Failure to adhere to GDPR’s Right to Object results in EUR 200,000 Fine


Hellenic Telecommunications Company fined EUR 200,000 for failure to remove email addresses from direct marketing database in keeping with GDPR’s right to object.

Have you ever clicked unsubscribe on a marketing email list but still continued to receive emails? From experience, I’m willing to go out on a limb and say that the likelihood of this occurrence is high. While this may seem like no big deal, for companies that fail to act on requests for something as seemingly simple as removing an email address from a database, the implications can be dire. This is because it is a direct infringement of the GDPR’s right to object.

In fact, just last month Hellenic Telecommunications Organization (OTE) was fined EUR 200,000 by the Hellenic DPA for infringement of the right to object to processing for direct marketing purposes and failure to establish adequate data protection by design in accordance with the GDPR.

According to the European Data Protection Board (EDPB), the Hellenic DPA received complaints from recipients of advertising messages from OTE concerning their inability to unsubscribe from the list of recipients of advertising messages. The EDPB article states that, in the course of the examination of the complaints, it emerged that from 2013 onwards, due to a technical error, removal from the lists of recipients of advertising messages did not operate for those recipients who used the “unsubscribe” link. OTE did not have the appropriate organisational measure, i.e. a defined procedure by which it could detect that the data subject’s right to object could not be satisfied. OTE has since removed some 8000 persons from the addressees of the messages.

Direct Marketing and the GDPR

Under the GDPR’s Right to Object, Articles 21.2 and 21.3 state:

1. “Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
2. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.”

Data protection by default and ePrivacy rules

Meanwhile, Article 25(2) of the GDPR states that “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”, including that contact details are not automatically accessed and used by the marketing teams.

Where businesses rely on the opt-out rules of the ePrivacy Directive, they need to be careful. “Most EU jurisdictions require an actual purchase to be made before one can rely on the opt-out rule for marketing emails,” explains Dr Bostjan Makarovic, Aphaia managing partner. “In such cases, any marketing emails may only relate to the business’s own similar goods or services, plus easy opt-out needs to be enabled both at the time of email address gathering, as well as in each email sent.”

Does your company maintain a direct marketing database? Has an efficient Data Protection Design been established? Aphaia’s data protection impact assessments and Data Protection Officer outsourcing will assist you with ensuring compliance. Contact us today.
