Excerpt
Add Event Staff, S.L. was warned by the Spanish DPA (AEPD) for not obtaining separate consent for processing activities related to job search and commercial purposes.
Our analysis
Add Event Staff, S.L., a Spanish event organizing company, was recently warned by the Spanish DPA (AEPD) for violating GDPR and the Spanish Law on Data Protection and Digital Rights Guarantee (LOPDGDD). The decision was made in response to a complaint from a Spanish citizen who had registered for a job fair organized by Add Event Staff, S.L. The citizen stated that the web form required him to give consent not only for participation in the job fair, but also for receiving commercial communications and transferring his data to third parties. When he requested that his consent be used only for participation in the job fair, the defendant refused, stating that the claimant was obligated to receive commercial communications as it was a free event.
Add Event Staff, S.L. claimed that the processing activities were based on the claimant's consent and that he was fully informed about the need to process his data for participation in the job fair, as well as the possibility of receiving commercial communication, which could be unsubscribed from. However, the AEPD initiated a sanction procedure, and the defendant responded by stating that the participation in the event had one single purpose, which was to communicate attendees with the companies for networking objectives, and that the company was in the process of changing its forms to adopt the corresponding measures. The AEPD found that Add Event Staff, S.L. had violated Article 7 of GDPR and Article 6(3) of LOPDGDD by bundling different processing activities and requiring consent for them collectively, rather than obtaining separate consent for each specific activity. The defendant's actions deceived the claimant and violated their right to freely give or withhold consent for each processing activity.
Outcome
The AEPD found that Add Event Staff, S.L. violated Article 7 of the GDPR and Article 6(3) of the Spanish Law on Data Protection and Digital Rights Guarantee (LOPDGDD) by not obtaining separate consents for different processing activities related to job search and commercial purposes. The AEPD emphasized that commercial communications and attendance to a job fair are different purposes and therefore require separate consents. The AEPD also noted that the execution of an agreement cannot be made conditional on the data subject consenting to processing activities not strictly related to the contract relationship. As a result, the AEPD imposed a warning on the defendant and required them to correct the situation within one month of the resolution.
Parties
D.A.A.A (Claimant) and Add Event Staff, S.L.
Case number
PS/00110/2020
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Establishes the principles of lawfulness, fairness, and transparency in the processing of personal data.