Deceptive Patterns

D.A.A.A (Data subject) v. Komplett Bank ASA

Jurisdiction
EU & UK
Authority
Norwegian DPA (Datatilsynet)
Date
11 Nov 2021
Case number
20/02319
Outcome
Compliance order and reprimand

Case summary

The Norwegian DPA held the controller liable for sending direct marketing to a data subject who had previously objected to such processing.

Our analysis

Komplett Bank ASA violated multiple articles of the GDPR, according to the Data Protection Authority. The bank sent direct marketing emails to a data subject who had previously objected to such processing under Article 21(3) GDPR. Despite claiming that the lawful basis for processing was consent under Article 6(1)(a) GDPR, the bank later revealed that it was using "Necessary for the performance of a contract" under Article 6(1)(b) GDPR. The DPA found that the bank had processed personal data for direct marketing purposes without a lawful basis, exceeded the time limit for responding to data subject requests under Article 12(3) GDPR, and failed to inform the data subject of their right to object to processing under Articles 13(2) and 21(4) GDPR. The bank also violated Articles 12(1) and 13(1) GDPR by providing misleading information about the lawful basis for processing personal data for direct marketing purposes.

Outcome

The DPA found that Komplett Bank ASA breached several provisions of the GDPR. Firstly, they processed personal data for direct marketing purposes without a lawful basis, which goes against Article 6(1) GDPR. Secondly, they provided misleading information about the lawful basis used for processing personal data for direct marketing purposes, which violates Articles 12(1) and 13(1) GDPR. Thirdly, the bank exceeded the time limit for responding to data subject requests for information, which is in breach of Article 12(3) GDPR. Fourthly, they failed to inform the data subject of their right to object to the processing of their personal data for direct marketing purposes, violating Articles 13(2) and 21(4) GDPR. Lastly, they disregarded the data subject's prior objection to direct marketing, which is against Article 21(3) GDPR. As a result of these violations, the DPA issued Komplett Bank ASA with a Compliance Order and Reprimand.

Parties

D.A.A.A (Data subject) and Komplett Bank ASA