Posted on by stefan

publishable_li_2019-07_rightofaccessnotgranted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 21 August 2019
LSA: LI
CSAs: DE-Lower Saxony
Legal Reference: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Conditions for consent (Article 7), Right of access by the data subject (Article 15, Security of processing (Article 32)

Decision: Compliance order to controller
Key words: Consent, Transparency

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the Commissioner for Data Protection of Lower Saxony, alleging he received unsolicited personalised advertising. In its reply to the data subject’s right of access request, the controller had stated that the complainant’s personal data was the result of a prize competition in which he had allegedly participated consenting to the use of his data for marketing purposes by the controller or its sponsors.

Findings
In its assessment of the validity of the consent provided by the complainant, the LI SA found that the text explaining the checkbox for consent was inconsistent with the privacy policy, which referred to a wider range of processing activities and a larger number of recipients: thus, the consent was not legally valid and Articles 5(1)(a), 6 and 7 GDPR were violated.
Furthermore, the LI SA found that the controller did not comply with Article 15 GDPR as it did not appropriately provide the data subject with information on the purposes of the processing of personal data, the recipients and the storage period.
In addition, violations of Article 32 GDPR were also identified: first, the technical and organizational measures implemented by the processor (e.g. double opt-in procedure) were not sufficient to prevent the misuse of personal data; secondly, the unauthorized entry of data could not be traced back due to the deletion of the link relating to the generated lead after a 30-day period.

Decision
The LI SA required the controller to take the following required steps within three months:

– seek consent in accordance with Article 7 GDPR and revise the Terms and Conditions and Privacy Notice of the prize competition;

– implement further technical and organisational measures;

– ensure that the author or source of the manipulation can be identified.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-07_rightofaccessnotgranted_summarypublic.pdf

Please see also EDPB Copyright page