The Lithuanian SA adopted a decision on the processing of personal data for the purpose of direct marketing

Background information

• Date of decision: 15 July 2022
• National case
• Controller or processor: provider of accommodation services (hereinafter - the Company)
• Legal references: Principles of legality, fairness and transparency (Art. 5(1)(a) of GDPR), consent of the data subject (Art. 7(2) of GDPR), direct marketing (Art. 81(1) of ECL)
• Decision: The complaint was upheld, infringements of Art. 5(1)(a) and Art. 7(2) of GDPR and Art. 81(1) ECL

Summary of the Decision

Origin of the case

The State Data Protection Inspectorate (hereinafter - the Inspectorate) accepted to examine the applicant’s complaint, which states that during his stay in a hotel operated by the Company, the Company started sending advertising communications to the applicant’s e-mail. The applicant noted that the Company did not provide an opportunity to object to the processing of his personal data for the purpose of direct marketing.

The Company provided explanations that the applicant’s e-mail address was received upon submission thereof by the applicant to the hotel website at the time of reservation of accommodation services, since each buyer when making a hotel room reservation, agrees with the booking rules, which stipulate that, when booking services, the customer agrees that his personal data will be entered into the Company’s database and be used to perform the hotel reservation procedure and for direct marketing purposes. The Company indicated that it was possible to unsubscribe from its newsletters at any time by clicking on the link in each of them, and also pointed out that the applicant did not make use of this opportunity and did not refuse the Company’s direct marketing communications.

Key Findings

Although the concept of consent of the ECL for direct marketing is not provided, however, when applying legislation systematically and taking into account Article 3(102) of the ECL and Article 2(3) of the LPPDL, the definition of consent provided in Article 4(11) of the GDPR is followed, according to which the consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her. In accordance with the provisions of Article 5(1)(a), Article 7(2) of the GDPR, recital 43 of the GDPR, and provisions of clauses 13, 26 and 42 of the EDPB Guidelines on consent, the Inspectorate concluded that the applicant, before submitting his or her personal data to the Company, was not given the possibility to separately give consent/do not give consent to the processing of his or her personal data specifically for the purpose of direct marketing, regardless of the consents given for other purposes (e.g. for the purpose of booking hotel accommodation).

Decision

Since the Company provided individuals, including the applicant, with the opportunity to make a hotel reservation only bundled with the consent for direct marketing communications (newsletters), the Inspectorate found infringements of the provisions of Article 5(1)(a) and Article 7(2) of the GDPR. The Inspectorate also found that the Company had infringed the provisions of Article 81(1) of the ECL by not having collected consent of the applicant that meets the requirements of the legislation regarding the receipt of direct marketing messages.

For further information: Išnagrinėjus skundą priimtas sprendimas dėl asmens duomenų tvarkymo tiesioginės
rinkodaros tikslu