GDPR decisions – September 2020

Holst, Advokater | View firm profile

In 2019, the Finnish DPA received complaints on the electronic direct marketing and neglection of rights of the data subject, contrary to what is provided for under the GDPR. The topics of direct marketing included various courses within building supply and asbestos removal. The data subjects reported that they had received direct marketing messages from the company without consenting to it first. Some of the data subjects had responded to the marketing message and requested the controller to stop sending such messages. Despite this, the data subjects still received direct marketing messages from the controller.

The controller argued that the electronic direct marketing was targeted at companies, to which the rules of prior consent do not apply. The controller stated that the telephone numbers of data subjects were used by the company, in which the data subjects worked, and therefore it was legitimate to send the messages.

The Finnish DPA stated that before targeting the data subjects with direct marketing, the controller should have separately determined the position of the person and decided whether the marketed courses were significantly relevant for the person’s duties. Therefore, the direct marketing by the controller targeted at natural persons could not be considered as intended for a company, and the controller should have requested the consent of the data subject for the electronic direct marketing, upon which the controller was given a reprimand. Furthermore, the data subjects had made requests concerning their rights in accordance with the GDPR, but the controller did not respond within one month of receiving the request as required by the GDPR. The controller had therefore not organized its operating methods legally and was also given a reprimand for not complying with the rights of the data subjects.

The sanctions board of the Finnish DPA imposed a financial sanction of EUR 7,000 in addition to the disciplinary measures mentioned above due to the intentional nature of the act, the number of similar offences over a short period of time, the disinterest of the controller in cooperating with the DPA and the fact that the controller had not shown any interest in the data subjects rights.

The decisions of the Finnish DPA can be read here (in Finnish)

ICO fines company for direct marketing to profit from COVID-19

The (ICO) has fined a company GBP 60,000 for sending thousands of nuisance marketing texts at the peak of the COVID-19 pandemic during spring. In order to capitalize and profit from the pandemic, the company sent over 16,000 texts between 29 February and 30 April 2020 promoting a hand sanitizing product which the company claimed was “effective against corona virus”.

The messages were all sent to people who had not consented in receiving them.

The company had been unable to evidence any consent, instead providing unclear and inconsistent explanations for its practices.

It seemed as if the company had relied on data from an online marketplace account belonging to its director, which he had operated since 2003. In addition, the company stated that some of its marketing texts were sent to individuals who had previously expressed an interest in ‘eBay’ offers on the director’s account page. The ICO concluded that it was not possible that individuals, whose data had been saved on the Director’s own ‘eBay’ account since 2003, or even those who may have expressed an interest in unrelated products on this account within the previous 24 months, could have provided valid consent to receive direct marketing text messages from the company in relation to hand sanitizer many years later.

The decision of the ICO can be read here

NCC in Denmark (part of NCC Group) is criticized for sharing data internally about a dismissed employee and for the company’s lack of compliance in respect of the obligation to disclose

On the basis of a complaint, the Danish DPA has severely criticised NCC Danmark A/S (NCC) for not processing personal data in compliance with the GDPR on lawful processing of personal data and sensitive personal data. NCC was also criticized for not having fulfilled its obligation to disclose in respect of the data that NCC had collected on its employees.

On 1 November 2018, NCC had dismissed the complainant with effect as at 4 November 2018. Danish trade union 3F represented the complainant in the matter, and given the dismissal, a case was initiated at the Danish Labour Court with the assertion about hostile acting on the part of NCC during the dismissal.

At the request of 3F, the dispute was covered by the press, however leaving out the complainant’s name during the coverage. As a result of the court proceedings, 3F and the Danish trade organisation for carpenters (“BJMF Snedker Tømrernes Brancheklub”) turned up unexpectedly on 18 February 2019 at NCC’s headquarters to protest and demonstrate with the participance of approx. 30-50 carpenters from Copenhagen representing the industry.

By sending out an email on 29 February 2019 in which “Dispute with 3F in the media“ was stated in the subject line, a senior production manager at NCC informed 17 construction managers about the background for the dispute with 3F. Thereby, NCC processed personal data about the complainant by disclosing name, the reason for dismissal, former employment and trade union memberships. NCC justified the email briefing with the turmoil on the construction sites caused by the coverage of the dispute in the media.

The DPA found that NCC’s processing of personal data and sensitive personal data in the email was not in compliance with the GDPR, seeing that NCC had not substantiated any legitimate interest in informing about the complainant’s dismissal nor about the complainant’s former employment. In addition, briefing about a dispute with a trade union may not contain personal data, since it is completely prohibited to process data about trade union memberships, and none of the exceptions to the prohibition applied.

Furthermore, the DPA found that NCC had not fulfilled its obligation to provide information to its employees, as it was found insufficient that the personal data policy for employees could be accessed through the company intranet, if the data subject (the employee) had not been specifically told that the policy could be found there.

The whole decision is available here (in Danish):



Henrik Christian Strand, Associated Partner
M, +45 3010 2186

Pernille Kristensen, Attorney
+45 3010 2224


More from Holst, Advokater