The President of the Personal Data Protection Office imposed an administrative fine of over PLN 201,000 for obstructing the exercise of the right to withdraw consent to the processing of personal data.
The punished company did not implement appropriate technical and organizational measures that would enable easy and effective withdrawal of consent to the processing of personal data and the exercise of the right to obtain the erasure of personal data (the „right to be forgotten”). Thus, it violated the principles of lawfulness, fairness and transparency of processing of personal data, specified in the GDPR.
The proceedings of the President of the Personal Data Protection Office (PDPO) established that the company violated the abovementioned provisions of the GDPR, because the mechanism of the consent withdrawal, involving the use of a link included in the commercial information, did not result in a quick withdrawal. After the link was set up, messages addressed to the person interested in withdrawing consent were misleading. Moreover, the company forced stating the reason for withdrawing consent, which is not required by law. Furthermore, failure to indicate the reason resulted in discontinuation of the process of withdrawing consent.
In the decision, the President of the PDPO also pointed out that the company processed, without any legal basis, the data of data subjects, who are not its customers and from whom the company received objections to processing their personal data. Thus, it also violated the so-called „right to be forgotten”.
When determining the amount of the administrative fine, the President of the PDPO did not take into account any mitigating circumstances affecting the final penalty. He also decided that the company’s action was intentional – providing contradictory communications to the data subject interested in withdrawing consent resulted in an ineffective withdrawal of consent. In this way, the company made it difficult, or even impossible, to exercise the rights of the data subjects.
The President of PDPO also ordered the entity to adjust the process of processing requests for withdrawing consent to data processing to the provisions of the GDPR. The company has 14 days from the date of delivery of the decision to comply with it. The company must also delete the data of it ex- consumers who objected to processing the personal data concerning them.
