Fine for a company for carrying out direct marketing with robocalls without consent
The Data Protection Ombudsman’s sanctions board has imposed an administrative fine on a magazine publisher due to data protection violations related to direct marketing. The publishing company carried out direct marketing of the magazine with an automated calling system, that is, with so-called robocalls, without the consent of the call recipients. In the robocalls, it was not ascertained that the data subjects would be able to exercise their data protection rights. In addition, the controller and the subcontracting company that carried out direct marketing calls on its behalf had not drawn up a processing agreement required by the General Data Protection Regulation (GDPR) for carrying out direct marketing.
The Office of the Data Protection Ombudsman received four complaints from persons who stated that they received direct marketing for a magazine published by the controller in the form of robocalls. The complainants were not been able to exercise their rights as data subjects in accordance with the GDPR, because the robot could not understand the question of where the data subjects’ personal data was obtained from, for instance.
The Finnish Competition and Consumer Authority has also received approximately a hundred similar complaints. The complaints show that the people who received calls were not able to exercise their right to object to the processing of personal data for direct marketing purposes, either.
The consent must be voluntary and it must be possible to exercise the rights of a data subject
According to its statement, the controller obtained consent for direct marketing on its website in connection with a magazine subscription. The magazine subscribers were required to accept the terms of the agreement and subscription, which included consent to direct marketing. If consent to direct marketing was not given, subscribing to the magazine was not possible.
The consent and the method for obtaining it were not compliant with the GDPR, because consent was not requested separately for direct marketing, and the consent requested in connection with the terms of the agreement and subscription was not voluntary. In addition, the terms did not state transparently how the personal data would be processed for direct marketing. Neither did the controller ensure that the data subjects who received calls would be able to exercise their rights in connection with direct marketing.
In its decision, the Data Protection Ombudsman permanently prohibited the processing of personal data gathered based on the consent mentioned above for direct marketing. The company has stopped publishing the magazine in question.
No agreement on the processing of personal data had been drawn up
A subcontracting company implemented the direct marketing calls on behalf of the controller. This means that the subcontractor acted as a processor of personal data. However, the parties had not drawn up an agreement in accordance with the GDPR defining the processing of personal data by the processor of personal data on behalf of the controller.
The Data Protection Ombudsman issued a reprimand to the subcontractor for neglecting an obligation of a processor of personal data, because the subcontractor’s business was specifically based on direct marketing carried out on behalf of different customers.
The responsibility of a controller to draw up a processing agreement was taken into account in imposing the fine
The sanctions board imposed an administrative fine amounting to EUR 8,500 on the controller. In particular, the severity of the violations, their nature and duration, the number of data subjects and the act being intentional supported the imposition of an administrative fine.
In the view of the sanctions board, imposing a fine on the subcontracting company would have been effective and acted as a warding considering the severity of the violation, but it would not have been proportionate. Nevertheless, the controller had the main responsibility for drawing up an agreement on the processing of personal data, because the matter involved the processing of personal data on behalf of the controller. In addition, the board took the company’s turnover and the bankruptcy petition initiated at a District Court into account in its assessment.
The decisions are not yet final, and they can be appealed against to the Administrative Court.
Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.