Processing of personal data in the context of online competitions Summary The Danish Data Protection Agency’s SmartResponse obtained consent from data subjects decision who participated in its online competitions to process The Danish DPA concluded that SmartResponse’s personal data for marketing purposes. Consent for this processing of personal data based on data subjects’ was obtained on behalf of SmartResponse and its 45 consent was carried out in accordance with GDPR, business partners. Article 6 (lawful basis). Contestants were asked to provide information and However, the Danish DPA expressed serious criticism were informed of the consent request on the same that SmartResponse’s processing of personal data page. They were made aware that their personal using the company’s internal ”no thanks” list had not data would be shared with 45 partners, and a link was been carried out within the framework of GDPR, Article 6. provided for information about these partners. The Danish DPA imposed an injunction on Participants were given the option to complete SmartResponse to delete the personal data included in additional questionnaires for more targeted marketing the company’s ”no thanks” list, as the data can only be information but it was not a requirement to participate temporarily stored to clarify whether a specific dispute in the competition. exists or arises. SmartResponse included a link to withdraw consent The Danish DPA expressed serious criticism that on each competition page which could be accessed SmartResponse’s storage of personal data for the regardless of whether they entered the contest (again) purpose of documenting consent was in breach of or not. Additionally, contestants received a confirmation GDPR, Article 5(1)(e) (storage limitation). email with information and a link to withdraw consent. Finally, the Danish DPA criticized that SmartResponse If contestants withdrew their consent, SmartResponse did not sufficiently comply with the obligation to inform recorded the contestants’ phone numbers and email under GDPR, Article 13, cf. Article 12. addresses on an internal ”no thanks” list. The data was stored for five years based on the limitation period in Section 41(7) of the Danish Data Protection Act. Published: 30-09-2022, Journal number: 2020-431-0075 Tags: 01 Legal basis for processing and principles for processing 102