The UODO imposed a fine on a company for preventing data subjects from easily and effectively withdrawing their consent and requesting the erasure of their personal data
Excerpt
Our analysis
The UODO conducted an investigation in February 2019 into whether ClickQuickNow Sp. z o. o.'s processing operations complied with the GDPR. The investigation revealed that the company had not implemented appropriate technical and organizational measures that allowed data subjects to withdraw their consent and request the erasure of their personal data easily and effectively. This resulted in a violation of Articles 5(1)(a), 6(1), 7(3), 12(2), 17(1)(b) and 24(1) of the GDPR. Furthermore, the DPA found that the company processed the personal data of non-customers without a legal basis and without providing them with the option to remove their personal data, which also violated the GDPR. In addition to the fine of around €47,000, the DPA ordered ClickQuickNow Sp. z o. o. to rectify its processing practices to comply with GDPR requirements within 14 days. The company was also instructed to delete the personal data of non-customers who had requested their data to be deleted.
Outcome
ClickQuickNow Sp. z o. o., a limited liability company, has been fined approximately €47,000 by the UODO for impeding the exercise of the right to withdraw consent. In addition to the fine, the DPA has instructed the company to conform its processing practices to the GDPR's standards within 14 days and to remove the personal data of non-customers who have requested their data to be deleted.
Parties
UODO and ClickQuickNow Sp. z o. o.
Case number
ZSPU.421.3.201
Decision
Related deceptive patterns
Hard to cancel (aka "Roach Motel") is a deceptive pattern where it is easy to sign up for a service or subscription, but very difficult to cancel it. This typically involves hiding the cancellation option, requiring users to call customer services to cancel, and making the cancellation process overly complex and time-consuming. This can cause users to give up trying to cancel, and continue paying for the service for a longer period.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Grants individuals the right to have their personal data erased under certain circumstances.