UODO (Poland) - ZSPR.421.7.2019

From GDPRhub
UODO (Poland) - ZSPU.421.3.201
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 7(3) GDPR
Article 12(2) GDPR
Article 17 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 16.10.2019
Published: 05.11.2019
Fine: 47,120 EUR
Parties: ClickQuickNow Sp. z o
National Case Number/Name: ZSPU.421.3.201
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: n/a

The UODO imposed a fine of ca €47,000 on a limited liability company ClickQuickNow Sp. z o. o. for preventing the exercise of the right to withdraw consent.


English Summary

Facts and questions arising

In February 2019, the UODO carried out investigation regarding the compliance of processing operations with the GDPR at the ClickQuickNow Sp. z o. o.

Holding

The UODO found that the company did not take appropriate technical and organisational measures to enable the data subjects to withdraw easily and effectively their consent and to request the erasure of their personal data. Thus, the company violated Articles 5(1)(a), 6(1), 7(3), 12(2), 17(1)(b) and Article 24(1) GDPR. The DPA also found that the company processes personal data of non-customers without a legal basis and without allowing them to exercise their right to remove personal data. Apart from the fine, the DPA ordered the company to adjust its processing practices to the requirements set by the GDPR within 14 days and to delete the personal data of the non-customers who requested deletion.

Comment

Share your comments here!

Further Resources

The EDPB released its summary of the case here.

Share others blogs or news articles here!

Further Reseouces

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Polish original for more details.

DECISION
CP.421.7.2019

 

                                                          

DECISION

Pursuant to Article 104 § 1 of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2018, item 2096 as amended) and Article 7 section 1 and section 2, Article 60, Article 101, Article 103 of the Act on the Protection of Personal Data of 10 May 2018. (Journal of Laws of 2019, item 1781) in connection with Article 5 paragraph 1 point a, Article 5 paragraph 2, Article 6 paragraph 1, Article 7 paragraph 3, Article 12 paragraph 2, Article 17 paragraph 1 point b, Article 24 paragraph 1, Article 58 paragraph 2 point d and point i, as well as in connection with Article 83 paragraph 3, Article 83 paragraph 5 point a and point b of Regulation 2016/679 of the European Parliament and the Council of 27 April 2016. on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1 and OJ EU L 127, 23.05.2018, p. 2), following the administrative proceedings concerning the processing of personal data by ClickQuickNow Sp. z o.o. based in Warsaw

       I. stating that ClickQuickNow Sp. z o.o. with its registered office in Warsaw violated the regulations:

a) Article 5(1)(a) in connection with Article 5(2) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1 and OJ L 127, 23.05.2018, p. 2), hereinafter referred to as "Regulation 2016/679", i.e. "Regulation 2016/679". the principles of lawfulness, fairness and transparency of processing of personal data, and Articles 7(3), 12(2), 17(1)(b) and 24(1) of Regulation 2016/679, by not implementing appropriate technical and organisational measures which would allow the data subject to easily and effectively withdraw his or her consent to the processing of his or her personal data and to exercise his or her right to request immediate deletion of his or her personal data (right to be forgotten),

(b) Article 5(1)(a) in conjunction with Article 5(2) of Regulation 2016/679, i.e. the principle of legality, and Article 6(1) of Regulation 2016/679, by processing without legal basis the data of persons who are not clients of ClickQuickNow Sp. z o.o. and from whom ClickQuickNow Sp. z o.o. received requests to cease processing of personal data,

orders ClickQuickNow Sp. z o.o. with its registered office in Warsaw to adjust the processing of personal data to the provisions of Regulation 2016/679, within 14 days, from the date of delivery of this decision, through:

1) modifying the process of handling requests for withdrawal of consent for data processing, so that the data subjects can effectively exercise their right to withdraw consent and their right to be forgotten,

2) removing personal data of persons who are not clients of ClickQuickNow Sp. z o.o. and from whom ClickQuickNow Sp. z o.o. received a request to stop processing personal data.

II. for violation of the provisions of Article 5(1)(a), Article 6(1), Article 7(3), Article 12(2), Article 17(1)(b) and Article 24(1) of Regulation 2016/679 imposes on ClickQuickNow Sp. z o.o. with its registered office in Warsaw, a fine of PLN 201,559.50 (two hundred and one thousand five hundred and fifty-nine zloty 50/100), which is equivalent to EUR 47,000, according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates on 28 January 2019.

EXAMPLE

On [...] February 2019, pursuant to Article 78(1), Article 79(1)(1) and Article 84(1)(1-4) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws, item 1000, as amended) in conjunction with Article 57(1)(a) and (h), Article 58(1)(a) and (b) and Article 58(1)(a) and (b) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws, item 159, as amended). b, e and f of Regulation 2016/679, in order to control the compliance of data processing with the regulations on personal data protection, control activities were carried out in ClickQuickNow Sp. z o.o. with its registered office in Warsaw (hereinafter also referred to as "the Company").

The scope of control included the processing of personal data by the Company, excluding the data concerning employees.

During the control, oral explanations were received from the Company's employees and the IT system was checked. The facts were described in detail in the control protocol, which was signed by the President of the Company's Management Board.

The information contained in the National Court Register shows that the subject of the Company's business activity is data processing, website management (hosting) and similar activities; advertising agencies; telephone centres; other business and management consulting and internet portals.

On the basis of the evidence gathered in the case, it was established that in the process of personal data processing, the Company, as a controller, violated the provisions on personal data protection. These deficiencies consist in:

Failure to ensure that data subjects can easily exercise their right to withdraw their consent to the processing of their personal data (violation of Article 7(3) and Article 12(1) of Regulation 2016/679).

(2) Violation of the principles of transparency and fairness in the process of revoking consent by sending conflicting communications to data subjects, with the result that the person revoking consent is misled and cannot revoke it (infringement of Article 5(1)(a) of Regulation 2016/679).

(3) Infringement of the right to erasure (right to be forgotten), by applying a process of withdrawal of consent which hinders the effective withdrawal of consent - infringement of Article 17(1)(b) of Regulation 2016/679.

(4) Processing of data of persons who are not customers of the Company without legal basis (infringement of Article 6(1) of Regulation 2016/679 and infringement of the principle of lawfulness of processing referred to in Article 5(1)(a) of Regulation 2016/679).

Failure to apply appropriate technical and organisational measures which would enable the data subject to exercise his rights effectively (infringement of Article 24(1) of Regulation 2016/679).

In the light of the foregoing, the President of the Office for the Protection of Personal Data of his own motion initiated an administrative procedure for the infringements found, in order to clarify the circumstances of the case.

In response to the notice of initiation of administrative proceedings, the Company's Plenipotentiary (power of attorney in the case file) by letter of [...] July 2019 submitted explanations, in which he indicated, inter alia, that:

The position of the President of the Office for Personal Data Protection with respect to the objections relating to the processing of personal data contained in the notice of initiation of the proceedings deviates from the findings contained in the control protocol and therefore the proceedings should end with a statement that the Company has not violated the provisions of the law on personal data protection.

The Company does not agree with the allegation that in the process of revoking consent to the processing of personal data, it prevents or hinders the data subjects from exercising the rights referred to in Article 17 paragraph 1 point b of Regulation 2016/679.

The Company leaves the so-called "[...] e-mails" (which do not contain any content, except the sender's e-mail address, date and time of sending and indication of the addressee: […]. The Company does not consider such messages as requests for revocation of consent, nor as other correspondence in the case (e.g. incomplete requests for revocation of consent).

The Company does not agree with the position of the President of the Office for Personal Data Protection that "[...] e-mail" sent to the address: [...], is an incomplete application for revoking consent to the processing of personal data. In the Company's opinion, such an e-mail may constitute, for example, an incomplete request for data correction or an incomplete request for information about data processing.

The adoption of the concept of legal qualification of empty e-mails as declarations of intent to exercise a specific right of the sender of such a 'letter', in the Company's opinion, is not based on the provisions of Regulation 2016/679 and the rules for the interpretation of declarations of intent contained in Regulation 2016/679 (prohibition to presume statements of the data subject). Therefore, in the opinion of the Company, "[...] e-mails" are not considered by the Company as correspondence in the case.

(6) In the Company's view, the notice of initiation of the procedure omitted an important circumstance noted in the inspection report which shows that the '[...] e-mails' in question come in bulk from two websites, [...] and [...], which have introduced on their side mechanisms for automated calling of e-mails addressed to the Company.

(7) In the Company's view, the large scale of this phenomenon is such that 'the [...] e-mails' are evidence of systemic or accidental behaviour by portal users. The rules of life experience indicate that people who knowingly use e-mail do not send correspondence without content to the addressees.

8 Taking into account potential risks - related to the Internet services provided for the benefit of Internet users and automation mechanisms not agreed with the Company, which cause an influx of "[...] correspondence" to the Company - the Company intervened with the entities running these services in order to eliminate this phenomenon. In case of confirmation of correspondence in this case, printouts of e-mail correspondence were enclosed to the letter constituting a response to the notice of initiation of proceedings.

9 The Company believes that since no presumed consent to data processing should be collected, data should not be deleted on the basis of the presumed request, nor should the request be specified.

(10) In the Company's opinion, the process by which a click on a link included in an advertisement message redirects a user to two websites - to the first one, where the user is asked about the reason for revoking his/her consent, and to the second website, where the user is informed about the manner of revoking it - does not violate the obligations concerning easy revocation of consent, because: quote: 'on the second website (after answering the question about the reason for the potential opt-out), a message about how to revoke consent is displayed to the user (request to e-mail address)'. On this basis, the Company considers that the method of revoking consent is no less complicated than the process by which consent was obtained.

(11) In the Company's opinion, the allegation that the Company obtains additional information from the persons filing the request for revocation of consent without a legal basis is also unfounded. The Company confirms that the inquiry about the reason for waiving further data processing should be considered as collection of additional data by the Company, which would be removed anyway if the revocation of consent was considered effective. On the other hand, if the withdrawal of consent is not successful, the information obtained would be processed by the Company on the basis of Article 6(1)(f) of Regulation 2016/679, i.e. on the basis of the legitimate interest of the controller.

(12) Referring to the content of the Communication: "Your withdrawal of consent today [...]". Thank you for your reply! In this case, I would like to inform you that you have the right of access, deletion, restriction of processing, transfer, objection, request for rectification and withdrawal of consent at any time at [...], including the right to lodge a complaint with the President of the Office for Personal Data Protection. (...)', which is displayed to the user only after the reason for the resignation has been answered, it has been indicated that, following receipt of the notice of initiation of the procedure from the website, a message containing the words 'Your withdrawal of consent today [...]' has been deleted. It also follows from the information provided that this notice will be replaced by the following message 'Information on how to withdraw your consent'.

(13) The Company, explaining why it does not apply the model of revocation of consent only by one click on the link of an e-mail message (containing the link "revocation of consent"), indicates that the application of such a model could result in a request in this respect being made unknowingly (by mistake by an accidental click) and by an unauthorized person or by so-called "bots". - automated internet software which, without the knowledge of the e-mail account holder, can activate links contained in the content of e-mail correspondence. It was pointed out that similar solutions are also used in the public administration sector and as an example it pointed out that on the website of the Ministry of Justice the so-called captcha mechanism is used to prevent the so-called bots from filling in forms and downloading data from that Ministry's website. As evidence, he attached a screenshot from the KRS search engine to his reply to the notification, which in the Company's opinion confirms the fact that solutions preventing the use of forms and e-mail addresses made available on the Internet by the so-called "bots" (robots) are used.

The Company believes that the President of the Office for Personal Data Protection erroneously assumes that a mere click on the link "revocation of consent" contained in a marketing message should be considered by the Company as a declaration of will to revoke consent. This is not the case, as the field where the above mentioned link is placed also contains other information concerning various rights related to the processing of personal data.

The Company does not agree with the allegation that the information obligation each time refers to the same issues in a different way and indicates different ways and possibilities for the data subjects to make declarations of revocation of their consent to the processing of personal data, which makes it impossible for them to effectively revoke their consent.

16. in the scope of information on the manner of revoking the consent to data processing, the Company invariably and consistently (on the basis of the current and previous legal status) informs that the data subject may submit a request by mail to the address of the Company's registered office or by e-mail to the Company's e-mail address. The fact that the Company, after the application of Regulation 2016/679 (i.e. on [...] June 2018), indicated an additional e-mail address for submitting the requests should be assessed as an extension of data subjects' rights. Therefore, the statement that the Company indicates various ways and possibilities of revoking the consent to the processing of personal data is not consistent with the evidence gathered - it is always both written correspondence sent to the address of the Company's registered office and e-mail correspondence sent to the Company's e-mail address.

(17) The Company emphasizes that it does not comply with the collected evidence in the case the allegation that the Company in the document entitled "Information for you on personal data processing by [...]" did not indicate the e-mail address to which the data subject could effectively submit a statement on withdrawal of consent for personal data processing. In point 1 of the aforementioned document, apart from indicating the address of the Company's registered office, in the next paragraph the e-mail address was indicated i.e. [...].

18.With regard to the following communication: "Your withdrawal of consent today [...]! Thank you for your reply!' and the following text: "I would like to inform you that you have the right to access, delete, restrict, transfer, object, request rectification and revoke your consent at any time at [...], and that this information is displayed by clicking on the link in the marketing notice. However, this message is not sent to the e-mail address from which the withdrawal of consent was received. Moreover, the Authority unfoundedly considers that a click on the link in question implies a statement by the user about the revocation of consent to the processing of personal data. The information accompanying this link does not indicate such a consequence of the click, nor does any of the Company's information documents indicate such a consequence. The reasons for the adoption of the two-stage process of accessing the information about the way of revoking the consent are based on the need to protect against the Internet software performing random clicks without the knowledge and will of the mailbox owner.

(19) In the Company's view, the notice of initiation of the procedure did not explain how the above process of informing the user about his or her personal data rights allegedly constitutes a failure to develop appropriate technical and organisational measures within the meaning of Article 24(1) of Regulation 2016/679. The Authority does not provide an interpretation of this provision of law and does not refer to the facts and evidence gathered, which is required in particular when the arguments in p. 9 of the Notice de facto refer to the requirement of easy consent (Article 7(3) of Regulation 2016/679) and not to the obligation in Article 24(1) of Regulation 2016/679.

(20) The Company's method of informing about the revocation of consent in each advertising message, including a two-stage access to the e-mail address to which the request may be sent, means that the Company applies non-standard technical and organisational measures within the meaning of Article 24(1) of Regulation 2016/679.

21 In the scope of the reservation concerning the processing by the Company of data without legal basis, in the case of data received from persons who are not its customers, whose data the Company obtains in the correspondence received through the e-mail address: [...], it was indicated that the Company does not agree with this objection, because the Company (as well as other entities that publish their e-mail addresses on the Internet), does not have any influence on who and for what purpose will provide its data to the e-mail address. The data in question is processed by the Company only for the purpose of handling correspondence, whereas the data is not processed for any other purposes (e.g. for marketing purposes).

A financial statement for the period from 1 January 2017 to 31 December 2017 was attached to the letter responding to the notice of initiation of the administrative proceedings, which shows that the amount of net revenues from sales and equalized with them is: PLN [...] and the financial statement for the financial year from 1 January 2018 to 31 December 2018, which shows that the amount of net revenue from sales and equalised with them is: [...] PLN: PLN [...]. 

After reviewing all the evidence gathered in the case, the President of the Office for Personal Data Protection weighed the following:

I. The evidence collected in the case shows that: Since 2012, the Company has had its own database in which, as of January 31, 2019, it processed personal data of [...] persons. In 98 % of the data were obtained from participants of the competition called [...]'.

All personal data in the Company's database were obtained electronically using registration forms. The same model form was used for all competitions.

When filling in the registration form, the user gave the following consents: 1) consent to the processing of personal data by [...]. for marketing purposes of third parties also in the future; 2) consent to make the data available to contractors of ClickQuickNow Sp. z o.o. for marketing purposes; 3) consent to transfer commercial information electronically by ClickQuickNow Sp. z o.o, including on behalf of third parties and by counterparties of ClickQuickNow Sp. z o.o.; 4) consent to transfer marketing information by telephone and electronic means by ClickQuickNow Sp. z o.o., including on behalf of third parties and by counterparties of ClickQuickNow Sp. z o.o.

The findings made during the audit indicate that the Company currently uses the acquired personal data of contest participants to carry out orders for marketing to other entities.

To the concluded contracts of orders to conduct a given marketing campaign, the Company attaches a document called "Declaration concerning the processing of personal data valid from [...] May 2018". From the content of this document it follows, among others, that through a link placed in the e-mail or SMS messages sent, as well as in telephone conversations via the e-mail address indicated in the conversation, persons to whom the marketing campaign will be directed will be able to easily and simply revoke the granted permissions. Immediately after receiving such information, the Company will block the possibility of further implementation of the campaign in relation to a user who has withdrawn his or her consent or has declared that he or she does not want the campaign to be addressed to him or her.

It should be pointed out that the findings made in the course of the inspection have undoubtedly shown that the Company does not comply with the rules it has developed itself. The use of a reference (link) placed in the content of commercial information, contrary to the Company's assurances, does not result in a quick revocation of consent to the processing of personal data. Messages sent as a result of this link mislead the person who applies for revocation of consent, which results in the fact that revocation of consent is not effective.

In the course of the inspection it was established that a sample marketing offer sent by the Company at the order of another entity contains, among others, such information: [...] informs that after clicking on the message you will be redirected to the website ClickQuickNow Sp. z o.o. where you will be able to answer questions. Clicking on the link "revocation of consent" results in that: 1) the user is redirected to a website where the reason for resigning from receiving advertisements by e-mail is asked (with two defined answers: "A: I receive ads that do not interest me", "B: I receive ads too often"); 2) after answering the above questions, the user is redirected to the next page where the following message appears: "Your withdrawal of consent today [...]! This message contains a note: "Thank you for your answer! In this case, I would like to inform you that you have the right to access, delete, restrict, transfer, object, request rectification and revoke your consent at any time at [...], including the right to lodge a complaint with the President of the Data Protection Authority. For my part, that is all. […] […].

Analysing the above process of revoking the consent, it should be stated that the Company first of all (without any legal basis) requires the person who submits the statement of revocation of consent to indicate the reason for his request. It is important to note that failure to answer this question does not allow the process of revoking consent to continue, which results in the fact that consent is not revoked.

Moreover, after providing the person with the following message: "Your withdrawal of consent today [...] !", the Company informs the person about the manner of withdrawal of consent.

In the Company's opinion, the effective submission of a declaration of intent concerning the revocation of consent to data processing may only take place if the person, having familiarized himself/herself with the content of the above mentioned communication, addresses his/her request to the address again: [...] and specify precisely what he or she requests from the Company.

There is no doubt that a vast majority of persons, having read the content of the announcement, states that the statement of revocation of consent was accepted by the Company on the date indicated in the announcement and, therefore, does not take further actions in this respect.

The Company's application of such a mechanism results in the data subject's failure to take any further actions after reading this announcement, which means that the consent is not revoked effectively. Such actions by the Company result in the fact that persons who cannot effectively exercise their rights (i.e. revoke their consent) submit complaints to the Office for Personal Data Protection in this respect.

Pursuant to Article 7(3) of Regulation 2016/679, the data subject has the right to withdraw consent at any time. Withdrawing consent must be as easy as giving it.

In the opinion of the President of the Office for the Protection of Personal Data, the procedure used by the Company in the process of revoking consent does not meet the criteria for a simple and quick revocation of consent. Thus, it is undisputed that the Company is in breach of Article 7(3) of Regulation 2016/679.

At this point, reference should be made to the Company's explanations (in reply to the notice of initiation of the proceedings) regarding the allegation that the Company has no legal basis for requesting information on the reason for revoking the consent, from which it follows that "a request for the reason for a potential resignation is a collection of data which, in the case of revoking the consent, would be removed anyway, but in the case of a decision not to continue the process of revoking the consent, is a data which the Company may collect on the basis of a premise of a legally justified interest of the administrator (Article 6.1.f of the GDR)".

Referring to these explanations, it should be noted that the Company assumes in advance that the consent revocation process may be ineffective.

According to Article 5(1)(a) of Regulation 2016/679, personal data must be processed lawfully, fairly and in a way that is transparent to the data subject ("lawfulness, fairness and transparency").

It should also be indicated that, in accordance with Article 12(2) of Regulation 2016/679, the controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act at the request of the data subject wishing to exercise the rights under Articles 15 to 22, unless the controller proves that he or she is unable to identify the data subject.

In the opinion of the President of the Office for Personal Data Protection, in the process of revoking the consent, the Company violates the principles of transparency and reliability referred to in Article 5(1)(a) of Regulation 2016/679, because the Company addresses contradictory messages to the persons revoking the consent, which results in the person revoking the consent, having received from the Company the message "Your revocation of consent today [...] !", is convinced that he/she has effectively revoked his/her consent. However, consent shall not be revoked; after sending the above mentioned message, the Company shall send the same person a message in which it informs about the method of effective revocation of consent.

It should be stated that the Company as a controller does not make it easier for the data subject to exercise the right to revoke the consent (the right to be forgotten).

In response to the notice of initiation of the proceedings, it was concluded that the allegation of the President of the Office for the Protection of Personal Data is justified in the scope of this violation and therefore the Company removed the notice from the website: "Your withdrawal of consent today [...]". In addition, the same letter stated that the quotation 'introduces the subject and the phrase: "'Information on how to withdraw your consent' instead of 'Your withdrawal of consent today [...]'.

However, these explanations were not confirmed by any additional evidence to the President of the Office for Personal Data Protection.

The evidence gathered in the case does not indicate that the Company would stop obtaining information on the reason for revoking the consent, which undoubtedly results in the fact that the lack of such a response still prevents the data subject from effectively revoking the consent.

It has been pointed out that the information contained in the notice of initiation of proceedings regarding the Company's failure to correspond with incorrectly submitted applications and failure to respond to the data subjects' requests is not consistent with the collected evidence. With reference to this allegation it should be pointed out that the President of the Management Board of the Company during the audit explained that the following quotations were made: "(...) the Company does not send feedback on the manner in which a given application has been considered, as in the Company's opinion, effective removal of personal data is tantamount to final consideration of a given application" and the quotation "the Company does not correspond in any form with respect to incorrectly submitted applications".

The findings of the audit also showed that the Company has been receiving daily about [...] [...] [...] so-called [...] e-mails (not containing the content of the request) for a long time, i.e. since the beginning of [...]. These e-mails are sent to [...] on two websites ([...] and [...]).

As established in the course of the inspection, the Company leaves such messages unattended. In response to the notice of initiation of the procedure, it was explained that the ', [...] e-mails' do not contain any request and the Company cannot itself presume what the e-mail is about. In explaining this, the Company indicated that it has taken steps to eliminate this phenomenon. In order to confirm the above explanations, as additional evidence in the case, together with the response to the notice of initiation of the procedure, printouts of the conducted correspondence in this case have been sent to the Office for Personal Data Protection (printout of the e-mail of [...], confirms the conducted correspondence of [...], printout of the e-mail of [...] confirms the conducted correspondence of [...]). It follows from the content of the correspondence that the Company signals to the entities operating the above-mentioned portals that it is necessary to switch off the automatic mechanisms of sending the so-called [...] to the address [...].

Nevertheless, the Company has been receiving '[...] e-mail' at least since the beginning of [...] and so far nothing has changed in this respect. The Company indicates that in the case of the '[...] e-mail' the Company cannot fulfil the requests of an unidentified person and it is not known what the e-mail recipient is requesting.

The so-called "[...] e-mails" contain such information as: sender's e-mail address, date and time and recipient's indication: […]. In the opinion of the President of the Office for the Protection of Personal Data, the designation of the addressee in this way indicates the conscious actions of the sender of such an e-mail, i.e. that it revokes its consent.

The Company's doubts as to what is the sender's request for such an e-mail could be clarified, e.g. by way of return correspondence addressed to the sender's e-mail address asking what such e-mail concerns. However, it is clear from the evidence gathered in the case that the Company has left the '[...] e-mails' coming to the address [...], without consideration, and does not give them any further course. The e-mail recipient does not receive any feedback from the Company.

In connection with the above, there is no doubt that the state of infringement in this respect is still ongoing.

Indicate that in accordance with Article 7(3) of Regulation 2016/679, the person whose data are concerned has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before withdrawal. The data subject shall be informed thereof before giving consent. Withdrawal of consent must be as easy as giving it.

However, according to Article 17(1)(b) of Regulation 2016/679, the data subject has the right to request from the controller the immediate deletion of personal data concerning him/her, and the controller is obliged to delete personal data without undue delay where the data subject has withdrawn the consent on which the processing is based (according to Article 6(1)(a) or 9(2)(a) and there is no other legal basis for the processing.

Summing up the above findings, it should be stated that the Company in the process of personal data processing violates Article 7(3) of Regulation 2016/679, because the process of revoking the consent applied by the Company makes it difficult or even impossible for the data subject to effectively exercise his right to revoke the consent.

Moreover, in the opinion of the President of Personal Data Protection, the process used by the Company to process requests for revoking consent to data processing prevents the data subject from effectively exercising his or her right referred to in Article 17(1)(b) of Regulation 2016/679. Consequently, it should be concluded that the Company also violates this provision of Regulation 2016/679.

II. According to Article 24(1) of Regulation 2016/679, taking into account the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of natural persons of varying degrees of probability and seriousness, the controller shall implement appropriate technical and organisational measures to ensure that the processing is carried out in accordance with the abovementioned Regulation and to be able to demonstrate this. Those measures shall be reviewed and updated as necessary.

In the opinion of the President of the Office for the Protection of Personal Data, it is clear from the evidence gathered in the case that the Company has not developed and implemented such technical and organizational measures that would result in the data subject receiving in an easily accessible, concise, transparent and comprehensible form information on the possibility of effective electronic revocation of consent to the processing of personal data. The result is that the data subject cannot effectively exercise his or her right to withdraw his or her consent at any time and to be forgotten.

The Company, as a controller, is obliged to apply appropriate organisational and technical solutions so that the data processing process, including the process of revoking consent, is conducted in a simple and transparent manner. The company as a controller should ensure in the process of personal data processing such technical and organisational solutions (applied also by other entities participating in the process), the use of which will ensure that the exercise of persons' rights is effective.

As it was established during the audit, the solutions taken over by the Company in the process of revoking the consent are ineffective, as evidenced, for example, by the fact that the infringement consisting in the so-called "[...] e-malii" influence on the Company has not been removed.

Organizational solutions applied by the Company are also ineffective because, as it has been established, the Company does not conduct any correspondence on applications for revoking consent.

It follows from recital 59 of Regulation 2016/679 that procedures should be provided for facilitating the exercise of the data subject's rights under this Regulation, including request mechanisms - and where applicable free of charge - to obtain, in particular, access to and rectification or erasure of personal data and the possibility to exercise the right to object. The controller should ensure that such requests can also be made by electronic means, in particular where personal data are processed electronically. The controller should be obliged to respond to the requests of the data subjects without undue delay - at the latest within one month, and if it does not intend to comply with such a request - to provide the reasons.

On this basis it should be concluded that the Company (the controller) has not implemented appropriate technical and organizational measures in the process of revoking the consent, which constitutes an infringement referred to in Article 24 paragraph 1 of Regulation 2016/679.

III. In accordance with Article 6(1) of Regulation 2016/679. Pursuant to Article 6(1) of Regulation 2016/679, processing of personal data is lawful only in cases where at least one of the conditions is met: (a) the data subject has consented to the processing of his or her personal data for one or more specified purposes; (b) processing is necessary for the performance of a contract to which the data subject is party or for taking action at the request of the data subject before entering into the contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) processing is necessary for the protection of the vital interests of the data subject or of another individual; (f) processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular where the data subject is a child, override those interests.

The evidence gathered in the case shows that from the beginning of 2018, from the website of [...] and [...] to the Company's mailbox address: [...] numerous requests to stop sending advertisements are sent. Among these applications are also applications of persons who demand the cessation of their data processing by entities other than the Company. These persons have e-mail accounts in the indicated services, but are not clients of the Company.

In the course of the inspection, printouts of screenshots of searching in the Company's database for personal data of an exemplary person from whom the Company received an appeal of its consent to the processing of personal data by another entity were obtained. This evidence confirms that in the so-called "database [...]" Companies, the data of the searched person is not processed.

The findings of the inspection show that the Company does not conduct any correspondence with such persons, in particular the Company does not send any return correspondence to such persons. Therefore, the Company's claim that the data of these persons is processed by the Company in order to handle the correspondence is not consistent with the facts.

On this basis, the President of the Office for Personal Data Protection decided that the Company, having established that the Company did not have any information about a given person, should delete the acquired data due to the lack of legal grounds for further processing (storage) of such data.

Therefore, on the basis of the collected evidence in the case, the President of the Office for the Protection of Personal Data considered that the Company, in this respect, violates Article 6(1) of Regulation 2016/679, and thus violates the principle of legality, which, under Regulation 2016/679, is called the principle of lawfulness of processing (Article 5(1)(a) of Regulation 2016/679).

According to Article 58(2)(i) of Regulation 2016/679, each supervisory authority has the power to impose, in addition to or instead of the other remedies provided for in Article 58(2)(a) to (h) and (j) of that Regulation, an administrative penalty payment under Article 83 of the Regulation, depending on the circumstances of the specific case.

In view of the foregoing, the President of the Office for the Protection of Personal Data, in exercising his power under that provision, concluded that in the case in question there were conditions justifying the imposition of an administrative fine on the Company.

In deciding to impose a financial penalty on the Company, the President of the Office for Personal Data Protection - pursuant to Article 83, section 2, letter a-k of Regulation 2016/679 - took into account the following circumstances of the case, which are considered to be to the detriment of the Company and which affect the amount of the financial penalty imposed:

    The process of revoking the consent applied by the Company results in the breach of Article 7 paragraph 3, Article 12 paragraph 2 and Article 17 paragraph 1 letter b of Regulation 2016/679, by not providing data subjects with an easy use of their right to withdraw their consent for the processing of their data and the right to delete their data (right to be forgotten). In the opinion of the President of the Office for the Protection of Personal Data, this violation is an intentional one. According to the position of the Article 29 Data Protection Working Party (contained in the guidelines on the application and determination of administrative fines for the purposes of Regulation 2016/679), adopted on 3 October 2017, in the part referring to the intentional or unintentional nature of an infringement, "intentional" includes both knowledge and intentional action, in relation to the characteristics of a prohibited act. In the content of the document prepared by the Company called "[...]" it is indicated that the persons to whom the marketing campaign is addressed will have the possibility of simple and quick withdrawal of granted approvals. This information also shows that the Company, immediately after receiving the statement of revocation of consent, will block the possibility of further implementation of the marketing campaign for a given person. On this basis, it should be considered that the Company has knowledge that the process of revoking consent should be easy and should be conducted in a simple and effective manner. Unfortunately, the findings made in the course of the inspection have undoubtedly shown that the Company does not comply with the rules it has developed itself. Contrary to the Company's assurances, the use of a link included in the content of commercial information does not result in the rapid withdrawal of consent. After the link in question has been activated, the messages addressed to a person interested in revoking the consent are misleading. The Company, after sending a message with the content "Your revocation of consent today [...]!", confirms that the revocation of consent was recognized by the Company, and then requires from the same person additional actions to effectively revoke the consent. The Company definitely complicates and even makes the revocation of consent difficult. In the process of revoking the consent, it forces the necessity to provide a reason for revoking the consent. Failure to provide a reason interrupts the process of revoking the consent. The fact that the Company, having received a reply, continues the process of revoking the consent by sending contradictory messages to the interested party, which ultimately results in the revocation of the consent not being successful. Such actions of the Company should definitely be considered as deliberate action aimed at hindering or even preventing the exercise of data subjects' rights. The Company's declared intention to take action to remove this state of affairs does not constitute grounds for considering that the infringement has been removed. Meanwhile, the Company, as a controller, is obliged to act in accordance with the law, to facilitate the exercise of data subjects' rights (Article 12(2) of Regulation 2016/679), to ensure that the applied process of revoking consent allows for effective withdrawal of consent (Article 7(3) of Regulation 2016/679). By its activities in the processing of data, the company also violates the principle of lawfulness of data processing, the principle of transparency and the principle of fairness referred to in Article 5(1)(a) of Regulation 2016/679, and most importantly, it misleads those who wish to exercise their right effectively. The process of revocation of consent applied by the Company creates a high risk of negative consequences for a very large number of persons (personal data of [...] persons were processed in the Company's database as of [...] [...] 2019). The Company has been processing data in the database since [...]. Since all persons' data have been collected on the basis of consent, i.e. on the basis of Article 6(1)(a) of Regulation 2016/679, each data subject has the right to withdraw (revoke) consent at any time.
    In the process of revoking consent, the company did not take appropriate technical and organisational measures to enable the data subject to exercise his or her rights effectively (Article 24(1) of Regulation 2016/679). The evidence gathered in the case shows that the Company did not take into account the principle that withdrawal of consent should be as easy as giving it (Article 7.3 of Regulation 2016/679). It should be pointed out that from all persons whose personal data are processed in the Company's database (database of participants [...]), consent to the processing of data was always obtained in electronic form, by using the "checkbox" button, placed in the registration form. The process of revoking consent should also be carried out in an easy, uncomplicated manner, and, most importantly, through the same communication channel, i.e. via the Internet (e.g. by placing a consent revocation form or a bookmark for revoking consent on the website). The Company as the administrator is responsible for the fact that an ineffective tool is used in the process of revoking consent, i.e. a button: "[...]" on websites ([...] and [...]). The effect of the solutions applied by the Company is that persons who use this button to revoke their consent cannot effectively exercise their right. The scale of this phenomenon is very large (approximately [...] so-called '[...] e-mails per day). The company cannot be exempted from liability in this respect simply because the button in question is placed on the websites of other entities. It should be pointed out that it is the controller's responsibility to ensure that technical and organisational solutions (applied also by other entities participating in the process), the use of which will ensure effective exercise of data subjects' rights, are applied in the data processing process.
    When determining the amount of the administrative fine, the President of the Office for the Protection of Personal Data has not taken into account any mitigating circumstance affecting the final penalty. It should be pointed out here that in its letter responding to the notice of initiation of proceedings, the Company explained that, following receipt of the notice of initiation of proceedings, the communication 'Your withdrawal of consent today [...]' was removed from the website, and that the letter also indicated that the Company declared to change its communication 'Your withdrawal of consent today [...]' to 'Information on how to withdraw your consent'. Nevertheless, the submitted explanations were not confirmed by any additional evidence to the President of the Office for Personal Data Protection. On this basis, the President of the Office for Personal Data Protection decided that the Company's sole intention to take action to remedy the infringement does not constitute a mitigating circumstance affecting the final penalty.

Neither the imposition of the penalty nor the administrative fine itself was affected by the fact that

a) The Company does not apply approved codes of conduct under Article 40 of Regulation 2016/679 or approved certification mechanisms under Article 42 of Regulation 2016/679;

(b) there is no evidence that the Company has obtained a financial advantage as well as the avoidance of losses due to the infringement;

(c) there was good cooperation from the Company during the inspection; within this deadline, the Company sent a reply to the notice of initiation of proceedings to the Data Protection Authority;

d) there is no evidence in the collected evidence that would confirm that the data subjects suffered material damage;

e) there is no evidence that the Company obtained financial benefits and avoided losses due to the infringement;

f) it has not been established that the Company has previously committed a breach of the provisions of Regulation 2016/679, which would be material for this proceeding.

Taking into account all the circumstances discussed above, the President of the Office for Personal Data Protection has taken the position that the imposition of an administrative fine on the Company is necessary and justified by the gravity and nature of the alleged violations. It should be stated that the application to the Company of any other corrective measure provided for in Article 58, paragraph 2 of Regulation 2016/679, would not be proportionate to the irregularities identified in the processing of personal data and would not guarantee that the Company will not commit similar practices in the future infringing the rights of the data subjects.

Referring to the amount of the administrative fine imposed on the Company, the President of the Office for Personal Data Protection decided that in the established circumstances of this case, i.e. in view of the fact that the Company has infringed the right to erase data (the right to be forgotten) referred to in Article 17(1)(b) of Regulation 2016/679, it is not reasonable for the Company to be able to carry out similar practices in the future.     breach of Article 6(1) of Regulation 2016/679), by applying complex organisational and technical solutions in the process of revoking consent, Article 83(5)(a) and (b) of Regulation 2016/679 shall apply. In accordance with these provisions, the breach of the basic principles of processing, including the terms and conditions of consent, referred to in Article 7(3).The breach of the fundamental principles of processing, including the conditions for consent referred to, inter alia, in Articles 5, 6, 7 of that Regulation and the rights of data subjects shall be subject to an administrative fine of up to EUR 20 000 000 and, in the case of an enterprise, of up to 4 % of its total annual worldwide turnover in the preceding business year, the higher amount being applicable.

At the same time, in view of the Company's finding of an infringement within the same or related processing operations of several provisions of this Regulation, pursuant to Article 83(3) of Regulation 2016/679, the President of the Office for Personal Data Protection has determined the total amount of the administrative penalty payment to be not more than the amount of the most serious infringement.

In the presented facts, the most serious shall be considered the infringement by the Company of the right to delete data (the right to be forgotten) referred to in Article 17(1)(b) of Regulation 2016/679 and the infringement of the principles of transparency and reliability referred to in Article 5(1)(a) of Regulation 2016/679. This is supported by the serious nature of these infringements and the circle of persons affected by them (in the Company's database on [...] [...] 2019 personal data of [...] persons were processed). Due to the fact that all data of persons were obtained on the basis of consent (i.e. on the basis of Article 6(1)(a) of Regulation 2016/679), each of these persons has the right to withdraw (revoke) consent at any time.

It should be emphasized that the admission by the Company in the process of personal data processing of inadequate technical and organizational measures referred to in Article 24(1) of Regulation 2016/679 has led to a breach of the principle of lawfulness of data processing referred to in Article 5(1)(a) of Regulation 2016/679, because the Company has come into possession of personal data for processing which it is not entitled to because it does not meet any of the conditions indicated in Article 6(1) of Regulation 2016/679.

However, taking into account the fact that this violation concerns only persons who have mistakenly sent to the Company statements on withdrawal of consent to data processing (despite the fact that they are not customers of the Company), this violation has a minor impact on the decision to impose a penalty and its amount.

Pursuant to Article 103 of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2018, item 1000, as amended), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the exchange rate table as at 28 January of each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate as at 28 January - according to the average euro exchange rate announced in the table of exchange rates of the National Bank of Poland closest after that date.

In view of the foregoing, the President of the Office for Personal Data Protection, pursuant to Article 83(3) and Article 83(5)(a) of Regulation 2016/679, in conjunction with Article 103 of the Personal Data Protection Act of 2018, imposed on the Company - using the average euro exchange rate of 28 January 2019 - for the infringements described in the operative part of this decision. (1 EUR = 4,2885 PLN) - an administrative fine in the amount of PLN 101,559.50 (equivalent to EUR 47,000), according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January 2019.

In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine applied in the established circumstances of this case fulfils the functions referred to in Article 83(1) of Regulation 2016/679, i.e. it will be effective, proportionate and dissuasive in this individual case.

In the opinion of the President of the Office for the Protection of Personal Data, the penalty imposed on the Company is intended to lead to the state in which the Company will apply such technical and organisational measures in the process of data processing (i.e. in the process of revoking consent) that will ensure that data subjects can effectively exercise their rights.

The financial penalty applied is also proportional to the identified breaches, including in particular their severity, the circle of affected individuals and the risk incurred by such individuals in connection with the breaches. The level of the penalty shall be set at such a level as to be an adequate response by the supervisory authority to the degree of non-compliance with the obligations of the controller.

In the opinion of the President of the Office for the Protection of Personal Data, the administrative fine imposed will fulfil a repressive function in these specific circumstances, as it will be a response to the Company's breach of the provisions of Regulation 2016/679, but also a preventive one, as the Company itself, as well as other administrators, will be effectively discouraged from violating the provisions on personal data protection in the future.

In the opinion of the President of the Office for the Protection of Personal Data, the fine applied meets, in the established circumstances of this case, the conditions referred to in Article 83(1) of Regulation 2016/679 due to the seriousness of the infringements found in the context of the basic requirements and principles of Regulation 2016/679.

The purpose of the penalty payment imposed is to ensure the proper performance by the Company of its obligations under Article 5(1)(a), 5(2), 6(1), 7(3), 12(2), 17(1)(b) and 24(1) of Regulation 2016/679 and, consequently, to carry out data processing operations in accordance with the legal provisions in force.

In view of the above, the President of the Office for the Protection of Personal Data has decided as in the operative part of this Decision. 

 

The decision is final. The party has the right to lodge a complaint against the decision with the Voivodeship Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of the Office for the Protection of Personal Data (address: ul. Stawki 2, 00 - 193 Warsaw). A relative entry must be made against the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002. Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.

Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland No. 28 1010 1010 0028 8622 3100 0000. 

Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to the administrative court shall suspend the execution of the decision on the administrative fine.