The Spanish Data Protection Agency imposes a fine on a law firm for spam

By Alexander Benalal, María Gómez Rodriguez


In an unprecedented decision in relation to a law firm, the Spanish Data Protection Agency has ruled in favour of a claimant and imposed a €30,001 fine on Cremades & Calvo Sotelo for sending unsolicited commercial messages via email (spam).

On September 30 and October 18, 2004, the Spanish law firm Cremades & Calvo Sotelo sent commercial messages via email to 2,670 contacts contained in its client and contacts database. The claimant was one of the addressees of these messages (the claimant, as an employee of a private company, had been included on the database in 2003, when he requested a fee estimate from Cremades & Calvo Sotelo and gave them his business card with his contact details). The purpose of the email was to advertise a postgraduate degree.

Although the unsolicited email did not offer the recipients the chance to object to the processing of their personal data for promotional purposes, on October 2, 2004, the claimant, asked Cremades & Calvo Sotelo to delete his details from the firm’s database. His request was not acted upon and the claimant received a second unsolicited email a few days later.

He then filed a claim against the law firm for breach of article 21 of Law 34/2002 on Information Society Services and Electronic Commerce – LSSI – (Law 34/2002 incorporates into Spanish law Directive 2000/31/EC on Electronic Commerce). Article 21 of the LSSI forbids unsolicited commercial messages via email or equivalent means unless the addressee has expressly consented or a previous contractual relationship exists between the parties, in which case a person can be sent information related to “similar products or services” to those contracted in the past. The LSSI expressly states that the provider must offer the addressee of the unsolicited message the chance of objecting to the processing of its data for commercial purposes.

Cremades argued that requesting a proposal of fees and giving his business card implied a previous contractual relationship between the firm and the claimant enabling the firm to inform the claimant of postgraduate degrees. The Data Protection Agency ruled, however, that the exemption set out article 21 of the LSSI did not apply since there was no similarity between the product or the service allegedly contracted by the claimant in the past and the product or service advertised by email (the postgraduate degree).

Other than under the article 21 exemption, in order to send unsolicited messages the LSSI and the Spanish Data Protection Act clearly state that the consent of the claimant should be express (i.e., specific, unambiguous and informed). In this respect, in its decision, the Spanish Data Protection Agency stated that the law firm had not provided any evidence of express consent of the addressees of the unsolicited messages. The Agency also found that Cremades & Calvo Sotelo did not offer the addressees the opportunity to object to the processing of their data for promotional purposes.

The Spanish Data Protection imposed a fine of €30,001 on Cremades & Calvo Sotelo, in accordance with the tariff of penalties set out in the LSSI.

This affecting a law firm should serve as an important reminder that providers of services should exercise great care when exploiting their databases when sending unsolicited messages to ensure that they do so in accordance with the LSSI and Data Protection Act.