Withdrawal of consent

Withdrawal of Consent Should be Easy

Withdrawal of consent requests can have dire consequences for your company if they are not processed immediately and seamlessly.

Withdrawal of consent should be just as easy as giving consent. So says the President of the Polish Data Protection Authority (UODO). This assessment came as a result of a review of the practices of the company ClickQuickNow.

According to the investigation, the mechanism used by ClickQuickNow for processing requests for withdrawal of consent did not result in a quick withdrawal. Instead it relied on a link included in the commercial information; after the link was activated, the messages addressed to the person wishing to withdraw consent were misleading, the EDPB article reports. Additionally, the company required individuals who submitted withdrawal requests to state their reason for withdrawing consent, and failure to provide a reason resulted in the discontinuation of the withdrawal process.

It was further noted that ClickQuickNow also processed, without any legal basis, the data of individuals who were not its customers and from whom it had received objections to the processing of their personal data.

These practices by ClickQuickNow were direct violations of the GDPR, in particular Articles 7(3), 12(2) and 17. It was further asserted that ClickQuickNow's practices violated the GDPR principles of lawfulness, fairness and transparency of the processing of personal data. As a result of these violations, the Polish DPA levied an administrative fine of PLN 201,000 (approximately EUR 47,000) on ClickQuickNow. The Polish DPA further ordered ClickQuickNow to adjust its means of processing withdrawal of consent requests and to delete the data of data subjects who are not its customers and who objected to the processing of their personal data.

What mechanisms does your company have to action an individual's request for withdrawal of consent? Are your practices easy and seamless? If not, this could result in severe consequences. Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Automated decision making and GDPR

Automated Decision Making and the GDPR

In today’s blog we delve into automated decision making and the GDPR.

Artificial Intelligence is increasingly becoming ingrained in all facets of our societies and lives. While it certainly heralds an age of cool, futuristic technology and applications (facial recognition and self-driving cars, for example), what about when AI is used as an automated decision making tool? Can this pose an issue for an individual's rights? What are the possible implications? Is it fair? Are there any legal provisions to ensure fairness?

In our latest vlog we explore some frequently asked questions relating to Artificial Intelligence, automated decision making and the GDPR.

A deeper look: GDPR and Automated Individual Decision making, including profiling

Automated decision-making is described by the ICO as "the process of making a decision by automated means without any human involvement."

These decisions, the ICO says, can be based on factual data, as well as on digitally created profiles or inferred data. Examples of this include:

an online decision to award a loan; and
an aptitude test used for recruitment which uses pre-programmed algorithms and criteria.

Meanwhile, Article 4(4) of the GDPR defines profiling as "any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements."

The ICO offers the following examples of profiling:

collect and analyse personal data on a large scale, using algorithms, AI or machine-learning;
identify associations to build links between different behaviours and attributes;
create profiles that you apply to individuals; or
predict individuals' behaviour based on their assigned profiles.

Yet while automated decision making and profiling have several benefits for both businesses and consumers, they carry risks for people’s rights and freedoms. A false or unfair decision may lead to significant adverse effects for individuals, from discrimination to undue intrusion into private life.

Article 22 of the GDPR, referenced in our vlog, seeks to address this and other risks by setting a strict parameter: the data subject "shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

GDPR’s right to object fine

Failure to adhere to GDPR’s Right to Object results in EUR 200,000 Fine

Hellenic Telecommunications Organization (OTE) fined EUR 200,000 for failure to remove email addresses from its direct marketing database in keeping with the GDPR's right to object.

Have you ever clicked unsubscribe on a marketing mailing list but continued to receive emails? From experience, I'm willing to go out on a limb and say that the likelihood of this occurrence is high. While it may seem like no big deal, for companies that fail to act on a request as seemingly simple as removing an email address from a database, the implications can be dire. This is because it is a direct infringement of the GDPR's right to object.

In fact, just last month the Hellenic Telecommunications Organization (OTE) was fined EUR 200,000 by the Hellenic DPA for infringement of the right to object to processing for direct marketing purposes, and for failure to establish adequate data protection by design in accordance with the GDPR.

According to the European Data Protection Board (EDPB), the Hellenic DPA had received complaints from recipients of advertising messages from OTE concerning their inability to unsubscribe from the list of recipients. The EDPB article reports that, in the course of examining the complaints, it emerged that from 2013 onwards, due to a technical error, removal from the lists of recipients of advertising messages did not work for those recipients who used the "unsubscribe" link. OTE did not have the appropriate organisational measure in place, i.e. a defined procedure by which it could detect that the data subject's right to object could not be satisfied. OTE has since removed some 8,000 persons from the recipient lists.
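Both cases on this page come down to the same engineering failure: the opt-out path (ClickQuickNow's withdrawal link that demanded a reason, OTE's unsubscribe link that silently did nothing for years) was never verified end to end. The following is an added example, not code from Aphaia, OTE or ClickQuickNow, showing one way to build the opt-out so that it is one click, requires no reason, cannot be forged for another recipient, and is covered by a reconciliation check that would have caught the OTE defect. All class and function names are hypothetical and the sample addresses are constructed.

```python
import hashlib
import hmac


class ConsentStore:
    """Marketing recipients plus a suppression list fed by a one-click opt-out.

    Hypothetical in-memory model (added example, not any vendor's code). The
    unsubscribe link carries an HMAC over the address so that a link cannot be
    guessed for, or replayed against, a different recipient.
    """

    def __init__(self, secret: bytes, recipients):
        self.secret = secret
        self.recipients = {e.lower() for e in recipients}   # campaign audience
        self.suppressed = set()                              # objected / withdrew
        self.clicks = []                                     # valid opt-out tokens presented

    def _mac(self, email: str) -> str:
        return hmac.new(self.secret, email.lower().encode(), hashlib.sha256).hexdigest()

    def unsubscribe_token(self, email: str) -> str:
        """Value to embed in the unsubscribe link of every marketing email."""
        email = email.lower()
        return f"{email}:{self._mac(email)}"

    def handle_unsubscribe(self, token: str, reason=None) -> bool:
        """Process one click. A reason is accepted but never required, and no
        further confirmation step is demanded. Returns True once the address is
        recorded as opted out, False for a forged or garbled token."""
        email, _, mac = token.rpartition(":")
        if not email or not hmac.compare_digest(mac, self._mac(email)):
            return False
        email = email.lower()
        self.clicks.append(email)
        self._suppress(email)
        return True

    def _suppress(self, email: str) -> None:
        self.suppressed.add(email)

    def send_list(self):
        """The only list a campaign may be built from: audience minus suppression."""
        return sorted(self.recipients - self.suppressed)

    def reconcile(self):
        """Periodic control: any address that presented a valid opt-out token but
        would still receive the next campaign is a failure of the right to object."""
        live = set(self.send_list())
        return sorted({e for e in self.clicks if e in live})


class BrokenConsentStore(ConsentStore):
    """Models the OTE-style defect: the click is acknowledged to the user,
    but the suppression write silently does nothing."""

    def _suppress(self, email: str) -> None:
        pass


def demo():
    # constructed sample data
    audience = ["alice@example.com", "bob@example.com"]
    good = ConsentStore(b"rotate-me-regularly", audience)
    bad = BrokenConsentStore(b"rotate-me-regularly", audience)
    for store in (good, bad):
        store.handle_unsubscribe(store.unsubscribe_token("Alice@example.com"))
    return {
        "good_send_list": good.send_list(),
        "good_reconcile": good.reconcile(),
        "bad_send_list": bad.send_list(),
        "bad_reconcile": bad.reconcile(),
        "forged_accepted": good.handle_unsubscribe("bob@example.com:0000"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `reconcile()` check is the "defined procedure" the Hellenic DPA found missing: it is run against the list a campaign will actually be sent to, not against the acknowledgement page the user saw, so a suppression write that fails silently surfaces as a named address before the next send rather than after a complaint. In a real deployment the suppression set is persisted and the check is run against the mailing provider's exported audience.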

Direct Marketing and the GDPR

Under the GDPR's right to object, Article 21(2) and 21(3) state:

Article 21(2): "Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing."
Article 21(3): "Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes."

Data protection by default and ePrivacy rules

Meanwhile, Article 25(2) of the GDPR provides that "the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons." In practice this also means that contact details must not be automatically accessed and used by marketing teams.

Where businesses rely on the opt-out rules of the ePrivacy Directive, they need to be careful. “Most EU jurisdictions require an actual purchase to be made before one can rely on the opt-out rule for marketing emails,” explains Dr Bostjan Makarovic, Aphaia managing partner. “In such cases, any marketing emails may only relate to the business’s own similar goods or services, plus easy opt-out needs to be enabled both at the time of email address gathering, as well as in each email sent.”

Does your company maintain a direct marketing database? Has an effective data protection by design process been established? Aphaia's data protection impact assessments and Data Protection Officer outsourcing will assist you in ensuring compliance. Contact us today.

Thailand Personal Data Protection Act

Thailand’s Personal Data Protection Act

Published earlier this year, Thailand's Personal Data Protection Act will come into full force in May 2020.

Today, we live in a highly connected technological era where data is king. Digitisation has resulted in a world where data underpins almost all aspects of our lives, to the point where our personal data is constantly being collected, shared, sold, analysed and monetised. While this constant data sharing certainly has its benefits, the associated risks are alarming. It is no wonder, then, that more and more countries around the globe are making a concerted effort to enact comprehensive data protection and privacy legislation. Today we take a look at Thailand's new Personal Data Protection Act (PDPA).

Published in the Government Gazette on May 27, 2019, Thailand's PDPA is expected to come into full force in May 2020. Similar to the GDPR, the PDPA seeks to regulate the collection, use and sharing of personal data that could identify a natural person, whether directly or indirectly, and provides guidelines for the processing of personal data. It does not apply to information relating to a deceased individual.

Under the PDPA, data subjects now have the following rights:

Right to be informed
Right to access
Right to data portability
Right to object
Right to erasure / right to be forgotten
Right to restriction of processing
Right to rectification

Who is the PDPA applicable to?

The PDPA applies to any entity offering goods and/or services to individuals located in Thailand that collects, uses or shares their personal data, regardless of whether the entity itself is located in Thailand.

Depending on how it uses data, a company must comply with the PDPA as a data controller, a data processor, or both.

While the PDPA has similarities to the GDPR, it is important to note that GDPR compliance does not automatically ensure that your company is PDPA compliant.

If your company offers products or services to individuals residing in Thailand, it is imperative that you assess your services to ensure compliance. Aphaia provides GDPR and PDPA adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. Contact us today.