EN
Technology

Criticism and order to correct processing activities on “No thank you-list”

logo
Legal news
calendar 27 October 2022
globus Denmark

The Danish Data Protection Agency launched an investigation of how a marketing company transmitted personal data in connection with online competitions and connected questionnaires. The investigation resulted in different observations of data processing for marketing purposes, namely relating to data retention.

Upon request from the Danish Consumer Ombudsman, the Danish Data Protection Agency initiated an investigation of how a marketing company was processing data. The data was collected via online competitions where participants were required to fill out questionnaires. Based on the information in the answers provided, it was possible to make personalized marketing content for each participant.

As a result of the processing activities, the company was retaining data to prove that it had obtained lawful consent to carry out the processing activities. This data included the participant’s contact information, IP address and a time stamp. When a participant withdrew their consent, this data was also retained on a so-called “No thank you-list”. The basis for retaining the data was the company’s legitimate interest.

Data relating to the participant’s consent was then stored for 5 years after being given or withdrawn. Other data from the questionnaire was automatically anonymized after 1 year.

Out of sight is not out of mind

Data proving the validity of a consent can as a main rule be retained while the data processing activity is ongoing. After that, the data can exceptionally be retained for a limited period of time if it is necessary to clarify if a dispute exists or is likely to arise. Consequently, the Data Protection Agency emphasized that the 5-year retention period defined by the company was unlawful.

The company had defined the 5-year retention period based on the statute of limitation period under the data protection rules. According to the Data Protection Agency, the mere chance that criminal proceedings could be initiated against the company was not sufficient to make it necessary to apply a longer retention period derogating from the main rule.

Also, the Danish Data Protection Agency clarified that the “No thank you-list” clearly was unnecessary. The company should be able to document a valid consent. However, for that same reason, it was also unnecessary to make a list for invalid consents. Besides for criticism of the list, the company also received an order to delete the content on the list within four weeks.

IUNO’s opinion

It is undoubtfully difficult to navigate in the different retention and deletion requirements. Companies should create general guidelines for data retention in addition to case-by-case assessments of when deletion is an appropriate measure.

When it comes to data retention, IUNO especially recommends for companies to pay attention as to whether there are specific reasons that support that a dispute could arise. If this is the case, a longer retention period may be necessary in order for the company to document that it complied with the data protection rules.

[The Danish Data Protection’s judgement in case 2020-431-0075 of 30 September 2022]

Upon request from the Danish Consumer Ombudsman, the Danish Data Protection Agency initiated an investigation of how a marketing company was processing data. The data was collected via online competitions where participants were required to fill out questionnaires. Based on the information in the answers provided, it was possible to make personalized marketing content for each participant.

As a result of the processing activities, the company was retaining data to prove that it had obtained lawful consent to carry out the processing activities. This data included the participant’s contact information, IP address and a time stamp. When a participant withdrew their consent, this data was also retained on a so-called “No thank you-list”. The basis for retaining the data was the company’s legitimate interest.

Data relating to the participant’s consent was then stored for 5 years after being given or withdrawn. Other data from the questionnaire was automatically anonymized after 1 year.

Out of sight is not out of mind

Data proving the validity of a consent can as a main rule be retained while the data processing activity is ongoing. After that, the data can exceptionally be retained for a limited period of time if it is necessary to clarify if a dispute exists or is likely to arise. Consequently, the Data Protection Agency emphasized that the 5-year retention period defined by the company was unlawful.

The company had defined the 5-year retention period based on the statute of limitation period under the data protection rules. According to the Data Protection Agency, the mere chance that criminal proceedings could be initiated against the company was not sufficient to make it necessary to apply a longer retention period derogating from the main rule.

Also, the Danish Data Protection Agency clarified that the “No thank you-list” clearly was unnecessary. The company should be able to document a valid consent. However, for that same reason, it was also unnecessary to make a list for invalid consents. Besides for criticism of the list, the company also received an order to delete the content on the list within four weeks.

IUNO’s opinion

It is undoubtfully difficult to navigate in the different retention and deletion requirements. Companies should create general guidelines for data retention in addition to case-by-case assessments of when deletion is an appropriate measure.

When it comes to data retention, IUNO especially recommends for companies to pay attention as to whether there are specific reasons that support that a dispute could arise. If this is the case, a longer retention period may be necessary in order for the company to document that it complied with the data protection rules.

[The Danish Data Protection’s judgement in case 2020-431-0075 of 30 September 2022]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

26 January 2023

DPO across the Nordics

logo
Technology

8 December 2022

Company spilled the tea and got reported to the police

logo
Technology

24 November 2022

Colored cookie consent can be illegal nudging

logo
Technology

10 November 2022

Deadline to create whistleblower schemes for medium-sized companies approaching

logo
Technology

13 October 2022

Investigation criticized by the Danish Data Protection Agency

logo
Technology

22 September 2022

The Danish Data Protection Agency is testing the use of cloud solutions

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate