The Norwegian DPA held the controller liable for direct marketing purposes to a data subject despite of having previously objected to such processing.
Excerpt
Our analysis
Komplett Bank ASA violated multiple articles of the GDPR, according to the Data Protection Authority. The bank sent direct marketing emails to a data subject who had previously objected to such processing under Article 21(3) GDPR. Despite claiming that the lawful basis for processing was consent under Article 6(1)(a) GDPR, the bank later revealed that it was using "Necessary for the performance of a contract" under Article 6(1)(b) GDPR. The DPA found that the bank had processed personal data for direct marketing purposes without a lawful basis, exceeded the time limit for responding to data subject requests under Article 12(3) GDPR, and failed to inform the data subject of their right to object to processing under Articles 13(2) and 21(4) GDPR. The bank also violated Articles 12(1) and 13(1) GDPR by providing misleading information about the lawful basis for processing personal data for direct marketing purposes.
Outcome
The DPA found that Komplett Bank ASA breached several provisions of the GDPR. Firstly, they processed personal data for direct marketing purposes without a lawful basis, which goes against Article 6(1) GDPR. Secondly, they provided misleading information about the lawful basis used for processing personal data for direct marketing purposes, which violates Articles 12(1) and 13(1) GDPR. Thirdly, the bank exceeded the time limit for responding to data subject requests for information, which is in breach of Article 12(3) GDPR. Fourthly, they failed to inform the data subject of their right to object to the processing of their personal data for direct marketing purposes, violating Articles 13(2) and 21(4) GDPR. Lastly, they disregarded the data subject's prior objection to direct marketing, which is against Article 21(3) GDPR. As a result of these violations, the DPA issued Komplett Bank ASA with a Compliance Order and Reprimand.
Parties
D.A.A.A (Data subject) and Komplett Bank ASA
Case number
20/02319
Decision
Related deceptive patterns
Nagging is a form of adversarial resource depletion. Every time an app or a website interrupts the user with a request to do something, this depletes the user's time and attention. This is like a tax that the provider imposes on users who do not want to comply with the provider's wishes. Although the cost is non-financial, it adds up and eventually becomes non-trivial. At this point the user may decide that it’s more cost effective to just give in and agree to whatever the provider is asking for, even if it is against their best interests.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Legal basis for processing personal data are performance of contract, legal obligations compliance, protection of vital interests, controller's legitimate interests, and data subject's consent.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Gives individuals the right to object to the processing of their personal data in certain situations.