Polish Data Protection Authority UODO fines marketing agency QuickClickNow €47.000 for intentionally complicating their users’ right to withdraw consent to personal data processing. Here are 4 tips to avoid the same fine.
Polish marketing agency GDPR fined €47.000
Polish marketing agency QuickClickNow must be in dire straits after being bound not only to pay a fine of 47.000 euros, but also to get compliant with the GDPR on central aspects of personal data processing within 14 days.
“obstructed the right
to withdraw consent”
The fine is given to QuickClickNow for “obstructing the exercise of the right to withdraw consent to the processing of personal data” and a number of other violations to the GDPR.
The President of the Personal Data Protection Office (PDPO) found that the company:
- Failed to provide users with an easy way to revoke their consent
- Breached the principles of transparency and fairness of processing
- Violated the right to be forgotten
- Processed personal data without a lawful basis
- Failed to implement appropriate measures under article 24 (responsibility of data controller)
Withdrawal of consent must be as easy as to give consent
The President of the PDPO established that the procedure for withdrawing consent to data processing was not at all simple and could not be completed in a quick manner.
The mechanism for withdrawal of consent involved link upon link with misleading information on the procedure. Moreover, the company forced users to state the reason for withdrawing consent. Failing to indicate the reason resulted in discontinuation of the process of withdrawing consent.
As such, the company did not implement appropriate technical and organizational measures that would enable easy and effective withdrawal of consent to the processing of personal data.
Neither did QuickClickNow provide users with the right to be forgotten.
This violated the principles of lawfulness, fairness and transparency of processing of personal data, specified in Article 7(3) and Article 12(2) of the GDPR.
GDPR article 7(3)
Conditions for consent.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
GDPR article 12(2)
Transparent information, communication and modalities for the exercise of the rights of the data subject.
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
Processing without legal basis
In the decision, the President of the PDPO also found that QuickClickNow processed their users’ personal data without any legal basis. This included users not being customers and users who had declined processing of their personal data.
"processed their users’
without any legal basis"
The PDPO decided that the company’s actions were intentional e.g. the contradictory communications regarding withdrawal of consent; the ineffective withdrawal of consent; the difficulties – and impossibilities to exercise the rights of the data subjects.
QuickClickNow is now ordered by the PDPO to adjust the process of withdrawing consent to data processing to the provisions of the GDPR. The company must also delete the data of data subjects who are not their customers and objected to processing the personal data.
4 tips to avoid same fine
Whether you use email marketing, marketing on social media or search and display campaigns, your target users have certain rights regarding their personal privacy.
Here we give you 4 tips to do marketing in a lawful manner.
- Be sure to collect and process your users’ personal data properly. That is, you must have a lawful basis that being either consent (most probably) or legitimate interest (if can be proven).
- Be transparent and inform your users what data you collect; process; for how long; and who else have access to the data (third-party providers).
- Provide your users with an option to decline processing of their data and offer them an easy way to revoke their consent.
- Citizens in the EU have the right to be forgotten. You must be able to delete all data on your users if required.
Get free assessment
If you have a website, you can always get a free assessment from Cookie Information on whether your users are provided with sufficient information on data processing and whether you collect their consent to data processing with cookies.
You can also book a meeting with us, and we’ll go through your cookie consent solution together.