Privacy Protection Authority
The company states on its website that they offer suggestions for recommended
reading when purchasing an online subscription. Although the company informs that
they offer personalized content, it cannot be assumed that an average user
understands or perceives this to be a necessarily part of the service. The fact that the
company also offers the opportunity to unsubscribe from such e-mails suggests that
the processing of personal data was not necessary for the performance of the contract.
According to IMY, the e-mails received by the complainant with individually tailored
content are not objectively necessary to fulfill the main purpose of the contract, i.e.
providing a digital newspaper and magazine subscription. IMY finds that these e-mails
cannot be supported on article 6(1)(b) GDPR.
IMY considers that the e-mails are primarily intended to improve the access to and
experience of the service and that the individually adapted content constitutes direct
marketing
6
. The complainant therefore had the right to object to the processing of their
personal data under Article 21(2) and, after receiving such an objection, the company
was obliged to stop sending e-mails for direct marketing purposes.
After the complainant unsubscribed they still received marketing e-mails for another 23
days, which according to the company was due to an oversight and human error on
their part. IMI finds that the company has not, in this case, acted without undue delay
and therefore violated Article 21(3) and 12(3) of the GDPR.
The company's statement, that if the processing of personal data cannot be based on
a contract as a lawful basis, it may instead support the processing on legitimate
interest, does not affect IMY:s assessment of the violation of Article 21(3) and 12(3).
Has the company infringed Article 6.1 of the General Data Protection
Regulation?
In the present case, in the light of the complaint, IMY has to assess whether the
processing complained of by the complainant has been carried out in accordance with
the GDPR. It is clear from the complaint that it does not cover the mailing on 6
November. IMY’s assessment is therefore focused on whether the company has had a
lawful basis for the e-mails sent between 12 and 23 November 2019.
When a data subject objects to direct marketing, further processing of his or her
personal data is no longer permitted for such purposes.
That means that there is then no lawful basis for the processing. In order to determine
when the company has ceased to have a lawful basis for the processing, it must be
assessed when the objection should in any event have been dealt with.
Where a data subject objects to direct marketing pursuant to Article 21(2), the
controller shall cease mailings for direct marketing purposes. Since that right is
unconditional, there is no need for individual examination of such an objection. The
6
The GDPR does not define the terms ‘marketing’ or ‘direct marketing’. However, recital 47 mentions direct marke ing
as an example of what may be a legitimate interest under Article 6(1)(f). In the Swedish Marke ing Act (2008:486)
marketing is defined as: "advertising and other measures in the course of business activities which are intended to
promote the sale of and access to products including a trader’s actions, omissions or other measures or behaviour
before, during or after sale or delivery of products to consumers or traders." The International Chamber of Commerce
(ICC) Advertising and marketing communication code (ICC Code), 2018 edition, Chapter C, define the term “direct
marketing” as " communication, by whatever means, of advertising or marketing material carried out by a direct
marketer itself or on its behalf, and which is directed to particular
individuals using their personal contact information (including mailing address, telephone number, email address,
mobile phone number, facsimile, personal social media account handle, and the like." Available here; icc-advertising-
and-marketing-communications-code-int.pdf (iccwbo.org)