Spain - Make sure the opt-out mechanisms work from the very beginning The Spanish DPA's Resolution No. 03013/2015 dated 1 December 2015 concerns a case where an entity sent out a consent notice to subscribing customers informing them of an intended assignment of the customer personal database to a third party entity for the purpose of continuing the distribution of its newsletter/magazine. Customers were granted a 30-day period to object to the data assignment with a warning that silence will be construed as consent to the data assignment. In the consent notice, the company provided customers with opt-out mechanisms (a dedicated email address and a telephone number), which one subscriber (out of 10,000 recipients) tried out, without success, on the same day of receipt of the said consent notice. The subscriber then filed a complaint with the Spanish DPA reporting a consent breach, which brought about the proceeding against the company for serious infringement with sanctions ranging from 40,001 up to 300,000 Euros. In the proceeding, the company proved that the opt-out mechanisms worked well for 51 other customers who successfully opted-out. In addition, it also admitted culpability for the faulty implementation of the consent notice at the very beginning. In its resolution, the Spanish DPA deemed the act to merely constitute a minor infringement. It took into consideration that recognition of culpability and other circumstances, including the non-continuing nature of the infringement, the volume of the data processing carried out, and the intention of the erring party, merited the application of the lower range of fines (from 900 up to 40,000 Euros) for minor infringements, which resulted to the imposition of a fine on the company of 900 Euros. For more information, please contact Jordi Masdevall.
- Checklist Checklist: Managing a dawn raid Recently updated
- Checklist Checklist: When and how to appoint a data protection officer (UK)
- Checklist Checklist: Data subject access rights under the GDPR (UK)