The Spanish Data Protection Authority issued a reprimand to a controller for failing to fulfill a data subject's request for deletion. Despite six separate attempts by the data subject, the controller did not act promptly, and neither their website nor app allowed for easy account cancellation.
Excerpt
Our analysis
The motorcycle sharing company in question utilised a deceptive pattern known as the hard to cancel to make it difficult for users to cancel their accounts. This is evidenced by the fact that the company did not provide an option for users to cancel their accounts through their website or app, and instead required the data subject to email a generic mailbox which did not accept incoming mail. Furthermore, despite the data subject's repeated requests to delete their account and data, the company failed to do so in a timely manner, which violated Article 17 of the GDPR. Additionally, the company failed to notify the data subject once their account was deleted, as required by Article 12 of the GDPR. In this case, the motorcycle sharing company made it intentionally difficult for users to cancel their accounts and delete their data, which violates the principles of transparency and fairness that are fundamental to the GDPR. The company's failure to respond to the data subject's requests and continued sending of commercial messages after the data subject had requested deletion of their data also constitutes a violation of the GDPR, specifically Article 21 which grants individuals the right to object to the processing of their personal data for direct marketing purposes.
Outcome
Despite the infringement, the DPA considered it minor due to mitigating circumstances, such as the controller's lack of prior non-compliance, temporary layoffs due to Covid-19, and prompt action taken to address the issue. As a result, the DPA issued a reprimand rather than a fine.
Parties
D.A.A.A. (Complainant) and Cooltra Motosharing S.L.U.
Case number
AEPD PS-00006-2022
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Related laws
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Grants individuals the right to have their personal data erased under certain circumstances.