GDPR News – December 2021
Selected GDPR decisions from the month of December
EUR 10,000 fine for letter with marketing content
On 12 February 2020, the Belgian data protection agency received a data subject’s complaint due to failing provision of information about the data processing on the data subject in compliance with article 14 of the GDPR and failing and adequate action in respect to the data subject’s requests and objection in compliance with articles 12 (3) and 17 (1) lit c of the GDPR.
In December 2019, the data subject had received a letter addressed to him personally, which contained marketing material. In consequence hereof, the data subject sent a request to the data controller on 5 December 2019 objecting against the processing of his personal data and requested that all data on him be deleted. The data subject also requested for information about who had passed on his personal data to the data controller. On 6 January 2020, the data subject sent the same request to the data controller by registered mail.
Meanwhile, neither of the data subject’s requests, which were sent to the data controller with more than 30 days in between, lead to any reply from the data controller, and hence the case was submitted to the Belgian DPA.
On 23 October 2020, the DPA ordered the data controller within one month to comply with the data subject’s request. The data controller was also to inform the DPA within one month after notifying the decision to the data subject.
Subsequently, the DPA received replies from both the data controller and the data subject. The data controller had bought information from a marketing bureau and had acted in the belief that it was legal since the information had been bought from a professional party. The data subject acknowledged that he was satisfied with the answer and therefore considered the matter closed.
Meanwhile, the DPA notified the data controller that they intended to impose an administrative fine on the data controller, and the data controller was therefore given the opportunity of making a statement.
The Belgian DPA then received the data controller’s reply in which it was stated that it was the first time the data controller got a warning for violating the GDPR, and since it was a professional bureau selling information, the data controller had acted in good faith. It was also stated that the data controller’s database dated back to 4 January 2020 and that all previous data had been deleted.
Nevertheless, the Belgian DPA imposed a EUR 10,000 fine on the data controller.
Read the whole decision here (in Belgian).
Municipality draws criticism for its processing of data on website users
In October 2020, the Danish DPA initiated an investigation of the Danish Municipality of Næstved regarding the municipality’s processing of personal data on its website users.
The procedure used by the municipality in October 2020 for processing personal data introduced website users to information about the use of cookies, which i.a. was to improve user experience and to support the marketing of the municipality’s services. Website users were then given the option of choosing “OK” or “Show details”.
The municipality informed that data about its website users were collected for statistical purposes with the aim of ensuring a high level of citizen- and user-friendliness.
The DPA found rise to criticise the municipality for not observing the most fundamental principle for processing of personal data on website users; and that is the principle on lawfulness, fairness and transparency.
However, the DPA did find that the municipality’s processing of personal data on its website users for statistical purposes was made in line with the municipality’s exercise of authority and therefore within the scope of the regulations set out under the GDPR.
When deciding in the matter, the DPA took into account that no data were transferred to any countries outside the EU.
Read the whole decision here (in Danish).
Egendriftssag om kommunes behandling af oplysninger om hjemmesidebesøgende (datatilsynet.dk)