Hesse data protection authority fines IT company €10,000 for email marketing
Hessian regulator issues penalty for unauthorized use of publicly available data in targeted campaigns without consent.

The Hesse Data Protection Authority announced it has imposed a €10,000 administrative fine against an IT sector company for violations related to unauthorized email marketing campaigns using publicly available data, according to the authority's latest annual report published in 2024.
The case involved an IT company that conducted a one-time email marketing campaign targeting over 2,700 recipients without obtaining proper consent. According to the data protection authority, the complainant received several marketing emails despite never having been a customer of the company or subscribing to advertising emails or newsletters.
The investigation revealed that the company had sourced publicly available contact information from the internet for its acquisition campaign. For this campaign, the company engaged a data processor who assured compliance with data protection requirements, but the controller failed to conduct its own data protection assessment of the planned campaign.
Summary
Who: The Hesse Data Protection Authority imposed a fine against an unnamed IT sector company
What: €10,000 administrative fine for unauthorized email marketing using publicly available data without consent, affecting over 2,700 recipients
When: The violation occurred during 2024, with the fine detailed in the authority's latest annual report
Where: Hesse, Germany, under the jurisdiction of the Hessian data protection authority
Why: The company violated GDPR by processing personal data for marketing without legal basis, failing to obtain consent and not meeting legitimate interest requirements under German competition law
Applying the European Court of Justice ruling of December 5, 2023 (C-683/21), the authority attributed the processor's actions to the controller, since the processor had acted on the controller's instructions. The Hesse authority determined that this approach violated data protection regulations, as no legal basis existed for the processing.
The email recipients had not provided consent for marketing contact under Article 6(1)(a) and Article 7 of the General Data Protection Regulation (GDPR). The processing also could not be justified under Article 6(1)(f) GDPR, as the requirements for lawful email marketing under Section 7(2)(2) of the German Competition Act (UWG) were not met. The economic interests of the company could not be considered legitimate interests in this context.
When determining the fine amount, the authority applied the European Data Protection Board's guidelines for calculating administrative fines, considering the company's annual turnover and all circumstances of the case. Several mitigating factors influenced the penalty amount.
The authority considered it was the company's first data protection violation. Only a small amount of personal data per individual was affected, and recipients suffered no harm beyond inconvenience and time loss. The breach was committed negligently rather than intentionally, and the company cooperated constructively with the investigation.
The case highlights that publicly available data does not provide a blanket authorization for marketing campaigns, as noted by data protection lawyer Dr. Carlo Piltz in his analysis of the decision. Companies cannot rely solely on processor assurances and must conduct proper due diligence, since ultimately the controller, not the processor, faces regulatory sanctions.
The enforcement action reflects broader trends in GDPR implementation across Europe. European Data Protection Board statistics show authorities have imposed over 6,680 fines totaling approximately €4.2 billion since GDPR implementation in 2018, with an average of only 1.3% of cases resulting in monetary penalties.
This case forms part of the Hesse authority's broader efforts to enforce data protection compliance, particularly regarding artificial intelligence and new technologies. The authority has expanded its activities in AI oversight, participating in newly established working groups on artificial intelligence at both state and federal levels.
The authority's 53rd annual report details various AI-related initiatives in Hessian institutions. Frankfurt am Main uses AI algorithms for traffic management with real-time data analysis. The Hessen State Welfare Association employs an AI-based virtual assistant chatbot for customer inquiries. Courts utilize "FraUKe," an AI judicial assistance system for mass proceedings like passenger rights cases, and an AI anonymization tool for preparing court decisions for publication.
Law enforcement agencies apply AI for forensic analysis of large datasets, particularly in combating child pornography. These implementations demonstrate how public sector organizations are integrating AI technologies while navigating data protection requirements.
The European Data Protection Board issued Statement 28/2024 on legal questions concerning large language models on December 17, 2024. German data protection authorities participated intensively in developing this unified position on AI technologies after stakeholder consultations with industry representatives, organizations, and legal experts.
The Hesse authority emphasizes that despite AI representing new technology, controllers must observe GDPR provisions that have been in effect since 2018. The authority recommends organizations rely on established data protection expertise when evaluating AI technology deployment in data processing procedures.
Key considerations include establishing purposes and legal bases for personal data processing, ensuring transparency, guaranteeing data subject rights, determining data protection responsibility, conducting data protection impact assessments when necessary, implementing data protection by design and privacy-friendly default settings, and maintaining data security.
The Conference of Independent Data Protection Supervisory Authorities and the European Data Protection Board have issued recommendations on AI deployment and data protection, addressing these themes with practical guidance documents.
Beyond GDPR compliance, organizations must also consider the EU AI Regulation alongside data protection requirements. This creates new regulatory demands regarding transparency, explainability, bias prevention, discrimination avoidance, and documentation obligations. Complex jurisdictional and demarcation questions require further clarification.
The wider enforcement landscape shows significant activity beyond individual cases. The European Commission's second GDPR report revealed €4.2 billion in total fines and 72% public awareness since implementation. Ireland has imposed the highest total fines at €2.8 billion, reflecting its role as lead authority for major technology companies.
Recent enforcement actions across Europe demonstrate continued regulatory focus on marketing violations. The Belgian Data Protection Authority imposed a €100,000 fine on a telecommunications company for a 14-month delay in responding to data access requests. Swedish authorities fined Apoteket and Apohem 45 million kronor for transferring sensitive health data to Meta through tracking pixels.
Dutch authorities have been particularly active in cookie and tracking enforcement. The Dutch Data Protection Authority fined Kruidvat €600,000 for unlawful tracking cookies and imposed a €40,000 penalty on Coolblue for cookie consent violations.
For marketing professionals, this enforcement pattern demonstrates heightened scrutiny of data collection practices in advertising campaigns. The Hesse case specifically shows that using publicly available data for marketing requires the same legal basis as any other personal data processing. Companies cannot assume public availability equals permission for commercial use.
The decision emphasizes the importance of conducting independent legal assessments rather than relying on vendor assurances. While processors may claim compliance, the responsibility ultimately rests with controllers who face regulatory consequences for violations.
Organizations should implement robust compliance procedures including legal basis verification before launching campaigns, documentation of consent or legitimate interest assessments, regular auditing of marketing data sources, and clear policies regarding public data usage in marketing contexts.
The relatively modest fine amount reflects factors including first-time violation status, limited data scope, negligent rather than intentional conduct, and cooperative behavior during investigation. However, the penalty serves as a clear signal that regulators will enforce compliance regardless of data source characteristics.
As AI technologies become more prevalent in marketing applications, the intersection of AI regulation and data protection compliance will require careful navigation. The Hesse authority's expanding focus on AI oversight suggests increased attention to automated decision-making in marketing contexts.
Timeline
- May 6, 2024: Conference of Independent Data Protection Supervisory Authorities publishes AI and Data Protection Guidance Version 1.0
- July 25, 2024: European Commission publishes second GDPR report showing €4.2 billion in total fines
- August 26, 2024: Belgian DPA fines telecom company €100,000 for delayed data access response
- September 8, 2024: Swedish DPA fines pharmacy chains 45 million SEK for Meta data transfers
- December 17, 2024: European Data Protection Board adopts Statement 28/2024 on large language models
- December 26, 2024: Dutch DPA fines Coolblue €40,000 for cookie consent violations
- 2024: Hesse Data Protection Authority imposes €10,000 fine on IT company for email marketing violations