INTERNET LAW - The Spanish Data Protection Agency imposes a fine on a law firm for spam

Alexander Benalal (alexander.benalal@twobirds.com) and María Gómez Rodriguez (maria.gomez.rodriguez@twobirds.com), Bird & Bird Madrid
mail icon Email discuss icon Discuss printer icon Print

In an unprecedented decision in relation to a law firm, the Spanish Data Protection Agency has ruled in favor of a claimant and imposed a €30,001 fine on Cremades & Calvo Sotelo for sending unsolicited commercial messages via email (spam).

Join the Internet Law Forum (ILF) to... discuss, share information and knowledge, questions and doubts... regarding the legal aspects of the Internet. The ILF is ALL about the INTERNET... business, laws and regulations, social media... Sign up to enjoy the benefits of the Free Global membership in the IBLS international community!

In an unprecedented decision in relation to a law firm, the Spanish Data Protection Agency has ruled in favor of a claimant and imposed a €30,001 fine on Cremades & Calvo Sotelo for sending unsolicited commercial messages via email (spam). 

On September 30 and October 18, 2004, the Spanish law firm Cremades & Calvo Sotelo sent commercial messages via email to 2,670 contacts contained in its client and contacts database. The claimant was one of the addressees of these messages (the claimant, as an employee of a private company, had been included on the database in 2003, when he requested a fee estimate from Cremades & Calvo Sotelo and gave them his business card with his contact details). The purpose of the email was to advertise a postgraduate degree. 

 Although the unsolicited email did not offer the recipients the chance to object to the processing of their personal data for promotional purposes, on October 2, 2004, the claimant, asked Cremades & Calvo Sotelo to delete his details from the firm's database. His request was not acted upon and the claimant received a second unsolicited email a few days later.

 He then filed a claim against the law firm for breach of article 21 of Law 34/2002 on Information Society Services and Electronic Commerce - LSSI - (Law 34/2002 incorporates into Spanish law Directive 2000/31/EC on Electronic Commerce). Article 21 of the LSSI forbids unsolicited commercial messages via email or equivalent means unless the addressee has expressly consented or a previous contractual relationship exists between the parties, in which case a person can be sent information related to "similar products or services" to those contracted in the past. The LSSI expressly states that the provider must offer the addressee of the unsolicited message the chance of objecting to the processing of its data for commercial purposes.

Cremades argued that requesting a proposal of fees and giving his business card implied a previous contractual relationship between the firm and the claimant enabling the firm to inform the claimant of postgraduate degrees. The Data Protection Agency ruled, however, that the exemption set out article 21 of the LSSI did not apply since there was no similarity between the product or the service allegedly contracted by the claimant in the past and the product or service advertised by email (the postgraduate degree).

Other than under the article 21 exemption, in order to send unsolicited messages the LSSI and the Spanish Data Protection Act clearly state that the consent of the claimant should be express (i.e., specific, unambiguous and informed). In this respect, in its decision, the Spanish Data Protection Agency stated that the law firm had not provided any evidence of express consent of the addressees of the unsolicited messages. The Agency also found that Cremades & Calvo Sotelo did not offer the addressees the opportunity to object to the processing of their data for promotional purposes.

The Spanish Data Protection imposed a fine of €30,001 on Cremades & Calvo Sotelo, in accordance with the tariff of penalties set out in the LSSI.

This decision affecting a law firm should serve as an important reminder that providers of services should exercise great care when exploiting their databases and sending unsolicited messages to ensure that they do so in accordance with the LSSI and Data Protection Act.

Alexander Benalal (alexander.benalal@twobirds.com) and María Gómez Rodriguez (maria.gomez.rodriguez@twobirds.com), Bird & Bird Madrid

[Reference 1]

Read more...

email icon Email discuss icon Discuss printer icon Print