Closely related to the exercise of the right to erasure is the controller’s obligation under Article 12(3) of the GDPR to provide the data subject with information regarding the measures taken in response to their request, without undue delay and in any event within one month of receipt of the request. How does this affect companies’ marketing activities? What if the deadline is not met and/or the data is not erased?
Every day, each of us finds a number of emails containing newsletters in our inboxes. A newsletter is sent at regular intervals—usually on a weekly basis—to subscribers who have given their consent to receive it. The main purpose of newsletters, which are primarily used by e-shops, is to maintain regular contact with customers, inform them about discounts and seasonal sales, promote new products, and, above all, attract customers to the e-shop’s website. In addition to email communication, websites also send brief updates via SMS messages to phone numbers provided by customers—primarily when placing orders—as part of their marketing strategy.
A private phone number, as well as an email address, can be considered personal data through which a natural person can be identified. Websites typically store email addresses and phone numbers in their databases in such a way that a specific customer’s first and last name is linked to the contact information used for sending newsletters.
However, after a certain period of time, emails or SMS messages containing newsletters usually begin to overwhelm subscribers, leading them to decide to unsubscribe. Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the so-called GDPR), gives data subjects the right to be forgotten, which consists of the right to obtain from the controller, without undue delay, the erasure of personal data concerning the data subject. The controller is obliged to erase such personal data without undue delay if the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing.
Closely related to the exercise of the right to erasure is the controller’s obligation under Article 12(3) of the GDPR to provide the data subject with information regarding the measures taken in response to their request, without undue delay and in any event within one month of receipt of the request. However, the one-month period may be extended if necessary.
Failure to respect the right to erasure constitutes a significant infringement of the right to the protection of personal data and is also a frequent reason for the imposition of fines by the Office for Personal Data Protection (hereinafter the “Office”). In a recent decision, the Office imposed a fine of EUR 400 on a data controller—a sporting goods store—for violating Article 12(3) of the GDPR.
The infringement consisted of the controller continuing to send unsolicited SMS messages to the complainant despite her having exercised her right to erasure. The controller defended itself by arguing that the complainant’s email exercising her right to erasure had inadvertently ended up in the spam folder for technical reasons, as a result of which the controller was unaware that the complainant had exercised her right to erasure of personal data. Otherwise, the complainant’s phone number would have been immediately deleted from the controller’s database. Given that the controller processed the complainant’s request only five months after the right to erasure was exercised, the Office concluded that there had been a violation of Article 12(3) of the GDPR.
Several important conclusions can be drawn from the Office’s decision described above, specifically:
- The fact that an unsubscribe request ends up in the spam folder does not relieve the controller of the obligation to respect the data subject’s right to erasure.
- When handling a request for erasure, the controller must remember the obligation to inform the data subject of the measures taken pursuant to Article 12(3) of the GDPR.
- Subscribers have the right to unsubscribe at any time, and if the controller fails to respect the right to erasure, they may contact the Office for Personal Data Protection, which is authorized to impose a fine on the controller.