Komplett Bank ASA – Complaint Upheld (Norway, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Komplett Bank ASA was found to have sent marketing emails to a customer who had previously opted out of such communications. This is important because it highlights the need for companies to respect user preferences regarding marketing. Businesses must ensure they are following the rules about consent and communication.
What happened
Komplett Bank ASA sent direct marketing emails to a customer despite that customer having objected to such processing.
Who was affected
A customer who received marketing emails from Komplett Bank ASA after opting out of direct marketing communications.
What the authority found
The authority determined that Komplett Bank ASA violated GDPR by processing personal data for direct marketing without a lawful basis.
Why this matters
This ruling underscores the importance of respecting customer preferences and consent in marketing practices. Companies should review their processes to ensure compliance with data protection laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
A data subject received direct marketing in e-mail from the controller Komplett Bank ASA despite of having previously objected to such processing pursuant to Article 21(3) GDPR. The controller's privacy statement and on-line customer portal suggested the lawful basis used for the direct marketing was «Consent» pursuant to Article 6(1)(a) GDPR. The data subject had at no point given consent for processing of his personal information for direct marketing purposes. Communication between the data subject and the controller's data privacy officer eventually revealed that the controller was using another lawful basis for this processing, specifically «Necessary for the performance of a contract» pursuant to Article 6(1)(b) GDPR. The contract in question regarded a credit card service bundled with a non-optional customer benefit / loyalty program. While the customer benefit program part of the contract did contain a clause stating the controller would send direct marketing to its customers, the data subject considered that such marketing activity could not be considered objectively necessary for the performance of the contract. The responses from the controller's data privacy officer to the data subject's requests for information did on multiple occasions exceed the maximum time limit of 30 days pursuant to Article 12(3) GDPR. The DPA held that Komplett Bank ASA had: * violated Article 6(1) GDPR by processing personal data for direct marketing purposes without a lawful basis. The DPA held that main subject-matter of the contract was the issuance of a credit card, not direct marketing, and that the controller's use of Article 6(1)(b) GDPR «Necessary for the performance of a contract» was unlawful. * violated Articles 12(1) and 13(1) GDPR by providing misleading information about the lawful basis used for processing of personal data for direct marketing purposes. * violated Article 12(3) GDPR by exceeding the time limit for responding to the data subjects requests for info
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (1)
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Komplett Bank ASA in NO
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Komplett Bank ASA - Norway (2021). Retrieved from cookiefines.eu
Last updated: