Polish marketing agency fined €47.000
Polish advertising agency QuickClickNow must be in dire straits after being bound to pay major GDPR fine of 47.000 euros. On top, theymust get compliant with the GDPR on central aspects of personal data processing within 14 days.
The fine is given to QuickClickNow for “obstructing the exercise of the right to withdraw consent to the processing of personal data” and a number of other violations to the GDPR.
The President of the Personal Data Protection Office (PDPO) found that the company:
- Failed to provide users with an easy way to revoke their consent
- Breached the principles of transparency and fairness of processing
- Violated the right to be forgotten
- Processed personal data without a lawful basis
- Failed to implement appropriate measures under article 24 (responsibility of data controller)
Withdrawal of consent must be as easy as giving consent
The President of the PDPO established that the procedure for withdrawing consent to data processing was not at all simple and could not be completed in a quick manner.
The mechanism for withdrawal of consent involved link upon link with misleading information on the procedure. Moreover, the company forced users to state the reason for withdrawing consent. Failing to indicate the reason resulted in discontinuation of the process of withdrawing consent.
As such, the company did not implement appropriate technical and organizational measures that would enable an easy and effective withdrawal of consent to the processing of personal data.
Neither did QuickClickNow provide users with the right to be forgotten.
This violated the principles of lawfulness, fairness and transparency of processing of personal data, specified in Article 7(3) and Article 12(2) of the GDPR.
Processing without legal basis
In the decision, the President of the PDPO also found that QuickClickNow processed their users’ personal data without any legal basis. This included users not being customers and users who had declined processing of their personal data.
The PDPO decided that the company’s actions were intentional e.g. the contradictory communications regarding withdrawal of consent; the ineffective withdrawal of consent; the difficulties – and impossibilities to exercise the rights of the data subjects.
QuickClickNow is now ordered by the PDPO to adjust the process of withdrawing consent to data processing to the provisions of the GDPR. The company must also delete the data of data subjects who are not their customers and objected to processing the personal data.
4 tips to avoid same fine
Whether you use email marketing, marketing on social media or search and display campaigns, your target users have certain rights regarding their personal privacy.
Here we give you 4 tips to do marketing in a lawful manner.
- Be sure to collect and process your users’ personal data properly. That is, you must have a lawful basis that being either consent (most probably) or legitimate interest (if can be proven).
- Be transparent and inform your users what data you collect; process; for how long; and who else have access to the data (third-party providers).
- Provide your users with an option to decline processing of their data and offer them an easy way to revoke their consent.
- Citizens in the EU have the right to be forgotten. You must be able to delete all data on your users if required.
Get free assessment
If you have a website, you can always get a free assessment from Cookie Information on whether your users are provided with sufficient information on data processing and whether you collect their consent to data processing with cookies.
You can also book a meeting with us, and we’ll go through your cookie consent solution together.