Excerpt
The news service was fined by the Hungarian DPA because the controller's newsletter subscribers were automatically enrolled in electronic marketing and a prize draw without adequate information or the ability to provide specific consent.
Our analysis
A news service provider was fined by the Hungarian DPA for violating the GDPR. The provider's newsletter subscribers were automatically signed up for electronic direct marketing (eDM) and a prize draw without being informed and without the option to opt out. The provider relied on Article 6(1)(b) GDPR to process subscriber data for the newsletter, but it also processed personal data for eDM and the prize draw. The DPA found that the provider's conduct breached the GDPR in several ways, including not informing data subjects about their rights, not adequately informing them about the duration of data processing, and not fulfilling the conditions for consent according to Article 7 GDPR.
During the investigation, the DPA found that between January 1st, 2021 and May 17th, 2022, all subscribers who registered online for the news service were automatically subscribed to eDM, making it impossible to subscribe to the service without also subscribing to eDM. The provider argued that the data processing was legitimate based on their legitimate interests, but the DPA rejected this argument. The absence of information regarding the legal basis and the data subject's rights generally constitutes unfair processing. The DPA also found that the data processing was not based on consent because it did not meet the criteria set out in Article 7 GDPR, such as granular consent and providing necessary information to data subjects.
Outcome
The DPA deemed the data processing to be illegal due to violations of Article 7(2), Article 7(4), and Article 6(1)(a) of the GDPR, resulting in a fine of 2,000,000 HUF (approximately €5,080). The DPA considered several factors in determining the fine, including the controller's cooperation during the proceedings, admission of the infringement, implementation of remedial actions for the future, and internal training. Additionally, the infringement was limited to the email addresses of data subjects and did not include any sensitive data. However, the extended period of the data processing was seen as an aggravating circumstance.
Parties
National Data Protection and Freedom of Information Authority and Anonymous News Service Provider
Case number
NAIH-7058-5/2022
Decision
Related deceptive patterns
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it at any time.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.