Financial sanction on a company due to carrying out electronic direct marketing without prior consent as well as neglecting the rights of the data subject
The sanctions board of the Office of the Data Protection Ombudsman has imposed an administrative fine on Acc Consulting Varsinais-Suomi (Independent Consulting Oy) for sending electronic direct marketing messages without prior consent as well as neglecting the rights of the data subject. The company did not respond to or implement the requests concerning the rights of data subjects, and it was not able to prove that it had processed personal data legally.
During the spring and summer of 2019, the Office of the Data Protection Ombudsman received eleven complaints on the electronic direct marketing of the company and the company neglecting the rights of the data subject in accordance with the General Data Protection Regulation (GDPR). The topics of direct marketing included various courses, such as hot work and asbestos removal.
Reprimand for the lack of consent for electronic direct marketing
In the complaints, the data subjects reported that they had received direct marketing messages from the company without consenting to it. According to section 200 of the Information Society Code (917/2014), direct marketing may only be directed at natural persons who have given their prior consent. According to Article 4(11) of the EU General Data Protection Regulation (GDPR), the consent must be a freely given, specific, informed and unambiguous indication of the data subject's wishes.
Some of the data subjects replied to the marketing SMS in the manner requested by the controller in order to prohibit direct marketing. Despite the prohibition, these data subjects continued to receive direct marketing messages from the controller. Therefore, the controller has failed to implement the data subjects’ right to object in accordance with the GDPR.
In the controller’s view, it has targeted the electronic direct marketing at corporations, to which the prior consent requirement does not apply according to the Information Society Act. The controller has stated that the telephone numbers of the data subjects were used by the companies in which the data subjects work, and that these companies are within the scope of the controller’s customer segment.
However, the Deputy Data Protection Ombudsman states that before targeting the direct marketing, the controller should have separately determined the position of the person in question in the corporation and assessed especially whether the marketed courses were significantly linked to the person’s duties. Therefore, the direct marketing by the controller targeted at natural persons cannot be considered to be intended for a corporation, and the controller should have requested the consent of the data subject for the electronic direct marketing.
The controller has been given a reprimand for processing personal data without the consent required by the GDPR. In addition, the Deputy Data Protection Ombudsman obliges the controller to correct its operating methods with regard to direct marketing targeted at corporations.
Neglecting the rights of the data subject and failure to comply with accountability
In addition, in some of the complaints, the data subjects had made requests concerning their rights in accordance with the GDPR. However, the controller did not respond to the requests without undue delay and at the latest within one month of receiving the request, as required by the GDPR. Nor has the controller implemented any of the requests related to these rights.
According to the Deputy Data Protection Ombudsman, the controller does not seem to have organised its operating methods in processing personal data in such a way that the controller would be able to tell if it has implemented the rights of the data subjects or received requests related to the rights. The Deputy Data Protection Ombudsman states that as a result, the controller was not able to prove that it had processed personal data legally.
The Deputy Data Protection Ombudsman gave the company a reprimand for neglecting the rights of the data subject and failing to implement them. The Deputy Data Protection Ombudsman also ordered the company to change its operating methods and implement the rights of the data subject in accordance with the GDPR.
A financial sanction was imposed on the company
The sanctions board of the Office of the Data Protection Ombudsman imposed a financial sanction of EUR 7,000 in addition to the corrective measures mentioned above. The sanctions board considers the sanction to be proportionate and to function as an effective deterrent with regard to the nature of the offences.
The following have been taken into account as aggravating factors in the decision: the intentional nature of the act, the number of similar offences over a short period of time, the disinterest of the controller in cooperating with the supervisory authority, and the fact that the controller has not demonstrated that it has implemented corrective measures with regard to direct marketing and the realisation of the rights of the data subjects while the matter is being resolved.
As a mitigating factor for the amount of the financial sanction, it has been taken into account that, during the preparation of the case, the data subjects were not found to have suffered financial or other material damage.
The decisions of the Deputy Data Protection Ombudsman and sanctions board are not yet final and are open to appeal in the administrative court.
The decisions of the Deputy Data Protection Ombudsman are published in Finlex (in Finnish)
Decision of the sanctions board: Data Protection Ombudsman Reijo Aarnio, tel. +358 (0)29 566 6730, reijo.aarnio(at)om.fi
The decisions of the Deputy Data Protection Ombudsman: Deputy Data Protection Ombudsman Jari Råman, tel. +358 (0)29 566 6757, jari.raman(at)om.fi
The decision-making of the sanctions board and legal protection of controllers are provided for in the Finnish Data Protection Act. The sanctions board is made up of the Data Protection Ombudsman and two Deputy Data Protection Ombudsmen, and it has the power to impose administrative fines for violations of data protection legislation. The maximum amount of the administrative fine is four percent of the company’s turnover or EUR 20 million.