What does this cover?

On 1 December 2015 the Spanish Data Protection Authority (DPA) issued a resolution in relation to a case involving a notification to customers by a company that their customer databases were being assigned to a third party who would be responsible for the circulation of marketing materials. Customers were given 30 days to object and informed that silence would be considered acceptance of the transfer.

One customer complained of a serious breach when they were unable to successfully object. However, the company was able to prove the successful operation of the opt-out function for the majority of customers and acknowledged the consent notice had not been implemented thoroughly at the start, resulting in a minor category fine of EUR 900.

What action could be taken to manage risks that may arise from this development?

Organisations in Spain should ensure any marketing opt-out functions are fully operational. On this occasion, because the failure affected only one subscriber, the breach was deemed to be minor; however, where failures affect multiple customers, such a breach is likely to be dealt with more harshly.