Hellenic Telecommunications Company fined EUR 200,000 for failure to remove email addresses from direct marketing database in keeping with GDPR’s right to object.
Have you ever clicked unsubscribe from a marketing emailing list but still continued to receive emails? From experience, I’m willing to go out on a limb and say that the likelihood of this occurrence is high. While this may seem like no big deal, for companies that fail to act on requests for something as seemingly simple as removing an email address from a database, the implications can be dire. This is because it is a direct infringement of the GDPR’s right to object.
In fact, just last month Hellenic Telecommunications Organization (OTE) was fined EUR 200,000 by the Hellenic DPA for infringing the right to object to processing for direct marketing purposes and for failing to establish adequate data protection by design in accordance with the GDPR.
According to the European Data Protection Board (EDPB), the Hellenic DPA received complaints from recipients of advertising messages from OTE concerning their inability to unsubscribe from the list of recipients of advertising messages. The EDPB article states that, in the course of the examination of the complaints, it emerged that from 2013 onwards, due to a technical error, removal from the lists of recipients of advertising messages did not operate for those recipients who used the “unsubscribe” link. OTE did not have the appropriate organisational measure, i.e. a defined procedure by which it could detect that the data subject’s right to object could not be satisfied. OTE has since removed some 8000 persons from the addressees of the messages.
Direct Marketing and the GDPR
Under the GDPR’s Right to Object, Article 21.2 and 21.3 state:
Data protection by default and ePrivacy rules
Meanwhile, Article 25(2) of the GDPR states that “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”. This includes ensuring that contact details are not automatically accessed and used by the marketing teams.
Where businesses rely on the opt-out rules of the ePrivacy Directive, they need to be careful. “Most EU jurisdictions require an actual purchase to be made before one can rely on the opt-out rule for marketing emails,” explains Dr Bostjan Makarovic, Aphaia managing partner. “In such cases, any marketing emails may only relate to the business’s own similar goods or services, plus easy opt-out needs to be enabled both at the time of email address gathering, as well as in each email sent.”