According to the complaint lodged against the Company, the Company created a user account on its webpage using the data of the complainant provided after buying from the Company, and only provided information on such account creation subsequently. Besides reviewing the customer management activity of the Company, the DPA also focused on the Company’s marketing activity regarding which it identified major non-compliances, with regard to the mail, telephone and online marketing activity of the Company.

Non-compliance regarding postal and telephone marketing

Within the framework of its postal marketing activity, the Company attached flyers to different journals which subscribers received, along with a consent form. On this consent form only general information on processing was given in barely readable fine print highlighting that personal data shall be collected and used for sending “useful offers”. The purpose of data processing was not further detailed however, therefore it was not obvious for customers through which marketing channel and based on what information such “useful offers” are sent.

As regards the telephone marketing of the Company, the DPA also identified non-compliances and highlighted that more specific prior information was given to (potential) new customers compared to those targeted by postal marketing, but new customers were still unable to choose the marketing channel(s) through which they intended to receive marketing offers, thereby consenting to receive marketing materials through unforeseeable channels.

Unlawful online marketing activity

In terms of the online marketing activity, the DPA highlighted that the Company required both telephone number and email address from new customers besides giving the opportunity to choose a marketing channel through which the customer intended to receive marketing offers. Despite this, however, the Company only described the purpose of data processing as sending marketing offers by “electronic means” without providing further information on its electronic direct marketing activity, despite the fact that the Company also used targeted Google and Facebook marketing besides email marketing, by manually selecting the group of customers for whom the advertisement might be relevant. Therefore, although customers were able to choose between different marketing channels, including online marketing, they could not have been aware about whether they receive offers via email or targeted online advertising. The DPA underpinned in this respect, however, that the potential non-compliances related to data processing activities of Google, Facebook and similar mass automated advertising systems are being investigated by foreign data protection authorities, and therefore a deeper analysis of their data processing practices was not the subject of this procedure.

In this case, the DPA put considerable emphasis on information to be provided prior to consent and revising the elements of such information as well as the purpose of processing, the relevant marketing channels, the scope of the data collected, and transparency related to the use of data concerning purchases by customers.

In view of the gravity of the infringements and the other circumstances of the case, the DPA decided to impose the above fine and to name the data controller in the publicly available decision of the DPA.