National Data Protection and Freedom of Information Authority v. Anonymous News Service Provider

€5,080 in fines

Excerpt

The news service was fined by the Hungarian DPA where the controller's newsletter subscribers were automatically enrolled in electronic marketing and a prize draw without adequate information or the ability to provide specific consent.

Our analysis

A news service provider was fined for violating GDPR regulations by the Hungarian DPA. The provider's newsletter subscribers were automatically signed up for electronic direct marketing (eDM) and a prize draw without being informed and without the option to opt out. The provider relied on Article 6(1)(b) GDPR to process subscriber data for the newsletter, but they also processed personal data for eDM and the prize draw. The DPA found that the provider's conduct breached GDPR regulations in several ways, including not informing data subjects about their rights, not adequately informing them about the duration of data processing, and not fulfilling the conditions for consent according to Article 7 GDPR.
During the investigation, the DPA found that between January 1st, 2021 and May 17th, 2022, all subscribers who registered online for the news service were automatically subscribed to eDM, making it impossible to subscribe to the service without also subscribing to eDM. The provider argued that the data processing was legitimate based on their legitimate interests, but the DPA rejected this argument. The absence of information regarding the legal basis and the data subject's rights generally constitutes unfair processing. The DPA also found that the data processing was not based on consent because it did not meet the criteria set out in Article 7 GDPR, such as granular consent and providing necessary information to data subjects.

Outcome

DPA deemed the data processing to be illegal due to violations of Article 7(2), Article 7(4), and Article 6(1)(a) of the GDPR, resulting in a fine of 2,000,000 HUF (approximately €5,080). The DPA considered several factors in determining the fine, including the controller's cooperation during the proceedings, admission of the infringement, implementation of remedial actions for the future, and internal training. Additionally, the infringement was limited to the email addresses of data subjects and did not include any sensitive data. However, the extended period of the data processing was seen as an aggravating circumstance.

Parties

National Data Protection and Freedom of Information Authority and Anonymous News Service Provider

Case number

NAIH-7058-5/2022

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us