Definition
For consent to be valid, it must be freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it at any time.
Excerpt
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Related cases
Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.
BORJAMOTOR, S.A. received a complaint from a customer who expressed their objection to the company's processing of their personal data for direct marketing purposes via email. Despite this objection, the customer continued to receive emails with offers from the company, at a reduced frequency. BORJAMOTOR, S.A. was found to have used a deceptive pattern known as "hard to cancel", which made it difficult for customers to cancel their subscription to the company's marketing emails.
The Belgian DPA fined a private company that targeted pregnant mothers. Through its marketing campaign, the company collected personal data without clearly informing data subjects of the processing. Despite having withdrawn consent, the complainant was contacted by third parties for its promotions, and the company made it technically difficult to withdraw consent and stop receiving unwanted phone calls from the defendant's partners.
Caixabank Bank was fined by the Spanish DPA for using pre-ticked boxes to request consent for processing personal data, and charging customers who did not accept the terms a monthly maintenance fee of €5.
The PREICO JURÍDICOS website was fined by the Spanish DPA for violating regulations regarding the use of cookies. The website was found to have used non-technical and non-necessary cookies without obtaining proper consent, failed to display an appropriate cookie banner, and provided insufficient information in its Cookies Policy.
The Belgian DPA fined Roularta for several violations regarding the use of cookies, such as placing unnecessary cookies, placing statistical cookies without obtaining consent, using pre-ticked boxes to grant consent for cookies from partners, providing false and inadequate information in their privacy policy, and making it impossible to revoke consent.
The Spanish Data Protection Authority (DPA) imposed a fine on a website for violating data privacy laws by installing third-party cookies without user consent and failing to provide sufficient information about the purpose of these cookies. Additionally, the website did not offer an option to reject these cookies and continued to use them without consent even after the user had deactivated the option.
The Spanish Data Protection Authority (AEPD) initiated a sanction procedure against Eslora Proyectos, S.L. based on a complaint filed by a Spanish citizen, which alleged that the defendant, the owner of three websites, failed to provide the necessary basic layer information to users regarding the cookies loaded on the websites.
The Belgian Data Protection Authority (APD/GBA) imposed a fine on the defendant for placing cookies without prior consent and obtaining consent via pre-ticked boxes. Additionally, their policies lacked transparent information on data subjects' rights, their exercise, and the legal basis for processing.
Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.
Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in data information, using a single button for multiple consents, using small print, bundling consents, and conducting unlawful data collection and unauthorised marketing.
The Italian DPA fined Douglas for providing a single button to accept the general terms and conditions, privacy policy and cookie policy. Additionally, there was no information about data processing in its privacy policy.
The Hungarian DPA fined a hotel booking service for sending direct marketing emails without a valid legal basis, not obtaining separate consent for specific purposes, and not expressly mentioning data processing purposes in the privacy policy.
Add Event Staff, S.L. was warned by the Spanish DPA (AEPD) for not obtaining separate consent for processing activities related to job search and commercial purposes.
Iweb Internet Learning, S.L. was fined by the Spanish Data Protection Agency for failing to identify the data controller, not allowing separate consent for each purpose, and providing insufficient information on the use of cookies.
Orange România SA was found responsible for using pre-ticked boxes as a form of obtaining consent from customers for storing copies of their identity documents, which does not constitute active consent.
CNIL found Google liable for providing information in a fragmented and generic manner, and for using pre-ticked boxes for personalization settings of the account.
A news service was fined by the Hungarian DPA because the controller's newsletter subscribers were automatically enrolled in electronic marketing and a prize draw without adequate information or the ability to provide specific consent.
The UODO imposed a fine on a company for preventing data subjects from easily and effectively withdrawing their consent and from requesting the erasure of their personal data.
The Canary Click Consulting website was held liable for failing to provide users with information about the storage or deletion of their data and for not providing an option to reject cookies.
The Belgian DPA issued a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse non-strictly necessary cookies.
The Italian DPA found Ediscom guilty of using misleading interfaces and unclear submission procedures, such as prompting users to provide consent for marketing despite their having already denied it.