The Hungarian DPA fined a hotel booking service for sending direct marketing emails without valid legal basis, not obtaining separate consent for specific purposes, not expressly mentioning data processing purposes in the privacy policy.
Our analysis
A hotel booking website was fined by the Hungarian DPA for violating the GDPR by sending unsolicited commercial emails to two data subjects. The website's privacy policy was misleading: it stated that the legal basis for processing personal data for newsletters and marketing was consent under Article 6(1)(a) GDPR, while also referring to the legitimate interest of the controller. This contradictory information left the data subjects unable to tell which legal basis was actually being relied on, in violation of Article 12(1) GDPR.
Moreover, the controller did not obtain separate consent for specific purposes, as there were no separate checkboxes for marketing purposes; this amounted to bundled consent. The DPA found a violation of Article 6(1) GDPR because the consent given by the data subjects was not informed. Additionally, the controller violated Article 7(1) GDPR, as it could not demonstrate that consent had been given, and Article 5(2) GDPR, as it did not provide the requested proof of consent or an assessment balancing the legitimate interests at stake.
Outcome
A hotel booking service was fined €1,228 by the Hungarian DPA for sending direct marketing emails without a valid legal basis (by bundling consent) and for not complying with GDPR data subject rights, including the rights of access, rectification, erasure, and objection to data processing under Articles 12, 15, 17, and 21(2).
Parties
D.A.A.A (Data Subjects) and Infotv
Case number
NAIH-1091-10/2022.
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Article 5 GDPR: Requires personal data to be processed lawfully, fairly, and transparently.
Article 6 GDPR: The legal bases for processing personal data are performance of a contract, compliance with a legal obligation, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Article 7 GDPR: Valid consent must be freely given, specific, informed, and unambiguous, and the data subject must be able to withdraw it at any time.
Article 12 GDPR: Ensures transparent information and easy access for individuals to information about the processing of their personal data, with the right to obtain a copy in a clear and commonly used format.
Article 15 GDPR: Grants individuals the right to access their personal data and to receive information on how it is processed.
Article 17 GDPR: Grants individuals the right to have their personal data erased under certain circumstances.