Are you selling or buying marketing databases in the Czech Republic? Watch out
As we have previously reported, the Czech Data Protection Authority (“DPA“) has repeatedly warned against a common practice on the Czech market: companies using personal contact details acquired from third parties for marketing communications. Nevertheless, it seems this practice continues and has again been attracting the attention of the DPA’s inspectors. The DPA has expressly stated that it will look into the use of marketing databases very intensively.
It is also clear from the DPA’s Annual Report for 2018 that the use of marketing databases was one of the hot topics in 2018. The DPA has imposed overall fines totalling approx. CZK 7.2 million (EUR 281,250). Almost half of those fines, totalling approximately CZK 3.5 million (EUR 136,719), were imposed for unsolicited marketing communications. The DPA has even established a new department dealing exclusively with unsolicited marketing communications.
It’s worth reminding readers that the problem with the use of marketing databases acquired from third parties is the lack of valid consent. Consequently, both the actual sender (e.g. a marketing company) as well as the client on whose behalf the communication is sent may be liable for wrongdoing.
Let’s have a look at some published cases
A recent case regarding SOLIDIS, a company trading marketing databases, gave rise to further inspections of the DPA in this field. SOLIDIS was processing, without a legal basis, personal data of several hundred thousand people (at least their names, addresses, and phone numbers) that it acquired from third parties. It is important to remember that persons’ consent granted to a particular data controller cannot be considered as automatic consent for another data controller. SOLIDIS was using personal data, acquired from third parties and from its own activities, to create databases which it then provided to its clients for a fee. SOLIDIS breached the Czech Data Protection Act (note that the case is from the pre-GDPR era) as it was using personal data for marketing communications and provided them to other controllers without persons’ consent. In addition, it failed to provide complete information about the scope of data processing and source of personal data. It could not avoid liability by referring to a contract with another party which should have ensured a legal basis for the processing (consent in this case). A relatively high fine (from the Czech perspective) was imposed on SOLIDIS, amounting to CZK 800,000 (approx. EUR 31,250). Its appeal was rejected.
The DPA’s Annual Report for 2018 (p. 40) cites another interesting case. Following a massive data breach in 2016, a market research company STEM/MARK was subject to proceedings by the DPA because the DPA had learned (from the press) that STEM/MARK purchased a database containing personal data from that data breach. STEM/MARK had not further used the data because it did not need them at the time and they were subsequently seized by the police. Nevertheless, STEM/MARK was fined CZK 400,000 (approx. EUR 15,625) because it unlawfully processed personal data of approx. 83 thousand persons (including individual entrepreneurs). STEM/MARK’s appeal was rejected.
Are fines the only consequence?
Surprisingly, a fine imposed by the DPA is not the only negative consequence that has followed from its inspections.
A company trading with marketing databases – VESNALORE – was subject to the DPA’s inspection based on three complaints. However, the inspection could not be carried out because the company’s registered office was merely virtual and its Executive Director was living abroad. Having requested information about the company from the Trade Licensing Office and from the Financial Authority, the DPA was informed that the company is non-responsive. The DPA concluded the inspection as it was not possible to evaluate the case and obtain the necessary documents. But the DPA informed the competent registry court that the company was not actually present at its registered office. In line with the relevant legislation, the registry court requested the company to remedy the situation. Apparently, the company failed to do so and the court initiated winding-up proceedings. The company was duly deleted from the Commercial Register in February 2019.
These cases are a reminder to companies engaging in this type of business to undertake proper due diligence. Before using databases provided by third parties it is essential to check that their contractual counterpart has obtained valid consents and will be able to provide them upon request.
MediaWrites will be keeping an eye out for any future developments in this area.