The Data Protection Inspectorate ('DPI') issued, on 15 June 2022, its decision in Case No 2.1.-1/21/2663, in which it issued a warning to IPF Digital AS, for violations regarding direct marketing under the Electronic Communications Act 2005 ('the Electronic Communications Act'), following a complaint lodged by an individual.

Background to the decision

In particular, the DPI explained that the complainant had received several unsolicited reminders via SMS every time they had started to fill in an application on Credit24's website, one of IPF Digital's brands, and subsequently left the application in progress. Additionally, the DPI noted that the complainant had also reported that they had refused and withdrawn their consent to direct marketing but continued to receive such communications.

Subsequently, the DPI noted that IPF Digital had explained that a reminder message was sent to the person who started the loan application on Credit24's website on the basis of legitimate interest under Article 6(1)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and further outlined that the sending of the reminder messages did not constitute direct marketing, therefore, by opting out of direct marketing, the customer did not opt out of receiving the reminder messages.

Findings of the DPI

Further to the above, and based on the elements acquired, the DPI rejected IPF Digital's view that the reminder messages did not constitute direct marketing, highlighting that, while there is no legal definition of direct marketing, if the sending of an offer promotes in any way the activities of an undertaking, it is always direct marketing. In light of this, the DPI outlined that the reminder messages in question constituted a promotion of IPF Digital's activity, since sending such messages potentially increases the total number of credit applications and thus the number of borrowers.  

Moreover, the DPI clarified that, according to the Electronic Communications Act, direct marketing by email or SMS may only be carried out with the prior consent of the individual concerned, while the data controller's legitimate interest is not a permissible legal basis. In fact, the DPI outlined that direct marketing may rely on legitimate interest as legal basis only in relation to activities that are not covered by the Electronic Communications Act, such as profiling.

Outcomes

In light of the above, the DPI issued a warning against IPF Digital and further ordered the same to:

• include an opt-out option in SMS messages and emails reminding of a pending loan application, through which data subjects can refuse the use of their contact data for direct marketing;
• in the case of notifications reminding of a pending application, ask for the data subject's prior consent to the use of their electronic contact data for direct marketing; and
• stop sending direct marketing offers on the basis of legitimate interest.

Lastly, the DPI highlighted that if the above orders are not complied with, it will impose a penalty of €1,000 on IPF Digital for each unfulfilled order.

You can read the decision, only available in Estonian, here.