Polish advertising agency handed major GDPR fine

Polish Data Protection Authority UODO fines marketing agency QuickClickNow €47.000 for intentionally complicating their users’ right to withdraw consent to personal data processing. Here are 4 tips to avoid the same fine.
Table of Contents

Polish marketing agency fined €47.000

Polish advertising agency QuickClickNow must be in dire straits after being bound to pay a major GDPR fine of 47.000 euros. On top, they must get compliant with the GDPR on central aspects of personal data processing within 14 days.
The fine is given to QuickClickNow for “obstructing the exercise of the right to withdraw consent to the processing of personal data” and a number of other violations of the GDPR.
The President of the Personal Data Protection Office (PDPO) found that the company:
  • Failed to provide users with an easy way to revoke their consent
  • Breached the principles of transparency and fairness in processing
  • Violated the right to be forgotten
  • Processed personal data without a lawful basis
  • Failed to implement appropriate measures under article 24 (responsibility of data controller)

Withdrawal of consent must be as easy as giving consent

The President of the PDPO established that the procedure for withdrawing consent to data processing was not at all simple and could not be completed in a quick manner.
The mechanism for withdrawal of consent involved links upon the link with misleading information on the procedure. Moreover, the company forced users to state the reason for withdrawing consent. Failing to indicate the reason resulted in the discontinuation of the process of withdrawing consent.
As such, the company did not implement appropriate technical and organizational measures that would enable an easy and effective withdrawal of consent to the processing of personal data.
Neither did QuickClickNow provide users with the right to be forgotten.
This violated the principles of lawfulness, fairness, and transparency in the processing of personal data, specified in Article 7(3) and Article 12(2) of the GDPR.

Processing without a legal basis

In the decision, the President of the PDPO also found that QuickClickNow processed their users’ data without any legal basis. This included users not being customers and users who had declined to process their data.
The PDPO decided that the company’s actions were intentional, e.g., the contradictory communications regarding withdrawal of consent; the ineffective withdrawal of consent; the difficulties – and impossibilities to exercise the rights of the data subjects.
QuickClickNow is now ordered by the PDPO to adjust the process of withdrawing consent to the data processing to the provisions of the GDPR. The company must also delete the data of data subjects who are not their customers and object to processing the personal data.

4 tips to avoid the same fine

Whether you use email marketing, marketing on social media, or search and display campaigns, your target users have certain rights regarding their privacy.
Here we give you 4 tips to do marketing in a lawful manner.
  1. Be sure to collect and process your users’ data properly. You must have a lawful basis that is either consent (most probably) or legitimate interest (it can be proven).
  2. Be transparent and inform your users what data you collect, process, for how long, and who else has access to the data (third-party providers).
  3. Provide your users with an option to decline the processing of their data and offer them an easy way to revoke their consent.
  4. Citizens in the EU have the right to be forgotten. You must be able to delete all data on your users if required.

Get free assessment

If you have a website, you can always get a free assessment from Cookie Information on whether your users are provided with sufficient information on data processing and whether you collect their consent to data processing with cookies.
You can also book a meeting with us, and we’ll go through your cookie consent solution together.