Another sanction for the violation of GDPR
On the 26th of September 2019, the National Supervisory Authority completed an investigation at INTELIGO MEDIA SA, finding the following:
Violation of the provisions of Article 5 paragraph (1) letters a) and b), Article 6 paragraph (1) letter a) and Article 7 of the GDPR, which led to imposing an administrative fine in the amount of 9000 Euros.
The sanction was imposed as a result of an intimation indicating that for the creation of a new account on the website avocatnet.ro - belonging to the controller Inteligo Media SA, an unchecked box will be displayed, with a text having the following content: «I do not want to receive “Personal Update”, the information sent daily, free of charge, by email, by avocatnet.ro».
According to these conditions established by the controller, to the extent that a user omits the check this box, he/she is automatically subscribed, respectively his/her e-mail is entered automatically in the subscriber database to this information.
Thus, the subscription took place in the absence of a manifestation of will on the part of the users, which clearly indicates the acceptance of the processing for the purpose established by the controller.
During the investigation, the controller could not prove that it obtained an explicit consent, under the conditions provided by Article 7 of the GDPR, for a number of 4357 users, for which it processed their personal data.
Also, for the transmission of daily information by e-mail, the controller processed the data on the basis of a legal basis that is not appropriate for the purpose, namely the “execution of a contract”.
In this context, we emphasize that according to Article 7 of the GDPR, if the processing is based on consent, the controller must be able to demonstrate that the data subject has given his/her consent for the processing of his/her personal data.
At the same time, recital (32) of the same regulation states:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
Legal and Communication Department