Spain - Fine imposed for unsolicited communication send through a 'tell-a-friend' system
Published 10 May 2016
The Spanish Data Protection Agency ("SDPA") has imposed a sanction amounting to EUR 10,000 on a company for sending unsolicited commercial communications through a "tell-a-friend" system, violating article 21 of Law 34/2002 on Information Security and Electronic Commerce Services.
The infringing company managed a mobile application which allows users to find leisure plans in their city. The app has an offer for its already registered users consisting of a EUR 5 discount if they send an invitation to join the app to their contacts.
The complainant in this case requested that the company stop using their personal data and stop sending the unsolicited communications. However, the company did not comply with this request and continued to use the complainant's personal data to send these communications. As a result the individual filed a complaint before the SDPA for the violation of article 21 of Law 34/2002.
Article 21 of Law 34/2002 prevents companies from sending unsolicited marketing communications unless they are expressly authorised by the recipients or there is a contractual relationship between the company and the recipient and the recipient has not opted out of receiving those communications. In addition, even if the communication is permitted, the company should establish an easy and free mechanism to allow the recipient to withdraw the authorisation to receive such communications.
One of the main arguments of the infringing company during the proceedings is that the invitations to join the app were sent by the already registered users, and not by the company itself. The SDPA explained that regardless of the fact that the company did not send the messages directly to the potential users itself, it was the company that designed the system to send the messages to potential users. The company decided, amongst other things, the content of the messages sent, the incentive of EUR 5 discount to the registered user for sending the messages and the technical solution which the messages were sent through. The SDPA also clarified that despite the already registered users being the ones choosing which contacts to send the messages to, they do not have control over the communications, because the decisions on content and means were taken by the company.
Furthermore, once the SDPA reached the conclusion that the company was liable for these unsolicited communications, it examined the communications themselves and found that the invitations to join the app did not contain an easy and free mechanism for the recipient to oppose to such communications thus breaching also section 2 of article 21 of Law 34/2002.
Although fines for minor infringements can amount to a maximum of EUR 30,000, in this case, because it was demonstrated that the claimant has suffered any damage by receiving the messages and the fact that the company did not increase its profitability thanks to the violation of the law, the SDPA did not to impose the maximum sanction.
This decision is a reminder that where marketing communications are to be sent to customers, organisations should ensure that they have a legal basis for sending the communications and that they provide a straightforward opt out mechanism from such communications.
A copy of the decision can be accessed here.