Penalties for failure to comply with the right to erasure under the GDPR

03.08.2022 | Author: Top privacy

Closely related to the right to erasure is the obligation imposed on controllers by Article 12(3) of the GDPR to provide the data subject with information about the measures taken in response to their request, without undue delay and in any event within one month of the request being received. How does this affect companies' marketing activities? What if the deadline is not met and/or the data is not deleted?

Every day, each of us finds numerous emails containing newsletters in our inboxes. A newsletter is sent at regular intervals, usually on a weekly basis, to subscribers who have agreed to receive it. The main purpose of newsletters, which are mainly used by e-shops, is to maintain regular contact with customers, inform them about discounts and seasonal sales, promote new products, and, above all, attract customers to the e-shop's website. In addition to email communication, websites also send short news updates via SMS messages to phone numbers provided by customers, primarily when ordering goods, as part of their marketing strategy.

Private phone numbers and email addresses can be considered personal data that can be used to identify a natural person. Websites usually store email addresses and phone numbers in their databases in such a way that the first and last name of a specific customer is assigned to the contact information used for sending newsletters.

However, emails or SMS messages containing newsletters usually start to overwhelm subscribers after a certain period of time, which is why they decide to unsubscribe. Under Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the GDPR), data subjects have the right to be forgotten: the right to obtain from the controller the erasure of personal data concerning them without undue delay. The controller is obliged to erase such personal data without undue delay if the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing.

Closely related to the right to erasure is the obligation of the controller under Article 12(3) of the GDPR to provide the data subject with information on the measures taken on the basis of their request, without undue delay and in any event within one month of receipt of the request. However, the one-month period may be extended if necessary.

Failure to respect the right to erasure is a significant interference with the right to the protection of personal data and is also a frequent reason for the imposition of fines by the Office for Personal Data Protection (hereinafter referred to as the "Office"). In a recent decision, the Office imposed a fine of EUR 400 on a sports equipment retailer for violating Article 12(3) of the GDPR.

The breach consisted in the fact that, although the complainant had exercised her right to erasure, the controller continued to send her unsolicited SMS messages. The controller argued that the complainant's email exercising her right to erasure had accidentally ended up in the spam folder for technical reasons, as a result of which the controller was not aware that the complainant had exercised her right to erasure of her personal data. Otherwise, the complainant's telephone number would have been deleted from the controller's database immediately. Given that the controller did not process the complainant's request until five months after the right to erasure was exercised, the Office concluded that there had been a breach of Article 12(3) of the GDPR.

Several important conclusions can be drawn from the Office's decision for practical purposes, namely:

  1. The fact that an unsubscribe request ends up in the spam folder does not relieve the controller of its obligation to respect the data subject's right to erasure.
  2. When a data subject exercises the right to erasure, the controller must remember its obligation to inform the data subject of the measures taken in accordance with Article 12(3) of the GDPR.
  3. Subscribers have the right to unsubscribe at any time and, if the controller fails to respect the right to erasure, they may contact the Office for Personal Data Protection, which is authorized to impose a fine on the controller.
