IMY (Sweden) - DI-2020-10545: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
Line 70: Line 70:


=== Facts ===
=== Facts ===
Six different complaints were filed to multiple DPA’s over H&M’s direct marketing practices. Given that H&M is a Swedish based company, the Swedish as the responsible supervisory authority under [[Article 54 GDPR|Article 54 GDPR]]. The complaints were forwarded by DPA’s of Poland, Italy and the United Kingdom.  
Six different complaints were filed to multiple DPA’s over H&M’s direct marketing practices. Given that H&M is a Swedish based company, the Swedish DPA is the responsible supervisory authority under [[Article 56 GDPR]]. The complaints were forwarded by DPA’s of Poland, Italy and the United Kingdom.  


According to the complaints, the data subjects received unsolicited newsletters from the company despite the fact that they objected to having their personal data processed for direct marketing purposes. H&M (the controller) offered its customers three ways to object. Customers could change their subscription status under their account settings, unsubscribe from subscriptions via a link provided in every newsletter mailing or contact the Company's customer service. In each complaint the data subjects submitted evidence demonstrating that they had used these options but still received H&M’s marketing newsletters.  
According to the complaints, the data subjects received unsolicited newsletters from the company despite the fact that they objected to having their personal data processed for direct marketing purposes. H&M (the controller) offered its customers three ways to object. Customers could change their subscription status under their account settings, unsubscribe from subscriptions via a link provided in every newsletter mailing or contact the Company's customer service. In each complaint the data subjects submitted evidence demonstrating that they had used these options but still received H&M’s marketing newsletters.  

Latest revision as of 15:53, 15 November 2023

IMY - DI-2020-10545
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 6(1) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 21(3) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: DI-2020-10545
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: DI-2020-10545 (in SV)
Initial Contributor: sh

The Swedish DPA found H&M to have processed personal data for direct marketing in violation of Articles 6(1), 12(2), 12(3) and 21(3) of the GDPR.

English Summary

Facts

Six different complaints were filed to multiple DPA’s over H&M’s direct marketing practices. Given that H&M is a Swedish based company, the Swedish DPA is the responsible supervisory authority under Article 56 GDPR. The complaints were forwarded by DPA’s of Poland, Italy and the United Kingdom.

According to the complaints, the data subjects received unsolicited newsletters from the company despite the fact that they objected to having their personal data processed for direct marketing purposes. H&M (the controller) offered its customers three ways to object. Customers could change their subscription status under their account settings, unsubscribe from subscriptions via a link provided in every newsletter mailing or contact the Company's customer service. In each complaint the data subjects submitted evidence demonstrating that they had used these options but still received H&M’s marketing newsletters.

Given that this was cross-border processing, the Swedish DPA used the mechanisms provided in Chapter VII GDPR. Concerned Supervisory Authorities included Germany, Slovenia, France, Denmark. Spain, Norway, Italy, Finland, Poland, Belgium, Portugal, Cyprus, Estonia and the Netherlands.

Due to Brexit and given that two of the six complaints were filed in the UK, the Swedish DPA contacted United Kingdom's DPA (ICO) to ensure that a ne bis in idem (charging for the same crime twice) situation was avoided. The ICO replied that they had no information that they had taken any corrective action on the complaints. It was noted that the ICO's retention period for complaints is two years and therefore they had not kept any information on the complaints. The IMY considered Brexit to not be an obstacle because the controller’s establishment was in the Union.

Holding

The IMY decided that, with regard to the six complaints, there were deficiencies in the internal process for handling objections under Article 21(2) GDPR which resulted in the complainants not being able to easily access and exercise their rights under the GDPR.

The IMY determined that there has also been an infringement of Articles 21(3), 12(3) and 6(1) GDPR. If a data subject objects to direct marketing under Article 21(2) GDPR, Article 21(3) GDPR provides that personal data shall no longer be processed for such purposes. The fact that H&M continued to process the data means that there can be no legal basis for the processing under Article 6(1) GDPR either. Since the right to object to direct marketing according to Article 21(2) GDPR is unconditional, there is no room for an individual assessment of whether such an objection should be accepted.

Article 21(3) GDPR also requires action without undue delay (at maximum within a month). The IMY went through each complaint and determined that H&M had taken too long to react. As H&M is such a large company, it is important that it has functioning routines and processes in place to deal with data subjects' requests for objection promptly. All of the complainants' objections to direct marketing had to be repeated to H&M and were made through cumbersome options which delayed action on the side of the company.

The Swedish DPA fined H&M 350,000 SKE (around 30,362 euros).

Comment

This decision looks like an Article 60 decision but the Article is not mentioned by the IMY.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.