Criticism and order to correct processing activities on “No thank you-list”
The Danish Data Protection Agency launched an investigation of how a marketing company transmitted personal data in connection with online competitions and connected questionnaires. The investigation resulted in different observations of data processing for marketing purposes, namely relating to data retention.
Upon request from the Danish Consumer Ombudsman, the Danish Data Protection Agency initiated an investigation of how a marketing company was processing data. The data was collected via online competitions where participants were required to fill out questionnaires. Based on the information in the answers provided, it was possible to make personalized marketing content for each participant.
As a result of the processing activities, the company was retaining data to prove that it had obtained lawful consent to carry out the processing activities. This data included the participant’s contact information, IP address and a time stamp. When a participant withdrew their consent, this data was also retained on a so-called “No thank you-list”. The basis for retaining the data was the company’s legitimate interest.
Data relating to the participant’s consent was then stored for 5 years after being given or withdrawn. Other data from the questionnaire was automatically anonymized after 1 year.
Out of sight is not out of mind
Data proving the validity of a consent can as a main rule be retained while the data processing activity is ongoing. After that, the data can exceptionally be retained for a limited period of time if it is necessary to clarify if a dispute exists or is likely to arise. Consequently, the Data Protection Agency emphasized that the 5-year retention period defined by the company was unlawful.
The company had defined the 5-year retention period based on the statute of limitation period under the data protection rules. According to the Data Protection Agency, the mere chance that criminal proceedings could be initiated against the company was not sufficient to make it necessary to apply a longer retention period derogating from the main rule.
Also, the Danish Data Protection Agency clarified that the “No thank you-list” clearly was unnecessary. The company should be able to document a valid consent. However, for that same reason, it was also unnecessary to make a list for invalid consents. Besides for criticism of the list, the company also received an order to delete the content on the list within four weeks.
IUNO’s opinion
It is undoubtfully difficult to navigate in the different retention and deletion requirements. Companies should create general guidelines for data retention in addition to case-by-case assessments of when deletion is an appropriate measure.
When it comes to data retention, IUNO especially recommends for companies to pay attention as to whether there are specific reasons that support that a dispute could arise. If this is the case, a longer retention period may be necessary in order for the company to document that it complied with the data protection rules.
[The Danish Data Protection’s judgement in case 2020-431-0075 of 30 September 2022]
Upon request from the Danish Consumer Ombudsman, the Danish Data Protection Agency initiated an investigation of how a marketing company was processing data. The data was collected via online competitions where participants were required to fill out questionnaires. Based on the information in the answers provided, it was possible to make personalized marketing content for each participant.
As a result of the processing activities, the company was retaining data to prove that it had obtained lawful consent to carry out the processing activities. This data included the participant’s contact information, IP address and a time stamp. When a participant withdrew their consent, this data was also retained on a so-called “No thank you-list”. The basis for retaining the data was the company’s legitimate interest.
Data relating to the participant’s consent was then stored for 5 years after being given or withdrawn. Other data from the questionnaire was automatically anonymized after 1 year.
Out of sight is not out of mind
Data proving the validity of a consent can as a main rule be retained while the data processing activity is ongoing. After that, the data can exceptionally be retained for a limited period of time if it is necessary to clarify if a dispute exists or is likely to arise. Consequently, the Data Protection Agency emphasized that the 5-year retention period defined by the company was unlawful.
The company had defined the 5-year retention period based on the statute of limitation period under the data protection rules. According to the Data Protection Agency, the mere chance that criminal proceedings could be initiated against the company was not sufficient to make it necessary to apply a longer retention period derogating from the main rule.
Also, the Danish Data Protection Agency clarified that the “No thank you-list” clearly was unnecessary. The company should be able to document a valid consent. However, for that same reason, it was also unnecessary to make a list for invalid consents. Besides for criticism of the list, the company also received an order to delete the content on the list within four weeks.
IUNO’s opinion
It is undoubtfully difficult to navigate in the different retention and deletion requirements. Companies should create general guidelines for data retention in addition to case-by-case assessments of when deletion is an appropriate measure.
When it comes to data retention, IUNO especially recommends for companies to pay attention as to whether there are specific reasons that support that a dispute could arise. If this is the case, a longer retention period may be necessary in order for the company to document that it complied with the data protection rules.
[The Danish Data Protection’s judgement in case 2020-431-0075 of 30 September 2022]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing