Blog » HOW NOT TO DO DIRECT MARKETING? LEARN FROM THE MISTAKES OF TELEKOM!
HOW NOT TO DO DIRECT MARKETING? LEARN FROM THE MISTAKES OF TELEKOM!
28 May 2018
In the recent past the Hungarian Data Protection Authority imposed a fine of 2 Million Hungarian Forints against Telekom, a major Hungarian telecommunication company, because of his unlawful direct marketing activity. Although the decision has been made before the entering into force of the GDPR, it is worth to examine the mistakes of Telekom. Indeed, the fine would have been much higher if it was imposed after the GDPR.
1. The lack of freely given consent
Telekom has based his data processing activity in relation with the direct marketing on the consent of the complainant which firstly he requested and „obtained” in the service contract. Nevertheless, in the contract the client did not have a real choice to opt-in since if he signed the contract, he has “given” his consent with his signature.
The Data Protection Authority pointed out that if the client does not have a real choice whether he gives his consent to the data processing or not, the consent cannot be considered as freely given thus it is invalid.
The practice of Telekom would be unlawful after the GDPR too, since based on the Regulation “combined” consent requests cannot be applied. For example, if you enter into a sales contract with your client, you cannot hide the consent to direct marketing activity in the terms of the contract. Instead, you need to request the client’s consent distinguishable from the basic objective of the contract.
2. Pre-ticked checkbox
The second basis of Telekom to send promotional information to the complainant was the declaration of the client made during the registration of his Telekom account in which he has consented to the processing of his data for direct marketing purposes.
However, the checkbox with the consent for direct marketing purposes was pre-ticked by Telekom during the registration. The client should have un-ticked the checkbox in order not to receive direct marketing messages.
According to the Data Protection Authority this practice is inappropriate as the pre-ticked checkbox does not enable the consent to be clear and unambiguous, thus it is also invalid. The GDPR sets forth the same requirements in relation with the consent, so you better forget the pre-ticked checkboxes.
3. The lack of prior notification
Another mistake of Telekom was that before „obtaining” the consent of his clients, he failed to inform them about the circumstances of the data processing. Both during the conclusion of the service contact and during the registration of the Telekom account Telekom provided only an incomplete and general information to the client about his data processing activity.
The lack of the sufficient prior notification about the data processing results in the invalidity of the consent, too, as the Data Protection Authority emphasized.
The GDPR provides a detailed list about the sets of information which the controller shall give to the data subject in relation with the facts and circumstances of the data processing. Further, the GDPR sets forth that in order for the consent to be valid you must at least inform the client who the data controller is and what the exact purpose of the data processing is.
4. Ignoring the objection of the client
Telekom has crowned his already unlawful direct marketing activity by sending further direct marketing (DM) messages to the client after he has revoked his consent and objected to the processing of his data.
The Data Protection Authority, to put it mildly, has not praised Telekom when he discovered that despite the client has revoked his “consent” in his Telekom account and requested Telekom 3 times not to send him promotional information, Telekom has sent him at least 10 DM messages through different channels.
Based on the GDPR that data subject has a right the erasure of his data by the controller if he has revoked his consent or objected to the processing of his data. Thus, for the future it is better if you take such requests of your clients seriously.
5. Lesson learnt
The mistakes of Telekom show what you should pay attention to in case you process personal data for direct marketing purposes.
First, you shall request the consent of your client in a clear and concise was. Forget the pre-ticked checkboxes and notify your client in prior how you will process his personal data.
Further, if your client does not want to receive DM messages from you, respect his request. An annoyed client could very quickly turn into a complainant before the Data Protection Authority and you will find yourself in an official procedure where you need to explain yourself while the threat of a fine of 20 Million Euros hanging over you.
CAN THE EMPLOYER EXPAND THE EMPLOYEES’ DUTIES WITHOUT CHANGING THE JOB DESCRIPTION IN HUNGARY?
The position and tasks of the employee are one of the key elements of the employment contract and are typically recorded in the job description. It is often a matter of dispute between the parties whether the employer can unilaterally modify the job description at all, and if so, to what extent. In a recent court decision, a Hungarian appellate court addressed the above question in a situation where the employer supplemented the employee's tasks with new tasks similar to his existing tasks. In this article, we analyse the recent decision on this matter.Read more »
CAN A HARSH FACEBOOK COMMENT BE A LAWFUL GROUND FOR DISMISSAL IN HUNGARY?
Social media platforms significantly changed the ways how people express their opinions: sharing views became easier than ever. On the one hand, this is positive, but on the other hand, it is also dangerous in the employment context, as the employee's opinion may be prejudicial to the employer's interests. A recent decision of the Hungarian Supreme Court gives answer to the question whether the employer can dismiss the employee for expressing his opinion on Facebook.Read more »
NEW EU – US DATA PRIVACY FRAMEWORK - SIMPLIFIED DATA TRANSFER TO THE US
With the Schrems II judgment, which invalidated the Privacy Shield, the CJEU (Court of Justice of the European Union) make it more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. However, the new EU-US Data Privacy Framework (or “Framework”) adopted on 10 July aims to put an end to this situation. But how does the Framework make data transfers between the EU and US easier? In this short article, we explain the basics of the new Framework and answer the above question.Read more »