Czech Data Protection Office record breaking penalty for spam
The Czech legislation brings two regimes how an entity can receive such messages.
The first is the consent with the quality required by GDPR (art. 4 sec. 11) i.e. freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Usual way how to obtain such a consent is through a checkbox placed on the website of the vendor (data controller) next to a form allowing placing an e-mail address to which the newsletters should be sent. These cases do not bring a lot of issues as basically the data subjects are aware they receive the newsletters. The bad practice usually shows a lack of compliance in the documents as the conditions of the consent are missing or the privacy policy is not included or is wrong. However, the data subjects do not complain as they usually want the newsletters, no matter how compliant the process is.
The tricky one is the other option allowing to send newsletters to a customer whose electronic contact was acquired in connection with the sale of a product or service to such customer. The contact may be used for the purposes of disseminating commercial communications regarding the vendor’s (controller’s) own similar products or services, provided that the customer has a clear and distinct possibility to refuse consent to such use in a simple way, free of charge or at the expense of this natural or legal person his electronic contact even when sending each individual message. The customer must have the option to reject this use when the electronic contact is acquired.
This option brings a lot of practical problems as the vendors very rarely follow all the rules. The usual non-compliance is the lack of the option to reject the use for „ commercial communications purposes“ while acquiring the contact. Compliant vendors have a checkbox allowing the rejection during registration in e-shops and similar services. A lot of others are using the contact without such an option and the data subject have the first „rejection option“ within the first newsletter the data subject receives. Which is late and contrary to the law.
Recently, CZDPA informed about a huge breach of the spam rules.
Since 2015, a transport company has distributed commercial messages to e-mails they acquired from their customers. But they did it for the benefit of third parties, apparently without having the prior consent of the recipients. The company did not offer its own products or services.
Commercial communications were embedded in e-mail messages containing confirmation of the purchase made, and the addressees had no possibility to reject these commercial communications in any way. CZDPA also stated that other legal requirements were missing, such as the distinct and clear labeling of such a message or the indication of a clear identification of the entity for whose benefit the given commercial messages are disseminated.
Such cases happen, but the interesting fact is that the CZDPA imposed a fine in the amount of 7.700.000,- CZK (app. 312.743 EUR) making it the highest legally imposed fine of the CZPDA. The office took into account the amount of affected customers (app. 40M) and the length of the illegal conduct.
There are higher fines imposed by the CZDPA - notably fine for antivirus giant Avast for abuse of user data in the amount of 351.000.000 CZK, app. 14 256 000 EUR, however this one has not come to legal force yet due to appeal.
Both these fines are clearly showing the even CZDPA, which used to impose very limited penalties (usually several thousand euros), is moving to enhance the sanctions for privacy violations and the pressure to be compliant in the Czech Republic is getting stronger and stronger.
Article provided by INPLP member: Jan Bárta (Barta.Legal, Czech Republic)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)