Komplett Bank ASA – Complaint Upheld (Norway, 2021)
Norway's data protection authority found that Komplett Bank ASA sent marketing emails without a proper legal basis. The bank claimed the processing was necessary for the performance of a contract, but the authority disagreed. The bank also took too long to respond to information requests.
What happened
Komplett Bank ASA sent direct marketing emails without a valid legal basis and delayed responses to information requests.
Who was affected
Customers who received unwanted marketing emails from Komplett Bank ASA.
What the authority found
The Norwegian DPA ruled that the bank unlawfully processed personal data for marketing and provided misleading information about its legal basis.
Why this matters
This case underscores the importance of having a clear legal basis for processing personal data and responding promptly to customer inquiries. Businesses should ensure transparency in their privacy policies and respect customer objections to marketing.
GDPR Articles Cited
A data subject received direct marketing by e-mail from the controller, Komplett Bank ASA, despite having previously objected to such processing pursuant to Article 21(3) GDPR. The controller's privacy statement and on-line customer portal suggested that the lawful basis used for the direct marketing was «Consent» pursuant to Article 6(1)(a) GDPR. The data subject had at no point given consent to the processing of his personal information for direct marketing purposes.
Communication between the data subject and the controller's data privacy officer eventually revealed that the controller was using another lawful basis for this processing, specifically «Necessary for the performance of a contract» pursuant to Article 6(1)(b) GDPR. The contract in question concerned a credit card service bundled with a non-optional customer benefit / loyalty program. While the customer benefit program part of the contract did contain a clause stating that the controller would send direct marketing to its customers, the data subject considered that such marketing activity could not be regarded as objectively necessary for the performance of the contract.
The responses from the controller's data privacy officer to the data subject's requests for information exceeded, on multiple occasions, the maximum time limit of 30 days pursuant to Article 12(3) GDPR.
The DPA held that Komplett Bank ASA had:
* violated Article 6(1) GDPR by processing personal data for direct marketing purposes without a lawful basis. The DPA held that the main subject matter of the contract was the issuance of a credit card, not direct marketing, and that the controller's use of Article 6(1)(b) GDPR «Necessary for the performance of a contract» was unlawful.
* violated Articles 12(1) and 13(1) GDPR by providing misleading information about the lawful basis used for processing of personal data for direct marketing purposes.
* violated Article 12(3) GDPR by exceeding the time limit for responding to the data subject's requests for info
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Violations (1)
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Komplett Bank ASA in NO
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Website operator
2023 · Agencia Española de Protección de Datos
Pagamastarde S.L.
2021 · Agencia Española de Protección de Datos
Marbella Resorts S.L.
2021 · Agencia Española de Protección de Datos
BANKIA, S.A.
2021 · Agencia Española de Protección de Datos
GOOGLE LLC
2025 · Commission Nationale de l'Informatique et des Libertés
Cite as: Cookie Fines. Komplett Bank ASA - Norway (2021). Retrieved from cookiefines.eu