The Romanian Supervisory Authority fines website for ‘fake’ opt-in option

Updated: Apr 13, 2020

On the 26th of September 2019, the National Supervisory Authority completed an investigation at INTELIGO MEDIA SA, finding the following:

Violation of the provisions of Article 5 paragraph (1) letters a) and b), Article 6 paragraph (1) letter a) and Article 7 of the GDPR, which led to a fine of 9000 Euros.

The sanction was imposed because, when a new account was created on the internet site – belonging to the controller Inteligo Media SA – an unchecked field was displayed, with the following text: «I do not want to receive “personal update”, the information sent daily, free of charge, by email, by».

Under the mechanism established by the controller, if the user does not check this field, he/she is automatically subscribed; that is, his/her e-mail address is automatically entered into the database of subscribers to this information.

As a result, the subscription took place without any manifestation of will on the part of the users that would actually indicate acceptance of the processing for the purpose established by the controller.

During the investigation, the controller could not prove that it had obtained explicit consent, under the conditions laid down by Article 7 of the GDPR, for some of 4357 customers whose PII it processed.

Additionally, for the transmission of PII by e-mail, the controller processed the data on a legal basis that is not appropriate for the purpose, namely the “execution of a contract”.

In this context, we emphasise that, in line with Article 7 of the GDPR, if the processing is based on consent, the controller must be able to demonstrate that the data subject has given his/her consent to the processing of his/her PII.

At the same time, recital (32) of the same regulation states:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”

The source of this post was the European Data Protection Board website and can be found here