The Hungarian data protection authority (NAIH) fined Magyar Éremkibocsátó Kft, a limited liability company engaged in the numismatic business, HUF 30m (approx. EUR 73,000) for unlawful direct marketing activities.
A key message of the decision is that the data subject's consent to data processing may not be "smuggled into" statements that do not explicitly provide for it.
In the company's letter sent to its customers by regular post, customers received an order form which, if they signed it (i.e. by placing an order) was automatically considered by the company as consent to the processing of the customer's data for the purpose of direct marketing. In other words, it was not possible to place an order without the data subject's consent to direct marketing data processing.
The Authority's decision confirms that personal data may only be processed on the basis of consent if the data subject gives their consent to the processing of their data genuinely and explicitly. Thus, consent is invalid and personal data may not be processed if the consent statement is "provided" together with another statement without the data subject's explicit consent to the processing.
This common practice of data controllers treating event registrations or purchases on a website as the granting of consent is flawed and should definitely be reviewed by clients. The solution may be to obtain consent through active engagement or to choose another legal basis for such direct marketing data processing.
By Aron Hegyi, Associate, Schoenherr