Summary Final Decision Art 60
Infringement of the GDPR
Date of final decision: 10 October 2019
CSAs: DE-Berlin, NL, NO, SE
Legal Reference: Right to object (Article 21), Cooperation with the supervisory authority(Article 31)
Decision: Infringement of Article 21 and Article 31 GDPR
Key words: Right to object, Cooperation with the supervisory authority, Exercise of data subjects’ rights, Marketing communications
Summary of the Decision
Origin of the case
The complainant lodged a complaint with the CSA alleging that the controller kept sending marketing communications to the complainant even though he had previously objected to the processing of his data for marketing purposes.
The preliminary investigation by the LSA was aimed at ensuring that the controller’s main establishment was in its country.
The controller as internal procedure accepted any requests from data subjects only when the requests were made by using the same email address the users have used to open their account.
Through its investigations, the LSA found out that the controller could not find the first email sent by the complainant to object to the processing of his data for marketing purposes even if this email was sent from the email address used by the user to open his account. The data controller admitted that there was a possibility that the email had not been received or had not been dealt with properly.
Following the receipt of further unsolicited marketing communications, the complainant objected several more times. These emails were sent from email addresses different from the one used to open his account. Even if the controller was thus not able to comply with the data subject’s request as he could not identify him, the controller decided to block the complainant’s account from receiving marketing communications. From the investigation it transpired that the controller did not have any internal procedures for the handling of data subjects’ requests.
In addition the controller did not cooperate with the LSA that had to wait months to receive the requested submissions.
The LSA found that the controller infringed Article 21 by not having adequate procedures put in place to deal with the complainant’s request to exercise his right to object. The controller also infringed Article 31 GDPR by not cooperating with the LSA. Consequently, the LSA imposed an administrative fine of 15,000 euros on the controller. A 2,000 euro administrative fine was also imposed on the controller for having breached several provisions of national law relating to unsolicited communications.
This text has been converted automatically from the PDF available via
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
Please see also EDPB Copyright page