A decision by the Danish Data Protection Authority on operations carried out by a data broker for marketing purposes has addressed several novel points of interest.
In summary, the decision answered the following questions:
- If a data broker acquires personal data for its own marketing purposes but also for sharing with other data controllers identified for the same purposes, is it enough to collect a single consent or is it necessary to collect two (i.e., one for collection and the other for communication)?
- When the GDPR itself imposes specific behaviors on the data controller, do these behaviors qualify as personal data processing, and are they subject to the same principles and legal-basis requirements as any other processing?
- Article 7 of the GDPR imposes an obligation on the controller to prove consent. Can retaining information for the purpose of proving that consent was obtained be considered personal data processing?
- If the answer to the previous question is yes, what is the legal basis for processing data in order to demonstrate consent?
- How should the retention period of information aimed at demonstrating consent be determined?
- Is it proper to retain evidentiary consent information for the limitation period for legal actions?
- If the data subject withdraws his/her consent, can the data controller continue to retain the information that serves as proof of consent?
- If the data subject withdraws marketing consent, can the data controller place and keep the data subject's name on a list of those who have objected to marketing?
Danish Authority
In the decision involving the data broker SmartResponse, the Danish authority examined the following data collection practice for marketing purposes put in place by the data broker: website users were asked to participate in online contests on the condition that they release certain common personal data by consenting to their use for direct marketing purposes by SmartResponse itself and 45 other, specifically identified partners.
The notice contained in the website’s privacy policy, appropriately linked on the contest registration web page, provided all the information required by Article 13 of the GDPR. The notice also stated that information regarding the use of data by these partners was contained in the respective privacy policies of their websites.
In addition, the user's right to freely withdraw consent at any time was stated, including on the same web page and in the registration confirmation e-mail sent to the registered user's address. Withdrawal was made easy by always specifying the e-mail address to which the request should be sent.
A single consent was requested from the user, covering both the collection and use of data for SmartResponse's own marketing purposes and the communication of such data to the other 45 partners for the same purpose.