SmartResponse - processing of personal data in connection with marketing

New guidance and decision from the Danish Data Protection Agency on the processing of personal data in connection with marketing

The Danish Data Protection Agency has just published a guideline on the storage of personal data with the aim of demonstrating that data controllers comply with the rules on consent.

The guiding text follows on from the Danish Data Protection Agency's decision on SmartResponse, which concerns the processing of personal data in connection with the offering of online competitions.

In the decision, the Danish Data Protection Agency has considered the storage of consents and several other matters of importance to the data controller's processing of personal data in connection with marketing.

Below you can read more about the issues that the Danish Data Protection Agency has considered in connection with the decision and the guiding text on the storage of personal data for documentation.

Storage of personal data

In connection with SmartResponse's contests, SmartResponse collected a number of personal data about the contest participants, including, among other things, phone numbers and email addresses.

In connection with the audit, SmartResponse stated that this personal data was not deleted if a contest participant withdrew their consent, but that it was stored on a so-called "no-take list" for five years after the consent was withdrawn. This was done in order to be able to document the withdrawal and to ensure that no marketing was sent to the person concerned after the withdrawal. The list was also used to block the use of false consents and the disclosure of withdrawn consents.

SmartResponse has set the retention period to five years to comply with the five-year statute of limitations in data protection law, after which violations of data protection law are no longer punishable and documentation of compliance is no longer required.

The Danish Data Protection Agency notes that documentation for a revoked consent may be stored for a limited period of time in order to clarify whether a dispute may exist or arise.

However, the legitimate interest justifying the continued retention of the documentation of consent must represent a real and present interest rather than a hypothetical interest, which is not the case with a "no-take list". In other words, it is contrary to the GDPR to keep the personal data on a "no-take list" for five years when there is no concrete prospect of disputes where the documentation of the consents is necessary and relevant.

Against this background, the Danish Data Protection Agency expressed serious criticism and noted that this continued processing was unnecessary and thus violated both the data minimization principle and the balancing of interests rule.

The Danish Data Protection Agency also ordered that the personal data on the opt-out list be deleted.

In addition, the Danish Data Protection Agency stated that a retention period of five years was too long and contrary to the principle of storage limitation, and that the mere possibility of a criminal case does not justify or necessitate storage for five years.

In the Danish Data Protection Agency's guiding text on the retention of personal data for documentation, the Danish Data Protection Agency confirms and clarifies the extent to which documentation for consents can be processed after the consent has been withdrawn.

The Danish Data Protection Agency refers in its guidance text to the fact that the data controller is not obliged to retain, obtain or process additional information to identify the data subject solely for the purpose of complying with the GDPR.

The controller must therefore only be able to demonstrate that the data subject has given consent for the duration of the processing. If the data subject withdraws his or her consent, the controller is therefore no longer obliged to be able to prove the consent, so this further processing is not necessary.

The clear starting point is therefore that personal data processed on the basis of the data subject's consent, including the consent itself, must be deleted immediately after the end of the processing activity.

The use of "no-acceptance lists", "blacklists" or similar registers, which are currently used by many companies, is significantly limited by the decision and the guiding text, as the storage of the documentation of the revoked consent must be justified by a probable or concrete dispute that necessitates the additional storage. In practice, this will largely mean that so few consents are "problematic" that such lists are not really possible.

This is in contrast to the Consumer Ombudsman's previous practice on the storage of documentation in the Consumer Ombudsman's spam guide, according to which documentation for consent may be stored until two years after it has been used for the last time, and the statute of limitations begins pursuant to the Danish Marketing Practices Act.

If your company uses a similar "no-thank-you list", the decision and the guidance are therefore an obvious opportunity to update internal procedures so that such lists are no longer used. More generally, it is particularly important to be aware that storing personal data by reference to a statutory limitation period is not necessarily legal, and that it is important that an assessment is also made of how long it is necessary to store the personal data in question in the specific case.

Duty of disclosure

It follows directly from the GDPR that data controllers must provide data subjects with a range of information about the processing of their personal data before the company's obligation to provide information is fulfilled.

The duty of disclosure means, among other things, that the company must provide data subjects with information about how long the company processes the personal data, or if this is not possible, the criteria used to determine this period.

This also applies when the company processes personal data in connection with competitions or other marketing.

In connection with the specific supervision, the Danish Data Protection Agency found that SmartResponse had not informed contest participants that their personal data would not be deleted if their consent was withdrawn.

The Danish Data Protection Agency criticized SmartResponse for not sufficiently observing its duty of disclosure.

Legal consent

In connection with the supervision, the Danish Data Protection Agency assessed, among other things, whether the consent obtained by SmartResponse as a basis for their processing and disclosure of personal data in connection with the competitions complied with the requirements of the GDPR.

According to the GDPR, consent must be freely given, specific, informed and unambiguously expressed by the data subject.

It also follows from the Danish Data Protection Agency's guidelines on consent that consent cannot be considered voluntary if the data subject has not had a genuine free choice. This means that consent must be broken down (granular) so that the data subject can give consent for each processing purpose separately.

In the case in question, SmartResponse obtained a single consent covering both SmartResponse's own use of the personal data and its disclosure to 46 business partners for those partners' use of the personal data for direct marketing.

However, in this specific case, the Danish Data Protection Agency assessed that the consent met the requirements of voluntariness, even though it was not granular. The Agency notes that it was crucial that the purpose of both SmartResponse's own processing and the disclosure was direct marketing. The decision thereby partially reverses the practice of the Consumer Ombudsman regarding group-wide consents, since according to the Consumer Ombudsman it has so far been necessary that all group companies included were named directly in the consent text.

The decision therefore opens up the possibility that in certain contexts it is not necessary to use granular consent forms, and that the granularity should be governed to a greater extent by the purposes of the processing. This may, among other things, be relevant in the case of group-wide consents, where a common consent can be used in certain situations if the purposes coincide.

However, it is still important to be aware that a concrete assessment must always be made as to whether the purposes are so similar that one consent is sufficient. The clear starting point remains that granularity is often necessary to obtain valid consent.

Disclosure of questionnaire

As part of the specific internet competition that was the subject of the inspection, participants were offered a questionnaire to fill out, with the aim of customizing the marketing to the individual's needs.

These questionnaires were passed on to SmartResponse's business partners without consent but based on the so-called balancing of interests rule.

It follows from section 13 of the Danish Data Protection Act that the disclosure of personal data about a consumer for the purpose of direct marketing requires consent, unless it is general customer information that forms the basis for division into customer categories and if the conditions of the balancing of interests rule in Article 6(1)(f) of the GDPR are met. The Danish Data Protection Agency states in the decision that personal data that is intended to classify the consumer into a customer category may, for example, be whether the consumer is a car owner or is interested in wine.

On the other hand, it is not allowed to disclose sensitive information or more detailed information about the consumer and their consumption patterns, e.g. that the car was purchased on credit or what type of wine the consumer buys.

The questionnaire in the case in question contained questions about mobile and TV provider, streaming services, affiliation with a mortgage credit institution and hourly affiliation with the labor market.

In this specific case, the Danish Data Protection Agency therefore assessed that the personal data that the participants were required to provide was too detailed for the disclosure to SmartResponse's business partners to be based on the balancing of interests rule and therefore required consent.

The decision thus contributes to clarifying the framework of section 13 of the Data Protection Act on the disclosure of personal data about consumers and when the information is so detailed that disclosure requires consent.

The questionnaire in question did not allow for partial completion. Even though the questionnaire thus also included "general customer information", which in isolation does not require consent for disclosure, the Danish Data Protection Agency assessed that disclosure of the questionnaire data "as a whole" required consent. It is thus worth considering whether a simple split in the setup can prevent otherwise lawful processing from being contaminated.

You can find the Danish Data Protection Agency's guiding text here, and you can read the decision on SmartResponse here.

If you have any questions about the case, the processing of personal data for marketing purposes or personal data law in general, you are always welcome to contact our experts in the CLEMENS data protection team.
