A Customer Satisfaction Survey Only With Consent? Are You Sure?

Such a change would be quite a revolution in the e-commerce market.

All of this stems from a recent ruling by the Provincial Administrative Court, in which the court addressed a decision by the President of the Personal Data Protection Office concerning a complaint about processing data for marketing purposes without a valid legal basis.

At dotlaw, we took a closer look at the content of the court's ruling to determine whether data controllers have reason to change their existing practices.

The case reached the Provincial Administrative Court in Warsaw following a complaint filed with the President of the Personal Data Protection Office by a customer of an online service.

When setting up an account on the service, this customer did not check the box consenting to the processing of her personal data in connection with the service owner's marketing activities.

After making her purchases, however, she received an email asking her to review the products she had bought.

The customer regarded this as a marketing message and emailed the service owner to ask when she had ever consented to receiving marketing messages from them.

In response, she was told that her question was treated as an objection to the processing of her personal data for the purpose of "sales-related" communication, and that the legal basis for the processing was the controller's legitimate interest.

This explanation did not convince the customer, however, and she therefore filed a complaint with the President of the Personal Data Protection Office.

In response to the complaint, the President of the Personal Data Protection Office indicated that, by making her purchases, the complainant had entered into a sales agreement with the service owner, had an active purchasing account, and was in the process of making a complaint about a product, so she could reasonably expect her personal data to be processed in the controller's legitimate interest, which can be said to include a request to review a purchased product.

At the same time, the President of the Personal Data Protection Office found that processing personal data in order to send a request for a product review satisfied the lawfulness condition under Article 6(1)(f) of the GDPR (processing based on the controller's legitimate interest), and that there were therefore no grounds to grant the complainant's request.

The President of the Personal Data Protection Office also partly addressed customer satisfaction surveys in the context of the prohibition on sending unsolicited commercial information by electronic means, which arises from Article 10(1) of the Act on Providing Services by Electronic Means.

The authority found that, while the service owner did not have such consent, obtaining it would have been redundant given that the owner had a lawful basis for processing the data, as referred to in Article 6(1)(f) of the GDPR.

The shop's customer therefore appealed the decision of the President of the Personal Data Protection Office to the Provincial Administrative Court.

What does the court's ruling actually say, and do we really need consent to conduct a customer satisfaction survey?

The good news for data controllers is that, contrary to earlier media reports, nowhere in its ruling does the court state that sending customer satisfaction surveys constitutes sending unsolicited commercial information within the meaning of the Act on Providing Services by Electronic Means, nor that consent from the survey recipient is required to send such surveys.

The reason the decision was overturned and remitted for reconsideration was, in fact, procedural errors.

According to the court, in issuing the contested decision the President of the Personal Data Protection Office breached Article 107(3) of the Code of Administrative Procedure (the obligation to provide a legal and factual justification for a decision), because the authority did not adequately demonstrate that all the conditions for basing data processing on legitimate interest had been met in the case at hand.

Under the GDPR, in order to rely on the legitimate interest basis, a three-step balancing test must be carried out, which involves: demonstrating the existence of a legitimate interest; verifying that the processing is necessary to achieve the purpose arising from that interest; and assessing whether a negative condition is met, namely the existence, in the given circumstances, of interests or fundamental rights and freedoms of the data subject that override the legitimate interests of the data controller or a third party.

In the court's view, the authority confined its assessment solely to identifying the controller's legitimate interest (step 1), while failing to verify the necessity of the processing (step 2) and failing to assess whether the negative condition was met (step 3).

In other words, the President of the Personal Data Protection Office should have carried out the balancing test in the specific circumstances of this case, but instead simply assumed from the outset that satisfaction surveys may be sent by the controller on the basis of legitimate interest.

Because this constitutes a breach of the Code of Administrative Procedure, the court held that the case should be reconsidered.

For this reason, the claim that in this ruling the court prohibited carrying out customer satisfaction surveys without prior consent goes, in our view, too far.

The ruling does not, in any way, address whether sending customers satisfaction surveys qualifies as sending unsolicited commercial information.

Nevertheless, every case of processing data based on legitimate interest still requires a balancing test to be carried out.

What is the risk of sending satisfaction surveys to customers who have not consented to receiving commercial information?

Despite the absence of any legal grounds for treating satisfaction surveys as commercial information, controllers should bear in mind that the high media profile of the reports about this ruling may lead to an increase in the number of objections or complaints from customers who have not consented to receiving commercial information.

This, in turn, may require data controllers to handle such requests or proceedings and could become a significant burden on their legal or customer support departments.

Nevertheless, we still believe there is no reason to change the existing market practice, under which processing data for the purpose of customer satisfaction surveys, as an activity directly linked to the sale, falls within the controller's legitimate interest and does not require consent from the survey recipient.

Have a question?

Let's talk. A 20-minute conversation.

No briefs, no forms.

We'll give you a straight answer.

Book a call → See more articles