The Danish Data Protection Agency focuses on the processing of personal data in online competitions
The case concerned a lead generation company’s disclosure of personal data in connection with the offering of internet competitions and the use and disclosure of questionnaires to business partners.
OBTAINING CONSENTS
By participating in the competition, participants had to give their consent for the company to process and pass on personal data.
The Danish Data Protection Agency assessed the case and decided that the consent was compliant with the data protection rules, but that it gave reason to consider whether the consent was given voluntarily. This is because the company did not just collect personal data for its own use, but also disclosed the personal data to the partners for direct marketing. It was therefore a matter of different processing activities.
According to the Data Protection Agency’s practice, consent has not been given voluntarily if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent to the various processing activities regarding personal data, so that the data subject is forced to consent to all purposes. Consent must therefore be granular.
The Data Protection Agency also assessed that the information in the questionnaires was too detailed to be passed on on the basis of legitimate interests under the GDPR, and that passing on the information therefore required consent.
STORAGE OF PERSONAL DATA
The company announced that the information is stored to document the validity of consent obtained.
The Danish Data Protection Agency stated that when the processing ends, the information must, as a starting point, be deleted, but that it can be stored for a limited period of time in the event of any disputes.
In addition, the company kept the participants’ phone numbers and e-mails on a no-thanks list.
The Danish Data Protection Authority stated that, with the no-thanks list, the company carried out unnecessary processing of personal data, and therefore raised serious criticism of that processing.
PARTICIPANTS RECEIVED INSUFFICIENT INFORMATION
The company stated that the participants in the competition were directed to the company’s personal data policy through a link in the competition, where the participants received the necessary information according to the GDPR.
The Danish Data Protection Agency stated that the information about the processing of the participant's personal data was insufficient, as the participants were not made aware that the company continued to store the personal data after consent had been withdrawn.
Read the decision here.
LUND ELMER SANDAGER’S COMMENT
The decision has implications for companies that generate leads and for the companies that receive leads from these companies. It is important that, when marketing consents are collected, the persons involved are properly and sufficiently informed about the processing to which they have consented. It is equally important that the companies that receive leads get access to and securely store the consent from the data subjects.
It is also important that companies do not store personal data unnecessarily, not even to ensure that people are not contacted unnecessarily.
It is particularly important that companies familiarize themselves thoroughly with the rules for deletion so that there is no doubt about where and when personal data must be deleted.
Read more about the rules for deletion on the Danish Data Protection Agency’s website here.
You can also read about the right of data subjects and your obligations as a company on the Danish Data Protection Agency’s website here.
If you have any questions about the case or about the rules for marketing and GDPR, please do not hesitate to contact our specialists in the area: Partner, Attorney Torsten Hylleberg, or Attorney Jimmy Fuglsbjerg Christensen.