European Data Protection Authorities Crack Down: Dutch Pharmacy Chain and Telecom Giant Face GDPR Sanctions

Data protection authorities across Europe continue to enforce GDPR regulations, with recent actions targeting both a major Dutch retailer and a telecommunications company in Spain.

The Dutch Data Protection Authority (AP) has imposed a fine of €600,000 on AS Watson (Health & Beauty Continental Europe) B.V., the company behind the popular drugstore chain Kruidvat. The penalty comes after the company was found to have used tracking cookies on its website, Kruidvat.nl, without obtaining proper consent from visitors or informing them about the practice.

The AP's investigation revealed that the company had been collecting sensitive personal data from millions of website visitors, violating privacy regulations. The collected information included visitors' location data, browsed pages, products added to shopping carts, purchases, and clicked recommendations. Given the nature of drugstore products, such as pregnancy tests, contraceptives, and medications, this data was deemed particularly sensitive.

Aleid Wolfsen, Chairman of the AP, stated, "Organizations cannot monitor your internet behavior without consent and without informing their customers. What you do on the internet is very personal. An organization may only track this if you explicitly agree to it, and you must have the option to refuse this tracking software without any negative consequences."

The investigation found that Kruidvat.nl's cookie banner had pre-ticked boxes for consent, which is not allowed under privacy laws. Visitors who wished to refuse cookies had to go through multiple steps, making the process unnecessarily complicated. The AP concluded that personal data of Kruidvat.nl visitors had been processed unlawfully.

The AP initiated its investigation into several websites, including Kruidvat.nl, in late 2019. After finding non-compliance, the authority sent a letter to the company. A follow-up check in April 2020 showed that Kruidvat.nl was still not compliant, prompting further investigation. The violation was eventually ended in October 2020.

In response to growing public concern over cookies and cookie notifications, the AP plans to increase its checks on websites' compliance with tracking cookie regulations in 2024. The authority emphasizes the importance of clear cookie banners that allow users to make informed choices about their personal data.

Spanish Data Protection Agency Initiates Sanction Procedure Against Vodafone

In a similar action, the Spanish Data Protection Agency (AEPD) has initiated a sanction procedure against Vodafone España, S.A.U. for failing to provide requested information during an investigation. The case originated from a complaint about unsolicited commercial calls allegedly made on behalf of Vodafone.

The AEPD repeatedly requested confirmation from Vodafone regarding specific calls made to a complainant's phone numbers. Despite multiple requests, Vodafone reportedly failed to provide the requested information, instead stating that the calling number belonged to another operator since May 2021.

This lack of cooperation led the AEPD to initiate a sanction procedure against Vodafone for a potential violation of Article 58.1 of the GDPR, which outlines the investigative powers of supervisory authorities. The AEPD's action emphasizes that companies must not only comply with direct GDPR rules but also fully cooperate with regulatory investigations.

Vodafone España, part of Vodafone Group PLC with an annual turnover of 45.706 billion euros, now faces potential fines under Article 83.5 of the GDPR. The company has submitted initial arguments, claiming it has cooperated fully and never intended to hinder the investigation.

These cases underscore the ongoing challenges in balancing digital marketing practices and telecommunications operations with privacy rights in the evolving landscape of data protection. They also highlight the increasing scrutiny and enforcement actions by data protection authorities across the European Union, sending a clear message to businesses about the importance of GDPR compliance and cooperation with regulatory bodies.
