Spanish Data Protection Agency sanctions an entity for sending unsolicited commercial
communications through the "tell a friend" system
On 10 May 2016, the Spanish Data Protection Agency (SDPA) made a determination that an entity
which caused the sending out of unsolicited commercial communications via the "tell a friend" system
to third parties with whom it did not have any contractual relationships with is guilty of infringing Law
34/2002 on Information Society and Electronic Commerce Services, for the sending out of unsolicited
commercial communications without the unknown recipient's prior consent.
The entity asserted that it did not commit the actual sending out of said commercial communications.
It alleged that it was the registered users who did so by using the 'tell a friend' functionality. They
further claimed that they were not in possession of these third parties' email addresses.
However, according to the SDPA, in spite of the fact that (i) the performance of the sending of
commercial communications was not directly performed by the entity and (ii) the third parties' email
addresses were not accessible by the entity, the commercial communications were actually sent
using a functionality designed to promote its services and which was under the entity's control. As
such, while the SDPA considers that the registered users involved in the sending out of commercial
communications could select the recipients of said communication, the users neither had control over
its content nor the option to choose the means by which it was going to be sent.
For more information, please contact Raul Rubio, Patricia Perez, Rosario Alvarez, Ignacio Vela,
Alvaro Ubeda or Cristina Monereo.