Polish DPA imposes fine for not having appropriate controls around ‘withdrawal of consent’

Updated: Apr 13, 2020

The President of the Personal Data Protection Office fines over PLN 201,000 for issues over the right to withdraw consent.

The Polish DPA press release can be found here

The organization ClickQuickNow Sp. z o.o. didn’t execute fitting technical and business controls that would allow simple and viable withdrawal of consent to the preparing of PII and the activity of the privilege to get the deletion of said PII (the “right to be forgotten”). Consequently, it abused the standards of legality, reasonableness and transparency of handling of PII indicated in the GDPR.

The President of the Personal Data Protection Office (PDPO) found that the organization’s activities were additionally conflicting with Article 7(3) of the GDPR. The organization didn’t consider the rule that withdrawal of consent ought to be as simple as giving consent – despite what might be expected, it applied confused authoritative and specialized arrangements as to the withdrawal of consent.

Also, the organization didn’t encourage the activity of the subject rights, as required by Article 12(2) of the GDPR.

In light of the fact that the system of the consent withdrawal, including the utilization of a connection remembered for the business data, didn’t bring about a snappy withdrawal. After the connection was set up, messages routed to the individual keen on pulling back consent were misdirecting. Also, the organization constrained expressing the explanation behind pulling back consent, which isn’t required by the law. Besides, the inability to demonstrate the explanation brought about the suspension of the way toward pulling back consent.

In his choice, the President of the PDPO likewise called attention to that the organization prepared, with no lawful premise, the PII of data subjects, who are not its clients. Along these lines, it likewise abused the purported “right to be forgotten”.

While deciding the measure of the managerial fine, the President of the PDPO didn’t consider any relieving conditions influencing the final fine. He additionally chose that the organization’s activity was deliberate – giving conflicting interchanges to the information subject keen on pulling back consent brought about an inadequate withdrawal of consent. The organization made it troublesome, or even unimaginable, to practice the rights of the information subjects.

The President of PDPO has not just fined on the organization, yet in addition, requested it to change the approach toward withdrawing consent. ClickQuickNow Sp. z o.o. had 14 days (from November 6th) from the date of conveyance of the choice to comply with the recommendations. The organization should likewise erase PII of data subjects who are not its clients and questioned processing the PII concerning them.