Just for you, I've compiled a list of several selected fines issued by data protection authorities in EU countries. While these penalties haven't always been imposed on e-commerce entities, it seems to me that each of the processes discussed below is occurring or may occur in this industry. The decisions discussed here pertain to broadly defined electronic and telephone marketing, which, in our experience, is clearly present in e-commerce. Hence, the following examples.
The Romanian Personal Data Protection Authority
In this case, the data subject filed a complaint with the authority against SC Tensa Art Design SA, owner of the website www.lensa.ro . The complainant alleged that the company processed his telephone number for direct marketing purposes without his consent by sending him promotional SMS messages containing the company's offers.
During the proceedings, the company was unable to prove the data subject's consent to sending him or her such marketing messages, or any other legal basis for such actions.
The investigation established that the operator SC Tensa Art D
esign SA had not proved the existence of the petitioner’s consent or any other legal basis for the processing of his personal data for direct marketing purposes, thus violating the provisions of Article 6 of the GDPR in conjunction with Article 83(5)(a) of Regulation (EU) 2016/679.
In addition to the financial penalty itself, the company whatsapp number list was ordered to take the necessary measures to ensure compliance of processing operations with the provisions of the GDPR in the future, i.e. to avoid processing personal data for marketing purposes without the consent of the data subjects and without another legal basis referred to in Article 6 of the GDPR.
The Croatian Personal Data Protection Authority (Agencija za zaštitu osobnih podataka) imposed a fine of €20,000 on the bookmaker this year.
It results from the fact that the company collected and processed personal data of website users using cookies, without the user's prior, informed consent, expressed voluntarily and without ensuring the withdrawal of such consent.
The authority noted that where personal data processing is based on consent (especially for multiple purposes), the consent text (in this specific case, the cookie consent mechanism, such as a cookie banner) must be clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language. Since in this specific case, the data controller failed to distinguish the cookie banner and simultaneously obtained a single consent from website users covering various purposes (marketing, analytics/statistics), it was clear that the consent did not meet the requirements of the GDPR (it was not given knowingly and voluntarily), and therefore did not constitute an appropriate legal basis for data processing.
The supervisory authority also found that the controller failed to inform users about the processing of their personal data using cookies in accordance with the principle of transparency. The company's privacy policy did not include information about the legal basis, groups/types of cookies, the function/purpose of each cookie, or the cookie storage period. Therefore, there was a lack of comprehensive information about the processing of users' personal data, which consequently led to a violation of the information obligation referred to in Article 13 of the GDPR.
Furthermore, the data controller processed the personal data of website users as soon as the website was loaded, even though they had not yet consented to the collection of individual cookies. According to the data controller, this action is unfair because website visitors were unaware that their personal data was being collected upon entering the website, and this data was processed before users could consent to its processing.
In Italy, the local data protection authority (Garante per la protezione dei dati personali) imposed a fine of €60,000 on a call center company.
The company had previously been fined €10,000 for failing to respond to a request for information from the Italian regulator, which was sent to the company after a data subject complained about receiving marketing calls without consent. Following the fine for failing to respond, the regulator launched an audit to verify the legality of the call center's data processing.
The audit revealed that the company obtained the complainant's contact information from another company (based in Moldova), from which it acquired 100,000 contacts that were used to make over 32,600 phone calls. These calls led to approximately 300 contracts.