28 May 2018

In the recent past the Hungarian Data Protection Authority imposed a fine of 2 Million Hungarian Forints against Telekom, a major Hungarian telecommunication company, because of his unlawful direct marketing activity. Although the decision has been made before the entering into force of the GDPR, it is worth to examine the mistakes of Telekom. Indeed, the fine would have been much higher if it was imposed after the GDPR.

1. The lack of freely given consent

Telekom has based his data processing activity in relation with the direct marketing on the consent of the complainant which firstly he requested and „obtained” in the service contract. Nevertheless, in the contract the client did not have a real choice to opt-in since if he signed the contract, he has “given” his consent with his signature.

The Data Protection Authority pointed out that if the client does not have a real choice whether he gives his consent to the data processing or not, the consent cannot be considered as freely given thus it is invalid.

The practice of Telekom would be unlawful after the GDPR too, since based on the Regulation “combined” consent requests cannot be applied. For example, if you enter into a sales contract with your client, you cannot hide the consent to direct marketing activity in the terms of the contract. Instead, you need to request the client’s consent distinguishable from the basic objective of the contract.

2. Pre-ticked checkbox

The second basis of Telekom to send promotional information to the complainant was the declaration of the client made during the registration of his Telekom account in which he has consented to the processing of his data for direct marketing purposes.

However, the checkbox with the consent for direct marketing purposes was pre-ticked by Telekom during the registration. The client should have un-ticked the checkbox in order not to receive direct marketing messages.

According to the Data Protection Authority this practice is inappropriate as the pre-ticked checkbox does not enable the consent to be clear and unambiguous, thus it is also invalid. The GDPR sets forth the same requirements in relation with the consent, so you better forget the pre-ticked checkboxes.

3. The lack of prior notification

Another mistake of Telekom was that before „obtaining” the consent of his clients, he failed to inform them about the circumstances of the data processing. Both during the conclusion of the service contact and during the registration of the Telekom account Telekom provided only an incomplete and general information to the client about his data processing activity.

The lack of the sufficient prior notification about the data processing results in the invalidity of the consent, too, as the Data Protection Authority emphasized.

The GDPR provides a detailed list about the sets of information which the controller shall give to the data subject in relation with the facts and circumstances of the data processing. Further, the GDPR sets forth that in order for the consent to be valid you must at least inform the client who the data controller is and what the exact purpose of the data processing is.

4. Ignoring the objection of the client

Telekom has crowned his already unlawful direct marketing activity by sending further direct marketing (DM) messages to the client after he has revoked his consent and objected to the processing of his data.

The Data Protection Authority, to put it mildly, has not praised Telekom when he discovered that despite the client has revoked his “consent” in his Telekom account and requested Telekom 3 times not to send him promotional information, Telekom has sent him at least 10 DM messages through different channels.

Based on the GDPR that data subject has a right the erasure of his data by the controller if he has revoked his consent or objected to the processing of his data. Thus, for the future it is better if you take such requests of your clients seriously.

5. Lesson learnt

The mistakes of Telekom show what you should pay attention to in case you process personal data for direct marketing purposes.

First, you shall request the consent of your client in a clear and concise was. Forget the pre-ticked checkboxes and notify your client in prior how you will process his personal data.

Further, if your client does not want to receive DM messages from you, respect his request. An annoyed client could very quickly turn into a complainant before the Data Protection Authority and you will find yourself in an official procedure where you need to explain yourself while the threat of a fine of 20 Million Euros hanging over you.