https://gdprhub.eu/api.php?action=feedcontributions&user=AK&feedformat=atom
GDPRhub - User contributions [en]
2024-03-28T19:56:22Z
https://gdprhub.eu/index.php?title=Article_20_GDPR&diff=33063
Article 20 GDPR
2023-06-01T07:05:57Z
<p>AK: /* Relevance of other EU legislation */</p>
<hr />
<div>
<br />
==Legal Text==<br />
<br /><center>'''Article 20 - Right to data portability'''</center><br />
<br />
<span id="1">1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:</span><br />
<br />
::<span id="1a">(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and</span><br />
<br />
::<span id="1b">(b) the processing is carried out by automated means.</span><br />
<br />
<span id="2">2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.</span><br />
<br />
<span id="3">3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.</span><br />
<br />
<span id="4">4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/68 GDPR}}{{Recital/73 GDPR}}{{Recital/156 GDPR}}<br />
<br />
==Commentary==<br />
<br />
The right to data portability empowers data subjects to receive a copy of their data in a structured, commonly used, and machine-readable format. They can then decide what they want to do with this data, and either store it on their computer, send it or have it sent to a third party. The recipients of this data are not limited to providers that offer similar or comparable services, as the right to portability can be exercised with any controller data subjects choose within the conditions specified below.<ref>The purpose of the right to data portability is to give data subjects more control over their personal data by granting them a certain type of "ownership". Regulators’ objective was to increase competition on the market by allowing for the free movement of data between providers. Data portability is especially relevant in cases when one controller offers a higher level of protection of personal data than another within the same industry sector or across sectors.</ref> <br />
===(1) Right to data portability===<br />
<br />
Data subjects have the right to request and obtain a copy of any personal data they have provided to the controller and which are being processed on the basis of consent or a contract. This information must be structured in an accessible and intelligible manner, so that both the data subjects themselves and any controllers who may receive it in the future can understand and make use of it. <blockquote><u>EDPB</u>: Take, for instance, a scenario where a data subject desires to obtain his/her present playlist or a log of listened tracks from a music streaming service. This could be for the purpose of ascertaining the number of times specific tracks were played, or for identifying which music to buy or listen to on an alternate platform. Correspondingly, the data subject may seek to retrieve his/her contact list from a webmail application, perhaps to compile a wedding list, track purchases made with various loyalty cards, or evaluate his/her carbon footprint.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
==== Right to receive ====<br />
The request for data portability does not differ much from the request for access, at least in terms of the steps needed to carry it out.<ref>However, it is always important to keep these two rights distinct. The right of access enables individuals to obtain information about the processing and a copy of the personal data held by the controller, in order to ensure transparency and allow for further actions by the data subject. On the other hand, data portability has a distinct economic feature. It allows for a copy of the data - which is also different and more limited than that under Article 15 - to be obtained, and the possibility to send such a dataset to another controller for similar or different purposes (i.e., essentially a competitor). In any case, a request must be made, even electronically.</ref> The controller must facilitate the request, including the authentication phase (Article 12(2) GDPR). Obstructive practices in this area not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating anti-competitive phenomena or "lock-in" effects.<br />
<br />
As for the rest, the general rules set out in Article 12 apply. Article 12(3) requires that the data controller provide “''information on action taken''” to the data subject “''without undue delay''” and in any event “''within one month of receipt of the request''”. As usual, the one-month period can be extended to a maximum of three months for complex cases, provided that the data subject has been informed of the reasons for the delay within one month of the original request.<blockquote><u>EDPB</u>: To meet user expectations, it is a good practice to define the timeframe in which a data portability request can typically be answered and communicate this to data subjects. Data controllers who refuse to answer a portability request shall, pursuant to Article 12(4), inform the data subject of “''the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy''”, no later than one month after receiving the request.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 14-15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
===== Modalities to provide the data =====<br />
Data controllers should consider two distinct but complementary options for providing portable data to data subjects or other controllers. The first option is a direct transmission of the complete dataset or specific parts of it. The second option is an automated tool that allows for the extraction of relevant data. For complex and large datasets, the second option may be preferred as it minimizes risks and allows for the use of data synchronization mechanisms. Making portable data available through various secure means such as messaging, SFTP servers, or secured WebAPI/WebPortal would enable data subjects to use personal data stores or other trusted third parties to hold and manage their personal data. This would also reduce privacy risks for the initial data controller and promote compliance for the new data controller.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 16 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Personal data concerning him or her ====<br />
A data portability request only applies to personal data concerning the data subject. Pseudonymous data is within the scope if the corresponding identifier is provided by the subject (as per Article 11(2) GDPR). Any data that is anonymous or not related to the data subject is not included. <blockquote><u>EDPB</u>: For instance, call records in a subscriber's account history may include details of third parties, but subscribers should still be able to obtain such records in response to portability requests since they are also concerning the data subject. Nevertheless, new data controllers who receive such records should not process them in any way that would adversely affect the rights and freedoms of the third parties involved.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 9 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
==== Provided to a controller ====<br />
Article 20 specifies that only personal data "''provided''" by the data subject is covered by the right. This includes data that the user knowingly and actively provides, such as their name and mailing address,<ref>The data "''provided''" is the data that was actively given to the controller (e.g. photos uploaded to the service) or which was "''observed''" by a controller (e.g. activity logs, food preferences). This definition also includes data that has been transferred to the controller in the context of the exercise of the right to data portability. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> as well as, according to the EDPB, data that is "''observed''" from the user's activity, such as their search history or location data. <blockquote><u>EDPB</u>: Inferred data and derived data are created by the data controller on the basis of the data “''provided by the data subject''”. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules) cannot in themselves be considered as “''provided by''” the data subject. Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as “''provided by the data subject''” and thus will not be within scope of this new right.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote>It should be noted, however, that there is a doctrinal debate as to whether "observed data" falls within the scope of application of portability. One argument in favor of a restrictive approach aims to limit the provision of data to the types necessary for offering a comparable service. Inferred or derived data, by contrast, which is created by the data controller on the basis of the data provided by the data subject, is not covered by the right to data portability.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 20 GDPR, margin number 13 (C.H. Beck 2018, 2nd Edition).</ref> This is one of the most notable differences between portability and access under Article 15(3) GDPR.<br />
<br />
==== In a structured, commonly used and machine-readable format ====<br />
According to Recital 68, the data should be available in an "''interoperable format''", which data controllers "''should be encouraged to develop''". In turn, "''interoperable''" refers to the ability of disparate and diverse organisations to "''interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems''."<ref>The WP29 defines interoperability as the "''capability to communicate, execute programs, or transfer data among various functional units in a manner that requires the user to have little or no knowledge of the unique characteristics of those units''". EDPB, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 17 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> <br />
<br />
According to Article 20(1) GDPR the data should be provided to the data subject in a "''structured, commonly used and machine-readable format''". Beyond this requirement, the GDPR does not call for a specific format to be used. The terms “''structured''”, “''commonly used''” and “''machine-readable''” are a set of minimal requirements that should facilitate the "''interoperability''" of the data format provided by the data controller.<ref>In that way, “''structured, commonly used and machine readable''” are specifications for the means, whereas interoperability is the desired outcome.</ref> Formats subject to costly licensing constraints are not considered "''commonly used''". The personal data provided should have a high level of abstraction from any internal or proprietary format, and metadata should be used to describe the exchanged information accurately.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref> <br />
<br />
Industry stakeholders and trade associations are encouraged to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. The Commission has published a Communication on "''ICT Standardisation Priorities for the Digital Single Market''", which may be used as a basis on which to develop standards for the purposes of data portability.<ref>EU Commission Communication on ICT Standardisation Priorities for the Digital Single Market (Available [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0176 here]).</ref> <br />
<br />
==== and the right to transmit (the data to another controller) ====<br />
The right to data portability, as outlined in Article 20(1), enables data subjects to transmit their personal data from one data controller to another "without hindrance". This goes beyond the ability to simply obtain and reuse personal data and allows individuals to transfer their data to another service provider, regardless of whether it is within the same sector or not. By preventing "lock-in" situations, data portability empowers consumers and is expected to foster innovation and secure sharing of personal data between controllers under the control of the data subject. Additionally, it can enhance customer experiences by facilitating the controlled and limited sharing of personal data between organizations. This feature of data portability has the potential to facilitate the transfer and reuse of personal data among various services of interest to the user.<br />
<br />
==== Without hindrance (from the first controller) ====<br />
Article 20(1) GDPR guarantees that individuals have the right to transfer their data to another controller without facing any obstruction from the controller to which the personal data were originally provided. Such impediments can be identified as any legal, technical, or financial barriers that the data controller sets up to prevent or hinder the data subject's or another data controller's access to, transmission of, or reuse of the data. <br />
<br />
Examples of such impediments include charges for data delivery, a lack of interoperability or access to a data format or API, excessive delays or complexity in retrieving the complete dataset, the intentional concealment of the dataset, or sector-specific standards or accreditation demands that are undue or excessive. The WP29 recommends that data controllers offer several options to the data subject. They suggest, for instance, that data subjects should be offered an opportunity to directly download the data as well as to transmit it directly to another data controller, and that this could be implemented by making an Application Programme Interface ('API') available.<ref>Cormack expresses doubts regarding the viability of this solution, noting that many organisations will hold their data on internal databases that are securely firewalled from internet access as opposed to APIs. Without standards leading to interoperability, the right to data portability may "''remain more a declaration of principle than a real and effective tool for individual self-determination in the digital environment''". See, ''Lynskey'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 20 GDPR, p. 505 (Oxford University Press 2020).</ref><br />
<br />
Simultaneously, the data controller must implement measures to ensure that they are truly representing the interests of the data subject. One way to achieve this is by instituting protocols to verify that only the specific personal data that the data subject wants to transmit is actually being transmitted. This verification process could involve obtaining confirmation from the data subject either prior to transmission, or at an earlier stage such as when they provide initial consent for processing or finalize the contract.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Where these conditions cumulatively apply ====<br />
The right to data portability only applies if (i) the individual has either consented to the processing or the data is processed for the performance of a contract between the data subject and the controller and, in both cases, (ii) the data is processed by automated means.<ref>For example, data which is only available on paper and manually processed falls outside the scope of data portability.</ref><br />
<br />
===== (i) Processing is based on either consent or contract =====<br />
The right to data portability, as per Article 20(1)(a), is only applicable when the processing of personal data by the controller is based on the data subject's consent in accordance with Article 6(1)(a), consent to the processing of special categories of personal data in accordance with Article 9(2)(a), or a contract in accordance with Article 6(1)(b) to which the data subject is a party. Recital 68 specifically highlights that the right to data portability should not be applicable if the processing is carried out on a legal basis other than the data subject's consent or a contract. Consequently, data obtained by the controller by processing personal data to protect its legitimate interests in accordance with Article 6(1)(f) is not covered by the right under Article 20 GDPR.<ref>However, according to the WP29, it is a good practice to address portability requests also in such cases that do not explicitly provide for a general right to data portability, i.e. when processing is based on the legitimate interests or for the performance of a task carried out in the public interest. See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p. 8 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref><br />
<br />
===== (ii) Processing is carried out by automated means =====<br />
The right to data portability under Article 20(1)(b) only applies to processing that is conducted by automated means. This condition is generally met for internet service providers, but not for non-automated processing of personal data, such as data stored on structured index cards or in unstructured paper files. This limitation spares the controller the burden of converting non-machine-readable records into machine-readable data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 13 (Beck 2020, 3rd edition).</ref><br />
<br />
===(2) Right to have personal data directly transmitted to another controller===<br />
Article 20(2) introduces the right for data subjects to request that their personal data be transmitted directly from the first controller<ref>Controllers that address portability requests ("''sending controllers''") act on behalf of a data subject and are responsible for providing prior information about the right’s existence (e.g. in the privacy notice) and clearly explaining the difference between the right of access and the right to data portability; processing the request without undue delay, within 1 month (up to 3 months); carrying out authentication; setting safeguards to ensure they genuinely act on the data subject’s behalf (e.g. ensure that they transmit the exact type of personal data that the data subject wants to receive); in light of the principles set forth in [https://gdprhub.eu/Article%205%20GDPR Article 5(1) GDPR], ensuring that the data transmitted is accurate and up to date; and, taking all necessary security measures for transmissions. The sending controllers are, however, not responsible for the processing handled by the data subject or by another company receiving personal data. 
In this respect, "''the data controller is not responsible for compliance of the receiving data controller with data protection law, considering that it is not the sending data controller that chooses the recipient".'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> to a second one.<ref>Data controllers that receive portability requests ("''receiving controllers''") have an obligation to "''clearly and directly''" state the purpose of the new processing before they accept the request in accordance with the transparency requirements set out in [https://gdprhub.eu/Article%2014%20GDPR Article 14 GDPR]; process the request without undue delay, within 1 month (up to 3 months); ensure that the data they accept is relevant and not excessive for the intended data processing; delete the personal data which are not necessary to achieve the purpose of the new processing as soon as possible. The receiving controllers can decide whether to accept and process data from a portability request.</ref> This request, in line with the principle of facilitation, spares the data subject the burden of receiving the data and then sending it on to the intended controller. The request can typically be fulfilled through automated transmission, such as an application programming interface (API) that allows for data transfer to other systems implementing the same API. It suffices, for instance, if the data subject is given the opportunity to initiate the transfer by selecting a field labeled "''Transfer of data to another provider''", choosing a provider, selecting the data to be transferred, and clicking on a corresponding field to initiate the automated transfer.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 25 (Beck 2020, 3rd edition).</ref> <br />
==== Where technically feasible ====<br />
If the provider has not established an automated data transmission, it may still be required to comply with Article 20(2) to the extent that it is "''technically feasible''".<ref>It should be noted that the "''where technically feasible''" safeguard clause only applies to the direct transmission from one controller to another under paragraph 2. Therefore, it does not apply to the scenario outlined in paragraph 1 where the data subject directly requests to receive the data. Such requests shall always be fulfilled, regardless of technical reasons.</ref> Recital 68 states that the controller is not required to adopt or maintain technically compatible data processing systems. Therefore, the technical feasibility of direct data transfer is primarily dependent on the existing technical capabilities of the controller. However, according to Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights, including the right to data portability. As such, the data subject may request reasonable cooperation from the controller, such as adapting data transmission formats, to carry out the intended portability.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 27 (Beck 2020, 3rd edition).</ref> <blockquote><u>EDPB</u>: Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Direct transmission from one data controller to another could therefore occur when communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data. If technical impediments prohibit direct transmission, the data controller shall explain those impediments to the data subjects, as his decision will otherwise be similar in its effect to a refusal to take action on a data subject’s request (Article 12(4)).<ref>WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
===(3) Other conditions===<br />
The first sentence of Article 20(3) GDPR clarifies that the exercise of the right to data portability does not preclude the exercise of any other rights under the GDPR. Thus, if data subjects want to delete their data from the controller's system (right to erasure under [[Article 17 GDPR]]), the controller cannot justify its denial to erase such data because of the data portability request.<br />
<br />
The second sentence excludes the right to data portability where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This exception corresponds to the legal basis of Article 6(1)(e) GDPR. In such cases, a public administration operating under public law is not required to provide data portability.<br />
===(4) Rights of third parties===<br />
In accordance with Paragraph 4, the right to data portability must not infringe upon the rights and freedoms of others, including both individuals and legal entities. When data is transferred with reference to a third party, such as transaction data from a current account agreement or data from the use of a webmail service, the rights and freedoms of others are generally not affected if the new provider uses the data solely under the control of the data subject and for the same purposes as before.<ref>The portability request should not include any third party data if there is a likelihood that the new processing will adversely affect the rights and freedoms of the other data subjects. ''"Such an adverse effect would occur, for instance, if the transmission of data from one data controller to another, would prevent third parties from exercising their rights as data subjects under the GDPR."'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 11 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> However, data transmission may be restricted by trade secrets, business secrets, or copyrights, such as those pertaining to software, if there is a specific risk of harm resulting from the transmission. Controllers cannot refuse to transfer data based solely on the possibility of such legally protected interests being infringed; instead, they must seek ways to transfer the data in a manner that avoids the disclosure of legally protected secrets.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 20 GDPR, margin number 18 (C.H. Beck 2019).</ref><br />
<br />
==Relevance of other EU legislation==<br />
It is important to refer to the interplay of the right to data portability with the proposed or adopted legislation under the umbrella of the EU digital strategy<ref>European Commission, 'A Europe fit for the digital age' (available [https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_en here])</ref>. <br />
<br />
The Digital Markets Act (DMA)<ref>Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925 here]).</ref> imposes a new obligation on "gatekeepers" that enhances the right to data portability. According to Article 6(9) DMA, gatekeepers shall provide an end user, and third parties authorised by an end user, with effective portability of data provided by the end user or generated through the end user's activity in the context of the use of the gatekeeper’s core platform services (CPSs), including by the provision of continuous and real-time access to such data. Recital 59 DMA clarifies that this obligation on the gatekeeper complements the right to data portability under the GDPR.<br />
<br />
Further, the proposed EU Data Act<ref>Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN here]).</ref>, which is intended to give users of connected devices access to the data those devices generate, reinforces the right to data portability by creating an obligation on "data holders" to make such data available (Article 5). This obligation would empower a user (e.g. a data subject) to request the porting of personal and non-personal data from their Internet of Things (IoT) devices to a third party "''without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time''". The scope of the data to be transmitted is not limited by the legal basis under which the data is processed by the "data holder" (e.g. the controller) and therefore has the potential to unlock the portability of more data. Note: at the time of writing of this Commentary, the EU Data Act proposal was still under trilogue negotiations between the EU institutions (EU Commission, EU Parliament and the Council of Ministers). <br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 20 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
AK
https://gdprhub.eu/index.php?title=Article_20_GDPR&diff=32997
Article 20 GDPR
2023-05-30T11:40:27Z
<p>AK: /* Relevance of other EU legislation */</p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br /><center>'''Article 20 - Right to data portability'''</center><br />
<br />
<span id="1">1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:</span><br />
<br />
::<span id="1a">(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and</span><br />
<br />
::<span id="1b">(b) the processing is carried out by automated means.</span><br />
<br />
<span id="2">2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.</span><br />
<br />
<span id="3">3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.</span><br />
<br />
<span id="4">4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/68 GDPR}}{{Recital/73 GDPR}}{{Recital/156 GDPR}}<br />
<br />
==Commentary==<br />
<br />
The right to data portability empowers data subjects to receive a copy of their data in a structured, commonly used, and machine-readable format. They can then decide what they want to do with this data, and either store it on their computer, send it or have it sent to a third party. The recipients of this data are not limited to providers that offer similar or comparable services, as the right to portability can be exercised with any controller data subjects choose within the conditions specified below.<ref>The purpose of the right to data portability is to give data subjects more control over their personal data by granting them a certain type of "ownership". Regulators’ objective was to increase competition on the market by allowing for the free movement of data between providers. Data portability is especially relevant in cases when one controller offers a higher level of protection of personal data than another within the same industry sector or across sectors.</ref> <br />
===(1) Right to data portability===<br />
<br />
Data subjects have the right to request and obtain a copy of any personal data they have provided to the controller and which is being processed based on consent or contract. This information must be structured in an accessible and intelligible manner, so that both the data subjects themselves and any controllers who may receive it in the future can understand and make use of it. <blockquote><u>EDPB</u>: Take, for instance, a scenario where a data subject desires to obtain his/her present playlist or a log of listened tracks from a music streaming service. This could be for the purpose of ascertaining the number of times specific tracks were played, or for identifying which music to buy or listen to on an alternate platform. Correspondingly, the data subject may seek to retrieve his/her contact list from a webmail application, perhaps to compile a wedding list, track purchases made with various loyalty cards, or evaluate his/her carbon footprint.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
==== Right to receive ====<br />
The request for data portability does not differ much from the request for access, at least in terms of the necessary steps to carry it out.<ref>However, it is always important to keep these two rights distinct. The right of access enables individuals to obtain information about the processing and a copy of the personal data held by the controller, in order to ensure transparency and allow for further actions by the data subject. On the other hand, data portability has a distinct economic feature. It allows for a copy of the data - which is also different and more limited than that under Article 15 - to be obtained, and the possibility to send such a dataset to another controller for similar or different purposes (i.e., essentially a competitor). In any case, a request must be made, even electronically. The controller must facilitate the request, including the authentication of the data subject (Article 12(2) GDPR). Obstructive practices in this area not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating real anti-competitive phenomena or "lock-in" effects.</ref> The controller must facilitate the request, including the authentication phase (Article 12(2) GDPR). Obstructive practices in this area will not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating anti-competitive phenomena or "lock-in" effects.<br />
<br />
As for the rest, the general rules set out in Article 12 apply. Article 12(3) requires that the data controller provides “''information on action taken''” to the data subject “''without undue delay''” and in any event “''within one month of receipt of the request''”. As usual, the one-month period can be extended to a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.<blockquote><u>EDPB</u>: To meet user expectations, it is a good practice to define the timeframe in which a data portability request can typically be answered and communicate this to data subjects. Data controllers who refuse to answer a portability request shall, pursuant to Article 12(4), inform the data subject of “''the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy''”, no later than one month after receiving the request.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 14-15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
===== Modalities to provide the data =====<br />
Data controllers should consider two distinct but complementary options for providing portable data to data subjects or other controllers. The first option is a direct transmission of the complete dataset or specific parts of it. The second option is an automated tool that allows for the extraction of relevant data. For complex and large datasets, the second option may be preferred as it minimizes risks and allows for the use of data synchronization mechanisms. Making portable data available through various secure means such as messaging, SFTP servers, or secured WebAPI/WebPortal would enable data subjects to use personal data stores or other trusted third parties to hold and manage their personal data. This would also reduce privacy risks for the initial data controller and promote compliance for the new data controller.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 16 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Personal data concerning him or her ====<br />
A data portability request only applies to personal data concerning the data subject. Pseudonymous data is within the scope if the corresponding identifier is provided by the subject (as per Article 11(2) GDPR). Any data that is anonymous or not related to the data subject is not included. <blockquote><u>EDPB</u>: For instance, call records in a subscriber's account history may include details of third parties, but subscribers should still be able to obtain such records in response to portability requests since they are also concerning the data subject. Nevertheless, new data controllers who receive such records should not process them in any way that would adversely affect the rights and freedoms of the third parties involved.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 9 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
==== Provided to a controller ====<br />
Article 20 specifies that only personal data "''provided''" by the data subject is covered by the right. This includes data that the user knowingly and actively provides, such as their name and mailing address,<ref>The data "''provided''" is the data that was actively given to the controller (e.g. photos uploaded to the service) or which was "''observed''" by a controller (e.g. activity logs, food preferences). This definition also includes data that has been transferred to the controller in the context of the exercise of the right to data portability. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> as well as, according to the EDPB, data that is "''observed''" from the user's activity, such as their search history or location data. <blockquote><u>EDPB</u>: Inferred data and derived data are created by the data controller on the basis of the data “''provided by the data subject''”. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules) cannot in themselves be considered as “''provided by''” the data subject. Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as “''provided by the data subject''” and thus will not be within scope of this new right.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote>However, it should be noted that there is a doctrinal debate regarding whether or not "observed data" should be included within the scope of application of portability. One argument in favor of a restrictive approach aims to limit the provision of data only to the types necessary for offering a comparable service. In any event, inferred or derived data, which is created by the data controller based on the data provided by the data subject, is not covered by the right to data portability.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 20 GDPR, margin number 13 (C.H. Beck 2018, 2nd Edition).</ref> This is one of the most remarkable differences between portability and access under Article 15(3) GDPR.<br />
<br />
==== In a structured, commonly used and machine-readable format ====<br />
According to Recital 68, the data should be available in an "''interoperable format''", which data controllers "''should be encouraged to develop''". In turn, "''interoperable''" refers to the ability of disparate and diverse organisations to "''interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems''."<ref>The WP29 defines interoperability as the "''capability to communicate, execute programs, or transfer data among various functional units in a manner that requires the user to have little or no knowledge of the unique characteristics of those units''". EDPB, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 17 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> <br />
<br />
According to Article 20(1) GDPR the data should be provided to the data subject in a "''structured, commonly used and machine-readable format''". Beyond this requirement, the GDPR does not call for a specific format to be used. The terms “''structured''”, “''commonly used''” and “''machine-readable''” are a set of minimal requirements that should facilitate the "''interoperability''" of the data format provided by the data controller.<ref>In that way, “''structured, commonly used and machine readable''” are specifications for the means, whereas interoperability is the desired outcome.</ref> Formats subject to costly licensing constraints are not considered "''commonly used''". The personal data provided should have a high level of abstraction from any internal or proprietary format, and metadata should be used to describe the exchanged information accurately.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref> <br />
<br />
Industry stakeholders and trade associations are encouraged to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. The Commission has published a Communication on "''ICT Standardisation Priorities for the Digital Single Market''", which may be used as a basis on which to develop standards for the purposes of data portability.<ref>EU Commission Communication on ICT Standardisation Priorities for the Digital Single Market (Available [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0176 here]).</ref> <br />
<br />
==== and the right to transmit (the data to another controller) ====<br />
The right to data portability, as outlined in Article 20(1), enables data subjects to transmit their personal data from one data controller to another "without hindrance". This goes beyond the ability to simply obtain and reuse personal data and allows individuals to transfer their data to another service provider, regardless of whether it is within the same sector or not. By preventing "lock-in" situations, data portability empowers consumers and is expected to foster innovation and secure sharing of personal data between controllers under the control of the data subject. Additionally, it can enhance customer experiences by facilitating the controlled and limited sharing of personal data between organizations. This feature of data portability has the potential to facilitate the transfer and reuse of personal data among various services of interest to the user.<br />
<br />
==== Without hindrance (from the first controller) ====<br />
The GDPR's Article 20(1) guarantees that individuals have the right to transfer their data to another controller without facing any obstructions from the initial controller who provided the personal data. Such impediments can be identified as any legal, technical, or financial barriers that the data controller sets up to prevent or hinder the data subject's or another data controller's access, transmission, or reuse of the data. <br />
<br />
Examples of such impediments include charges for data delivery, a lack of interoperability or access to a data format or API, excessive delays or complexity in retrieving the complete dataset, the intentional concealment of the dataset, or sector-specific standards or accreditation demands that are undue or excessive. The WP29 recommends that data controllers offer several options to the data subject. They suggest, for instance, that data subjects should be offered an opportunity to directly download the data as well as to transmit it directly to another data controller, and that this could be implemented by making an Application Programming Interface ('API') available.<ref>Cormack expresses doubts regarding the viability of this solution, noting that many organisations will hold their data on internal databases that are securely firewalled from internet access as opposed to APIs. Without standards leading to interoperability, the right to data portability may "''remain more a declaration of principle than a real and effective tool for individual self-determination in the digital environment''". See ''Lynskey'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 20 GDPR, p. 505 (Oxford University Press 2020).</ref><br />
<br />
Simultaneously, the data controller must implement measures to ensure that they are truly representing the interests of the data subject. One way to achieve this is by instituting protocols to verify that only the specific personal data that the data subject wants to transmit is actually being transmitted. This verification process could involve obtaining confirmation from the data subject either prior to transmission, or at an earlier stage such as when they provide initial consent for processing or finalize the contract.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Where these conditions cumulatively apply ====<br />
The right to data portability only applies if (i) the individual has either consented to the processing or the information is processed for the execution of a contract between the data subject and the controller and, in both cases, (ii) the data is processed by automated means.<ref>For example, data which is only available on paper and manually processed falls outside the scope of data portability.</ref><br />
<br />
===== (i) Processing is based on either consent or contract =====<br />
The right to data portability, as per Article 20(1)(a), is only applicable when the processing of personal data by the controller is based on the data subject's consent in accordance with Article 6(1)(a), consent to the processing of special categories of personal data in accordance with Article 9(2)(a), or a contract in accordance with Article 6(1)(b) to which the data subject is a party. Recital 68 specifically highlights that the right to data portability should not be applicable if the processing is carried out on a legal basis other than the data subject's consent or a contract. Consequently, data obtained by the controller by processing personal data to protect its legitimate interests in accordance with Article 6(1)(f) is not covered by the right under Article 20 GDPR.<ref>However, according to the WP29, it is a good practice to address portability requests also in such cases that do not explicitly provide for a general right to data portability, i.e. when processing is based on the legitimate interests or for the performance of a task carried out in the public interest. See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p. 8 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref><br />
<br />
===== (ii) Processing is carried out by automated means =====<br />
The right to data portability under Art. 20(1)(b) only applies to processing that is conducted through automated means. This condition is generally met for internet service providers, but not for non-automated processing of personal data, such as data stored on structured index cards or in non-structured files. This limitation alleviates the controller's burden of converting non-machine-readable records into machine-readable data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 13 (Beck 2020, 3rd edition).</ref><br />
<br />
===(2) Right to have personal data directly transmitted to another controller===<br />
Article 20(2) introduces the right for data subjects to request that their personal data be transmitted directly from the first controller<ref>Controllers that address portability requests ("''sending controllers''") act on behalf of a data subject and are responsible for providing prior information about the right’s existence (e.g. in the privacy notice) and clearly explaining the difference between the right of access and the right to data portability; processing the request without undue delay, within 1 month (up to 3 months); carrying out authentication; setting safeguards to ensure they genuinely act on the data subject’s behalf (e.g. ensure that they transmit the exact type of personal data that the data subject wants to receive); in light of the principles set forth in [https://gdprhub.eu/Article%205%20GDPR Article 5(1) GDPR], ensuring that the data transmitted is accurate and up to date; and taking all necessary security measures for transmissions. The sending controllers are, however, not responsible for the processing handled by the data subject or by another company receiving personal data. In this respect, "''the data controller is not responsible for compliance of the receiving data controller with data protection law, considering that it is not the sending data controller that chooses the recipient''". See WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> to a second one.<ref>Data controllers that receive portability requests ("''receiving controllers''") have an obligation to "''clearly and directly''" state the purpose of the new processing before they accept the request, in accordance with the transparency requirements set out in [https://gdprhub.eu/Article%2014%20GDPR Article 14 GDPR]; process the request without undue delay, within 1 month (up to 3 months); ensure that the data they accept is relevant and not excessive for the intended data processing; and delete the personal data which are not necessary to achieve the purpose of the new processing as soon as possible. The receiving controllers can decide whether to accept and process data from a portability request.</ref> This request, in line with the principle of facilitation, spares the data subject the burden of receiving the data and then sending it on to the intended controller. The request can typically be fulfilled through automated transmission, such as an application programming interface (API) that allows for data transfer to other systems implementing the same API. Therefore, it suffices if the data subject is given the opportunity to initiate the transfer by selecting a field labeled "''Transfer of data to another provider''", choosing a provider, selecting the data to be transferred, and clicking on a corresponding field to initiate the automated transfer.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 25 (Beck 2020, 3rd edition).</ref> <br />
<br />
==== Where technically feasible ====<br />
If the provider has not established an automated data transmission, they may be required to comply with Article 20(2) to the extent that it is "''technically feasible''".<ref>It should be noted that the "''where technically feasible''" safeguard clause only applies to the direct transmission from one controller to another under paragraph 2. Therefore, it does not apply to the scenario outlined in paragraph 1 where the data subject directly requests to receive the data. Such requests shall always be fulfilled, regardless of technical reasons.</ref> Recital 68 states that the controller is not required to adopt or maintain technically compatible data processing systems. Therefore, the technical feasibility of direct data transfer is primarily dependent on the existing technical capabilities of the controller. However, according to Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights, including the right to data portability. As such, the data subject may request reasonable cooperation from the controller, such as adapting data transmission formats, to carry out the intended portability.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 27 (Beck 2020, 3rd edition).</ref> <blockquote><u>EDPB</u>: Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Direct transmission from one data controller to another could therefore occur when communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data. If technical impediments prohibit direct transmission, the data controller shall explain those impediments to the data subjects, as his decision will otherwise be similar in its effect to a refusal to take action on a data subject’s request (Article 12(4)).<ref>WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
===(3) Other conditions===<br />
The first sentence of Article 20(3) GDPR clarifies that the exercise of the right to data portability does not preclude the exercise of any other rights under the GDPR. Thus, if data subjects want to delete their data from the controller's system (right to erasure under [[Article 17 GDPR]]), the controller cannot justify its denial to erase such data because of the data portability request.<br />
<br />
The second sentence excludes the application of the right to data portability where the processing is necessary for the controller to perform a task carried out in the public interest or in the exercise of official authority. This exception corresponds to the legal basis of Article 6(1)(e) GDPR. In such cases, a public administration operating under public law is not required to provide data portability.<br />
<br />
===(4) Rights of third parties===<br />
In accordance with Paragraph 4, the right to data portability must not infringe upon the rights and freedoms of others, including both individuals and legal entities. When data is transferred with reference to a third party, such as transaction data from a current account agreement or data from the use of a webmail service, the rights and freedoms of others are generally not affected if the new provider uses the data solely under the control of the data subject and for the same purposes as before.<ref>The portability request should not include any third party data if there is a likelihood that the new processing will adversely affect the rights and freedoms of the other data subjects. ''"Such an adverse effect would occur, for instance, if the transmission of data from one data controller to another, would prevent third parties from exercising their rights as data subjects under the GDPR."'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 11 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> However, data transmission may be restricted by trade secrets, business secrets, or copyrights, such as those pertaining to software, if there is a specific risk of harm resulting from the transmission. Controllers cannot refuse to transfer data based solely on the possibility of such legally protected interests being infringed; instead, they must seek ways to transfer the data in a manner that avoids the disclosure of legally protected secrets.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 20 GDPR, margin number 18 (C.H. Beck 2019).</ref><br />
<br />
==Relevance of other EU legislation==<br />
The interplay of the right to data portability with the legislation proposed or adopted under the umbrella of the EU digital strategy<ref>European Commission, 'A Europe fit for the digital age' (available [https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_en here])</ref> should also be noted. <br />
<br />
The Digital Markets Act (DMA)<ref>Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925 here]).</ref> imposes a new obligation on "gatekeepers" that enhances the right to data portability. According to Article 6(9) DMA, gatekeepers shall provide end users, and third parties authorised by an end user, with effective portability of data provided by the end user or generated through their activity in the context of the use of the gatekeeper’s core platform services (CPSs), including by providing continuous and real-time access to such data. Recital 59 DMA clarifies that this obligation on the gatekeeper complements the right to data portability under the GDPR.<br />
<br />
Further, the proposed EU Data Act<ref>Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN here]).</ref>, which is intended to help users of connected devices unlock access to the data those devices generate, reinforces the right to data portability by creating an obligation on "data holders" to make the data generated by such devices available (Article 5). Note: at the time of writing of this commentary, the EU Data Act proposal was being discussed in trilogues between the EU institutions (the EU Commission, the EU Parliament and the Council of Ministers). <br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 20 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
AK
https://gdprhub.eu/index.php?title=Article_20_GDPR&diff=32996
Article 20 GDPR
2023-05-30T11:39:47Z
<p>AK: /* Relevance of other EU legislation */</p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br /><center>'''Article 20 - Right to data portability'''</center><br />
<br />
<span id="1">1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:</span><br />
<br />
::<span id="1a">(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and</span><br />
<br />
::<span id="1b">(b) the processing is carried out by automated means.</span><br />
<br />
<span id="2">2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.</span><br />
<br />
<span id="3">3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.</span><br />
<br />
<span id="4">4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/68 GDPR}}{{Recital/73 GDPR}}{{Recital/156 GDPR}}<br />
<br />
==Commentary==<br />
<br />
The right to data portability empowers data subjects to receive a copy of their data in a structured, commonly used, and machine-readable format. They can then decide what they want to do with this data, and either store it on their computer, send it or have it sent to a third party. The recipients of this data are not limited to providers that offer similar or comparable services, as the right to portability can be exercised with any controller data subjects choose within the conditions specified below.<ref>The purpose of the right to data portability is to give data subjects more control over their personal data by granting them a certain type of "ownership". Regulators’ objective was to increase competition on the market by allowing for the free movement of data between providers. Data portability is especially relevant in cases when one controller offers a higher level of protection of personal data than another within the same industry sector or across sectors.</ref> <br />
===(1) Right to data portability===<br />
<br />
Data subjects have the right to request and obtain a copy of any personal data they have provided to the controller and which is being processed on the basis of consent or a contract. This information must be structured in an accessible and intelligible manner, so that both the data subjects themselves and any controllers who may receive it in the future can understand and make use of it. <blockquote><u>EDPB</u>: Take, for instance, a scenario where a data subject desires to obtain his/her present playlist or a log of listened tracks from a music streaming service. This could be for the purpose of ascertaining the number of times specific tracks were played, or for identifying which music to buy or listen to on an alternate platform. Correspondingly, the data subject may seek to retrieve his/her contact list from a webmail application, perhaps to compile a wedding list, track purchases made with various loyalty cards, or evaluate his/her carbon footprint.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
==== Right to receive ====<br />
The request for data portability does not differ much from the request for access, at least in terms of the necessary steps to carry it out.<ref>However, it is always important to keep these two rights distinct. The right of access enables individuals to obtain information about the processing and a copy of the personal data held by the controller, in order to ensure transparency and allow for further actions by the data subject. Data portability, on the other hand, has a distinct economic feature: it allows a copy of the data - which is also different and more limited than that under Article 15 - to be obtained, and such a dataset to be sent to another controller for similar or different purposes (i.e., essentially a competitor). In any case, a request must be made, which may be done electronically.</ref> The controller must facilitate the request, including the authentication phase (Article 12(2) GDPR). Obstructive practices in this area not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating anti-competitive phenomena or "lock-in" effects.<br />
<br />
As for the rest, the general rules set out in Article 12 apply. Article 12(3) requires that the data controller provide “''information on action taken''” to the data subject “''without undue delay''” and in any event “''within one month of receipt of the request''”. As usual, the one-month period can be extended to a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for the delay within one month of the original request.<blockquote><u>EDPB</u>: To meet user expectations, it is a good practice to define the timeframe in which a data portability request can typically be answered and communicate this to data subjects. Data controllers who refuse to answer a portability request shall, pursuant to Article 12(4), inform the data subject of “''the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy''”, no later than one month after receiving the request.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 14-15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
===== Modalities to provide the data =====<br />
Data controllers should consider two distinct but complementary options for providing portable data to data subjects or other controllers. The first option is a direct transmission of the complete dataset or specific parts of it. The second option is an automated tool that allows for the extraction of relevant data. For complex and large datasets, the second option may be preferred as it minimizes risks and allows for the use of data synchronization mechanisms. Making portable data available through various secure means such as messaging, SFTP servers, or secured WebAPI/WebPortal would enable data subjects to use personal data stores or other trusted third parties to hold and manage their personal data. This would also reduce privacy risks for the initial data controller and promote compliance for the new data controller.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 16 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Personal data concerning him or her ====<br />
A data portability request only applies to personal data concerning the data subject. Pseudonymous data is within the scope if the corresponding identifier is provided by the subject (as per Article 11(2) GDPR). Any data that is anonymous or not related to the data subject is not included. <blockquote><u>EDPB</u>: For instance, call records in a subscriber's account history may include details of third parties, but subscribers should still be able to obtain such records in response to portability requests since they are also concerning the data subject. Nevertheless, new data controllers who receive such records should not process them in any way that would adversely affect the rights and freedoms of the third parties involved.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 9 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
==== Provided to a controller ====<br />
Article 20 specifies that only personal data "''provided''" by the data subject is covered by the right. This includes data that the user knowingly and actively provides, such as their name and mailing address,<ref>The data "''provided''" is the data that was actively given to the controller (e.g. photos uploaded to the service) or which was "''observed''" by a controller (e.g. activity logs, food preferences). This definition also includes data that has been transferred to the controller in the context of the exercise of the right to data portability. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> as well as, according to the EDPB, data that is "''observed''" from the user's activity, such as their search history or location data. <blockquote><u>EDPB</u>: Inferred data and derived data are created by the data controller on the basis of the data “''provided by the data subject''”. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules) cannot in themselves be considered as “''provided by''” the data subject. Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as “''provided by the data subject''” and thus will not be within scope of this new right.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote>However, it should be noted that there is a doctrinal debate regarding whether "observed data" should be included within the scope of application of portability. One argument in favour of a restrictive approach aims to limit the provision of data only to the types necessary for offering a comparable service. In any event, inferred or derived data, which is created by the data controller based on the data provided by the data subject, is not covered by the right to data portability.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 20 GDPR, margin number 13 (C.H. Beck 2018, 2nd Edition).</ref> This is one of the most remarkable differences between portability and access under Article 15(3) GDPR.<br />
<br />
==== In a structured, commonly used and machine-readable format ====<br />
According to Recital 68, the data should be available in an "''interoperable format''", which data controllers "''should be encouraged to develop''". In turn, "''interoperable''" refers to the ability of disparate and diverse organisations to "''interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems''."<ref>The WP29 defines interoperability as the "''capability to communicate, execute programs, or transfer data among various functional units in a manner that requires the user to have little or no knowledge of the unique characteristics of those units''". EDPB, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 17 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> <br />
<br />
According to Article 20(1) GDPR the data should be provided to the data subject in a "''structured, commonly used and machine-readable format''". Beyond this requirement, the GDPR does not call for a specific format to be used. The terms “''structured''”, “''commonly used''” and “''machine-readable''” are a set of minimal requirements that should facilitate the "''interoperability''" of the data format provided by the data controller.<ref>In that way, “''structured, commonly used and machine readable''” are specifications for the means, whereas interoperability is the desired outcome.</ref> Formats subject to costly licensing constraints are not considered "''commonly used''". The personal data provided should have a high level of abstraction from any internal or proprietary format, and metadata should be used to describe the exchanged information accurately.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref> <br />
<br />
Industry stakeholders and trade associations are encouraged to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. The Commission has published a Communication on "''ICT Standardisation Priorities for the Digital Single Market''", which may be used as a basis on which to develop standards for the purposes of data portability.<ref>EU Commission Communication on ICT Standardisation Priorities for the Digital Single Market (Available [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0176 here]).</ref> <br />
<br />
==== and the right to transmit (the data to another controller) ====<br />
The right to data portability, as outlined in Article 20(1), enables data subjects to transmit their personal data from one data controller to another "without hindrance". This goes beyond the ability to simply obtain and reuse personal data: it allows individuals to transfer their data to another service provider, regardless of whether it operates in the same sector. By preventing "lock-in" situations, data portability empowers consumers and is expected to foster innovation and the secure sharing of personal data between controllers under the control of the data subject. Additionally, it can enhance customer experiences by facilitating the controlled and limited sharing of personal data between organizations, and the transfer and reuse of personal data among the various services of interest to the user.<br />
<br />
==== Without hindrance (from the first controller) ====<br />
Article 20(1) GDPR guarantees that individuals have the right to transfer their data to another controller without facing any obstruction from the initial controller, i.e. the controller to which the personal data were provided. Such impediments can be identified as any legal, technical, or financial barriers that the data controller sets up to prevent or hinder the data subject's or another data controller's access to, transmission of, or reuse of the data. <br />
<br />
Examples of such impediments include charges for data delivery, a lack of interoperability or of access to a data format or API, excessive delays or complexity in retrieving the complete dataset, the intentional concealment of the dataset, or sector-specific standards or accreditation demands that are undue or excessive. The WP29 recommends that data controllers offer several options to the data subject. They suggest, for instance, that data subjects should be offered an opportunity to directly download the data as well as to transmit it directly to another data controller, and that this could be implemented by making an Application Programming Interface ('API') available.<ref>Cormack expresses doubts regarding the viability of this solution, noting that many organisations will hold their data on internal databases that are securely firewalled from internet access as opposed to APIs. Without standards leading to interoperability, the right to data portability may "''remain more a declaration of principle than a real and effective tool for individual self-determination in the digital environment''". See, ''Lynskey'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 20 GDPR, p. 505 (Oxford University Press 2020).</ref><br />
<br />
Simultaneously, the data controller must implement measures to ensure that they are truly representing the interests of the data subject. One way to achieve this is by instituting protocols to verify that only the specific personal data that the data subject wants to transmit is actually being transmitted. This verification process could involve obtaining confirmation from the data subject either prior to transmission, or at an earlier stage such as when they provide initial consent for processing or finalize the contract.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
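The following Python sketch is an added illustration, not code from the GDPRhub commentary or from any EDPB/WP29 document. It shows how a controller might implement three points made in the sections above: keeping inferred or derived data (created by the controller) out of the export while including data actively provided by and observed from the data subject; producing the export in a structured, commonly used and machine-readable format (here JSON) with metadata describing each field and abstracted from the internal record layout; and confirming before transmission that only the fields the data subject selected are actually transmitted. The data catalogue, the internal column names, the portable field names and the sample record are all constructed assumptions for the example.

```python
"""Portability export sketch (added example; catalogue, field names and the
sample record are constructed, not taken from any real controller)."""
import json
from datetime import datetime, timezone
from enum import Enum


class Origin(str, Enum):
    PROVIDED = "provided"   # actively given by the data subject (name, uploads)
    OBSERVED = "observed"   # generated by the subject's use of the service (logs)
    INFERRED = "inferred"   # created by the controller (scores, profiles): out of scope


# Assumed data catalogue: internal column -> (portable field name, origin, description).
# The description becomes metadata in the export so a receiving controller can
# interpret each field without knowing the sending controller's internal schema.
CATALOGUE = {
    "usr_display_nm": ("name", Origin.PROVIDED, "Display name entered at sign-up"),
    "usr_email": ("email", Origin.PROVIDED, "Contact e-mail address"),
    "evt_play_log": ("listening_history", Origin.OBSERVED, "Tracks played, ISO 8601 timestamps"),
    "evt_search": ("search_history", Origin.OBSERVED, "Search queries entered by the user"),
    "ml_churn_score": ("churn_score", Origin.INFERRED, "Model output, controller-derived"),
    "ml_taste_cluster": ("taste_cluster", Origin.INFERRED, "Profiling result"),
}


def portable_fields(catalogue=CATALOGUE):
    """Portable field names within the scope of Article 20 (provided or observed data)."""
    return sorted(pname for pname, origin, _ in catalogue.values() if origin is not Origin.INFERRED)


def rejected_fields(requested_fields, catalogue=CATALOGUE):
    """Requested names that cannot be ported: unknown fields or inferred/derived data."""
    allowed = set(portable_fields(catalogue))
    return sorted(f for f in requested_fields if f not in allowed)


def build_export(record, requested_fields, catalogue=CATALOGUE,
                 controller="ExampleController", now=None):
    """Build the export for one internal record, limited to the fields the
    data subject selected. Raises ValueError instead of silently widening or
    narrowing the request, so the scope can be confirmed with the subject."""
    bad = rejected_fields(requested_fields, catalogue)
    if bad:
        raise ValueError(f"not portable: {bad}")

    data, metadata = {}, {}
    for column, (pname, origin, description) in catalogue.items():
        if pname in requested_fields and column in record:
            data[pname] = record[column]
            metadata[pname] = {"origin": origin.value, "description": description}

    exported_at = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "schema": "portability-export/1.0",   # constructed schema identifier
        "controller": controller,
        "exported_at": exported_at,
        "fields": metadata,
        "data": data,
    }


def verify_export(export, requested_fields):
    """Pre-transmission check: exactly the requested fields, nothing inferred."""
    fields = set(export["data"])
    return fields == set(requested_fields) and all(
        meta["origin"] != Origin.INFERRED.value for meta in export["fields"].values()
    )


def to_json(export):
    """Serialise deterministically so the receiving side can verify the payload."""
    return json.dumps(export, sort_keys=True, indent=2, ensure_ascii=False)


# Constructed internal record, as it might sit in the controller's own database.
SAMPLE_RECORD = {
    "usr_display_nm": "A. Example",
    "usr_email": "a.example@example.invalid",
    "evt_play_log": [{"track": "t-001", "at": "2023-05-01T10:00:00Z"}],
    "evt_search": ["jazz 1959", "live albums"],
    "ml_churn_score": 0.81,
    "ml_taste_cluster": "C7",
}

if __name__ == "__main__":
    wanted = ["name", "listening_history"]
    export = build_export(SAMPLE_RECORD, wanted, now=datetime(2023, 6, 1, tzinfo=timezone.utc))
    assert verify_export(export, wanted)
    print(to_json(export))
```

The catalogue is the design choice that does the legal work: tagging every stored attribute with its origin at design time makes the "provided or observed versus inferred" boundary a property of the data model rather than a decision taken per request, and the same tags feed the metadata that Recital 68's interoperability goal calls for.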
<br />
==== Where these conditions cumulatively apply ====<br />
The right to data portability only applies if (i) the processing is based on the data subject's consent or on a contract between the data subject and the controller and, in both cases, (ii) the data are processed by automated means.<ref>For example, data which is only available on paper and manually processed falls outside the scope of data portability.</ref><br />
<br />
===== (i) Processing is based on either consent or contract =====<br />
The right to data portability, as per Article 20(1)(a), is only applicable when the processing of personal data by the controller is based on the data subject's consent in accordance with Article 6(1)(a), consent to the processing of special categories of personal data in accordance with Article 9(2)(a), or a contract in accordance with Article 6(1)(b) to which the data subject is a party. Recital 68 specifically highlights that the right to data portability should not be applicable if the processing is carried out on a legal basis other than the data subject's consent or a contract. Consequently, data obtained by the controller by processing personal data to protect its legitimate interests in accordance with Article 6(1)(f) is not covered by the right under Article 20 GDPR.<ref>However, according to the WP29, it is a good practice to address portability requests also in such cases that do not explicitly provide for a general right to data portability, i.e. when processing is based on the legitimate interests or for the performance of a task carried out in the public interest. See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p. 8 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref><br />
<br />
===== (ii) Processing is carried out by automated means =====<br />
The right to data portability under Article 20(1)(b) only applies to processing that is conducted through automated means. This condition is generally met for internet service providers, but not for non-automated processing of personal data, such as data stored on structured index cards or in non-structured files. This limitation alleviates the controller's burden of converting non-machine-readable records into machine-readable data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 13 (Beck 2020, 3rd edition).</ref><br />
<br />
===(2) Right to have personal data directly transmitted to another controller===<br />
Article 20(2) introduces the right for data subjects to request that their personal data be transmitted directly from the first controller<ref>Controllers that address portability requests ("''sending controllers''") act on behalf of a data subject and are responsible for providing prior information about the right’s existence (e.g. in the privacy notice) and clearly explaining the difference between the right of access and the right to data portability; processing the request without undue delay, within one month (up to three months); carrying out authentication; setting safeguards to ensure they genuinely act on the data subject’s behalf (e.g. ensuring that they transmit the exact type of personal data that the data subject wants to receive); in light of the principles set forth in [https://gdprhub.eu/Article%205%20GDPR Article 5(1) GDPR], ensuring that the data transmitted is accurate and up to date; and taking all necessary security measures for transmissions. The sending controllers are, however, not responsible for the processing handled by the data subject or by another company receiving personal data. In this respect, "''the data controller is not responsible for compliance of the receiving data controller with data protection law, considering that it is not the sending data controller that chooses the recipient''". See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> to a second one.<ref>Data controllers that receive portability requests ("''receiving controllers''") have an obligation to "''clearly and directly''" state the purpose of the new processing before they accept the request, in accordance with the transparency requirements set out in [https://gdprhub.eu/Article%2014%20GDPR Article 14 GDPR]; process the request without undue delay, within one month (up to three months); ensure that the data they accept is relevant and not excessive for the intended data processing; and delete the personal data which are not necessary to achieve the purpose of the new processing as soon as possible. The receiving controllers can decide whether to accept and process data from a portability request.</ref> This request, in line with the principle of facilitation, spares the data subject the burden of receiving the data and then sending it on to the intended controller. The request can typically be fulfilled through automated transmission, such as an application programming interface (API) that allows for data transfer to other systems implementing the same API. Therefore, it suffices if the data subject is given the opportunity to initiate the transfer by selecting a field labelled "''Transfer of data to another provider''", choosing a provider, selecting the data to be transferred, and clicking on a corresponding field to initiate the automated transfer.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 25 (Beck 2020, 3rd edition).</ref> <br />
==== Where technically feasible ====<br />
If the provider has not established an automated data transmission, they may be required to comply with Article 20(2) to the extent that it is "''technically feasible''".<ref>It should be noted that the "''where technically feasible''" safeguard clause only applies to the direct transmission from one controller to another under paragraph 2. Therefore, it does not apply to the scenario outlined in paragraph 1 where the data subject directly requests to receive the data. Such requests shall always be fulfilled, regardless of technical reasons.</ref> Recital 68 states that the controller is not required to adopt or maintain technically compatible data processing systems. Therefore, the technical feasibility of direct data transfer is primarily dependent on the existing technical capabilities of the controller. However, according to Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights, including the right to data portability. As such, the data subject may request reasonable cooperation from the controller, such as adapting data transmission formats, to carry out the intended portability.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 27 (Beck 2020, 3rd edition).</ref> <blockquote><u>EDPB</u>: Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Direct transmission from one data controller to another could therefore occur when communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data. If technical impediments prohibit direct transmission, the data controller shall explain those impediments to the data subjects, as his decision will otherwise be similar in its effect to a refusal to take action on a data subject’s request (Article 12(4)).<ref>WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
===(3) Other conditions===<br />
The first sentence of Article 20(3) GDPR clarifies that the exercise of the right to data portability is without prejudice to the exercise of any other right under the GDPR. Thus, if data subjects want their data deleted from the controller's system (right to erasure under [[Article 17 GDPR]]), the controller cannot refuse erasure on the ground that a data portability request has been made.<br />
<br />
The second sentence excludes the right to data portability where the processing is necessary for the controller to perform a task carried out in the public interest or in the exercise of official authority. This exception corresponds to the legal basis of Article 6(1)(e) GDPR. In such cases, the public administration operating under public law is not required to provide data portability.<br />
<br />
===(4) Rights of third parties===<br />
In accordance with paragraph 4, the right to data portability must not infringe upon the rights and freedoms of others, including both individuals and legal entities. Where the transferred data also refer to a third party, such as transaction data from a current account agreement or data from the use of a webmail service, the rights and freedoms of others are generally not affected if the new provider uses the data solely under the control of the data subject and for the same purposes as before.<ref>The portability request should not include any third party data if there is a likelihood that the new processing will adversely affect the rights and freedoms of the other data subjects. ''"Such an adverse effect would occur, for instance, if the transmission of data from one data controller to another, would prevent third parties from exercising their rights as data subjects under the GDPR."'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 11 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> However, data transmission may be restricted by trade secrets, business secrets, or copyrights, such as those pertaining to software, if there is a specific risk of harm resulting from the transmission. Controllers cannot refuse to transfer data based solely on the possibility that such legally protected interests may be infringed; instead, they must seek ways to transfer the data in a manner that avoids the disclosure of legally protected secrets.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 20 GDPR, margin number 18 (C.H. Beck 2019).</ref><br />
<br />
==Relevance of other EU legislation==<br />
It is important to refer to the interplay of the right to data portability with the proposed or adopted legislation under the umbrella of the EU digital strategy<ref>European Commission, 'A Europe fit for the digital age' (available [https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_en here])</ref>. <br />
<br />
The Digital Markets Act (DMA)<ref>Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925 here]).</ref> imposes a new obligation on "gatekeepers" that enhances the right to data portability. According to Article 6(9) DMA, gatekeepers shall provide an end user, and third parties authorised by an end user, with effective portability of data provided by the end user or generated through their activity in the use of the gatekeeper’s core platform services (CPSs), including by the provision of continuous and real-time access to such data. Recital 59 DMA clarifies that this obligation on the gatekeeper complements the right to data portability under the GDPR.<br />
<br />
Further, the proposed EU Data Act<ref>Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN here]).</ref>, which is intended to help users of connected devices unlock access to the data those devices generate, reinforces the right to data portability by creating an obligation on "data holders" to make available the data generated by such devices (Article 5). At the time of writing of this Commentary, the EU Data Act proposal is being discussed in trilogues between the EU institutions (EU Commission, EU Parliament and the Council of Ministers). <br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 20 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
AK
https://gdprhub.eu/index.php?title=Article_20_GDPR&diff=32995
Article 20 GDPR
2023-05-30T11:39:32Z
<p>AK: /* Relevance of other legislation */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 19 GDPR|←]] Article 20 - Right to data portability [[Article 21 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95: /46: /EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 20: 02: /58: /EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br /><center>'''Article 20 - Right to data portability'''</center><br />
<br />
<span id="1">1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:</span><br />
<br />
::<span id="1a">(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and</span><br />
<br />
::<span id="1b">(b) the processing is carried out by automated means.</span><br />
<br />
<span id="2">2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.</span><br />
<br />
<span id="3">3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.</span><br />
<br />
<span id="4">4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/68 GDPR}}{{Recital/73 GDPR}}{{Recital/156 GDPR}}<br />
<br />
==Commentary==<br />
<br />
The right to data portability empowers data subjects to receive a copy of their data in a structured, commonly used, and machine-readable format. They can then decide what they want to do with this data, and either store it on their computer, send it or have it sent to a third party. The recipients of this data are not limited to providers that offer similar or comparable services, as the right to portability can be exercised with any controller data subjects choose within the conditions specified below.<ref>The purpose of the right to data portability is to give data subjects more control over their personal data by granting them a certain type of "ownership". Regulators’ objective was to increase competition on the market by allowing for the free movement of data between providers. Data portability is especially relevant in cases when one controller offers a higher level of protection of personal data than another within the same industry sector or across sectors.</ref> <br />
===(1) Right to data portability===<br />
<br />
Data subjects have the right to request and obtain a copy of any personal data they have provided to the controller and which is being processed based on consent or contract. This information must be structured in an accessible and intelligible manner, so that both the data subject themselves and any controllers who may receive it in the future can understand and make use of it. <blockquote><u>EDPB</u>: Take, for instance, a scenario where a data subject desires to obtain his/her present playlist or a log of listened tracks from a music streaming service. This could be for the purpose of ascertaining the number of times specific tracks were played, or for identifying which music to buy or listen to on an alternate platform. Correspondingly, the data subject may seek to retrieve his/her contact list from a webmail application, perhaps to compile a wedding list, track purchases made with various loyalty cards, or evaluate his/her carbon footprint.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
==== Right to receive ====<br />
The request for data portability does not differ much from the request for access, at least in terms of the necessary steps to carry it out.<ref>However, it is always important to keep these two rights distinct. The right of access enables individuals to obtain information about the processing and a copy of the personal data held by the controller, in order to ensure transparency and allow for further actions by the data subject. On the other hand, data portability has a distinct economic feature. It allows for a copy of the data - which is also different and more limited than that under Article 15 - to be obtained, and the possibility to send such a dataset to another controller for similar or different purposes (i.e., essentially a competitor). In any case, a request must be made, even electronically. The controller must facilitate the request, including the authentication of the data subject (Article 12(2) GDPR). Obstructive practices in this area not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating real anti-competitive phenomena or "lock-in" effects.</ref> The controller must facilitate the request, including the authentication phase (Article 12(2) GDPR). Obstructive practices in this area will not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating anti-competitive phenomena or "lock-in" effects.<br />
<br />
As for the rest, the general rules set out in Article 12 apply. Article 12(3) requires that the data controller provides “''information on action taken''” to the data subject “''without undue delay''” and in any event “''within one month of receipt of the request''”. As usual, the one-month period can be extended to a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.<blockquote><u>EDPB</u>: To meet user expectations, it is a good practice to define the timeframe in which a data portability request can typically be answered and communicate this to data subjects. Data controllers who refuse to answer a portability request shall, pursuant to Article 12(4), inform the data subject of “''the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy''”, no later than one month after receiving the request.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 14-15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
===== Modalities to provide the data =====<br />
Data controllers should consider two distinct but complementary options for providing portable data to data subjects or other controllers. The first option is a direct transmission of the complete dataset or specific parts of it. The second option is an automated tool that allows for the extraction of relevant data. For complex and large datasets, the second option may be preferred as it minimizes risks and allows for the use of data synchronization mechanisms. Making portable data available through various secure means such as messaging, SFTP servers, or secured WebAPI/WebPortal would enable data subjects to use personal data stores or other trusted third parties to hold and manage their personal data. This would also reduce privacy risks for the initial data controller and promote compliance for the new data controller.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 16 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Personal data concerning him or her ====<br />
A data portability request only applies to personal data concerning the data subject. Pseudonymous data is within the scope if the corresponding identifier is provided by the subject (as per Article 11(2) GDPR). Any data that is anonymous or not related to the data subject is not included. <blockquote><u>EDPB</u>: For instance, call records in a subscriber's account history may include details of third parties, but subscribers should still be able to obtain such records in response to portability requests since they are also concerning the data subject. Nevertheless, new data controllers who receive such records should not process them in any way that would adversely affect the rights and freedoms of the third parties involved.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 9 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
==== Provided to a controller ====<br />
Article 20 specifies that only personal data "''provided''" by the data subject is covered by the right. This includes data that the user knowingly and actively provides, such as their name and mailing address,<ref>The data "''provided''" is the data that was actively given to the controller (e.g. photos uploaded to the service) or which was "''observed''" by a controller (e.g. activity logs, food preferences). This definition also includes data that has been transferred to the controller in the context of the exercise of the right to data portability. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> as well as, according to the EDPB, data that is "''observed''" from the user's activity, such as their search history or location data. <blockquote><u>EDPB</u>: Inferred data and derived data are created by the data controller on the basis of the data “''provided by the data subject''”. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules) cannot in themselves be considered as “''provided by''” the data subject. Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as “''provided by the data subject''” and thus will not be within scope of this new right.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote>However, it should be noted that there is a doctrinal debate regarding whether or not "observed data" should be included within the scope of application of portability. One argument in favor of a restrictive approach aims to limit the provision of data only to the types necessary for offering a comparable service. In any event, inferred or derived data, which is created by the data controller based on the data provided by the data subject, is not covered by the right to data portability.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 20 GDPR, margin number 13 (C.H. Beck 2018, 2nd Edition).</ref> This is one of the most remarkable differences between portability and access under Article 15(3) GDPR.<br />
<br />
==== In a structured, commonly used and machine-readable format ====<br />
According to Recital 68, the data should be available in an "''interoperable format''", which data controllers "''should be encouraged to develop''". In turn, "''interoperable''" refers to the ability of disparate and diverse organisations to "''interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems''."<ref>The WP29 defines interoperability as the "''capability to communicate, execute programs, or transfer data among various functional units in a manner that requires the user to have little or no knowledge of the unique characteristics of those units''". EDPB, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 17 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> <br />
<br />
According to Article 20(1) GDPR the data should be provided to the data subject in a "''structured, commonly used and machine-readable format''". Beyond this requirement, the GDPR does not call for a specific format to be used. The terms “''structured''”, “''commonly used''” and “''machine-readable''” are a set of minimal requirements that should facilitate the "''interoperability''" of the data format provided by the data controller.<ref>In that way, “''structured, commonly used and machine readable''” are specifications for the means, whereas interoperability is the desired outcome.</ref> Formats subject to costly licensing constraints are not considered "''commonly used''". The personal data provided should have a high level of abstraction from any internal or proprietary format, and metadata should be used to describe the exchanged information accurately.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref> <br />
<br />
Industry stakeholders and trade associations are encouraged to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. The Commission has published a Communication on "''ICT Standardisation Priorities for the Digital Single Market''", which may be used as a basis on which to develop standards for the purposes of data portability.<ref>EU Commission Communication on ICT Standardisation Priorities for the Digital Single Market (Available [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0176 here]).</ref> <br />
<br />
==== and the right to transmit (the data to another controller) ====<br />
The right to data portability, as outlined in Article 20(1), enables data subjects to transmit their personal data from one data controller to another "without hindrance". This goes beyond the ability to simply obtain and reuse personal data and allows individuals to transfer their data to another service provider, regardless of whether it is within the same sector or not. By preventing "lock-in" situations, data portability empowers consumers and is expected to foster innovation and secure sharing of personal data between controllers under the control of the data subject. Additionally, it can enhance customer experiences by facilitating the controlled and limited sharing of personal data between organizations. This feature of data portability has the potential to facilitate the transfer and reuse of personal data among various services of interest to the user.<br />
<br />
==== Without hindrance (from the first controller) ====<br />
The GDPR's Article 20(1) guarantees that individuals have the right to transfer their data to another controller without facing any obstructions from the initial controller who provided the personal data. Such impediments can be identified as any legal, technical, or financial barriers that the data controller sets up to prevent or hinder the data subject's or another data controller's access, transmission, or reuse of the data. <br />
<br />
Examples of such impediments include charges for data delivery, a lack of interoperability or access to a data format or API, excessive delays or complexity in retrieving the complete dataset, the intentional concealment of the dataset, or sector-specific standards or accreditation demands that are undue or excessive. The WP29 recommends that data controllers offer several options to the data subject. They suggest, for instance, that data subjects should be offered an opportunity to directly download the data as well as to transmit it directly to another data controller, and that this could be implemented by making an Application Programming Interface ('API') available.<ref>Cormack expresses doubts regarding the viability of this solution, noting that many organisations will hold their data on internal databases that are securely firewalled from internet access as opposed to APIs. Without standards leading to interoperability, the right to data portability may "''remain more a declaration of principle than a real and effective tool for individual self-determination in the digital environment''". See, ''Lynskey'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 20 GDPR, p. 505 (Oxford University Press 2020).</ref><br />
<br />
Simultaneously, the data controller must implement measures to ensure that they are truly representing the interests of the data subject. One way to achieve this is by instituting protocols to verify that only the specific personal data that the data subject wants to transmit is actually being transmitted. This verification process could involve obtaining confirmation from the data subject either prior to transmission, or at an earlier stage such as when they provide initial consent for processing or finalize the contract.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Where these conditions cumulatively apply ====<br />
The right to data portability only applies if (i) the individual has either consented to the processing or the information is processed for the execution of a contract between the data subject and controller and, in both cases, (ii) data is processed by automated means.<ref>For example, data which is only available on paper and manually processed falls outside the scope of data portability.</ref><br />
<br />
===== (i) Processing is based on either consent or contract =====<br />
The right to data portability, as per Article 20(1)(a), is only applicable when the processing of personal data by the controller is based on the data subject's consent in accordance with Article 6(1)(a), consent to the processing of special categories of personal data in accordance with Article 9(2)(a), or a contract in accordance with Article 6(1)(b) to which the data subject is a party. Recital 68 specifically highlights that the right to data portability should not be applicable if the processing is carried out on a legal basis other than the data subject's consent or a contract. Consequently, data obtained by the controller by processing personal data to protect its legitimate interests in accordance with Article 6(1)(f) is not covered by the right under Article 20 GDPR.<ref>However, according to the WP29, it is a good practice to address portability requests also in such cases that do not explicitly provide for a general right to data portability, i.e. when processing is based on the legitimate interests or for the performance of a task carried out in the public interest. See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p. 8 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref><br />
<br />
===== (ii) Processing is carried out by automated means =====<br />
The right to data portability under Art. 20(1)(b) only applies to processing that is conducted through automated means. This condition is generally met for internet service providers, but not for non-automated processing of personal data, such as data stored on structured index cards or in non-structured files. This limitation alleviates the controller's burden of converting non-machine-readable records into machine-readable data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 13 (Beck 2020, 3rd edition).</ref><br />
<br />
===(2) Right to have personal data directly transmitted to another controller===<br />
Article 20(2) introduces the right for data subjects to request that their personal data be transmitted directly from the first controller<ref>Controllers that address portability requests ("''sending controllers''") act on behalf of a data subject and are responsible for providing prior information about the right’s existence (e.g. in the privacy notice) and clearly explaining the difference between the right of access and the right to data portability; processing the request without undue delay, within 1 month (up to 3 months); carrying out authentication; setting safeguards to ensure they genuinely act on the data subject’s behalf (e.g. ensure that they transmit the exact type of personal data that the data subject wants to receive); in light of the principles set forth in [https://gdprhub.eu/Article%205%20GDPR Article 5(1) GDPR], ensuring that the data transmitted is accurate and up to date; and, taking all necessary security measures for transmissions. The sending controllers are, however, not responsible for the processing handled by the data subject or by another company receiving personal data. In this respect, "''the data controller is not responsible for compliance of the receiving data controller with data protection law, considering that it is not the sending data controller that chooses the recipient''". See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> to a second one.<ref>Data controllers that receive portability requests ("''receiving controllers''") have an obligation to "''clearly and directly''" state the purpose of the new processing before they accept the request in accordance with the transparency requirements set out in [https://gdprhub.eu/Article%2014%20GDPR Article 14 GDPR]; process the request without undue delay, within 1 month (up to 3 months); ensure that the data they accept is relevant and not excessive for the intended data processing; delete the personal data which are not necessary to achieve the purpose of the new processing as soon as possible. The receiving controllers can decide whether to accept and process data from a portability request.</ref> This request, in line with the principle of facilitation, spares the data subject the burden of receiving the data and then sending it on to the intended controller. The request can typically be fulfilled through automated transmission, such as an application programming interface (API) that allows for data transfer to other systems implementing the same API. Therefore, it suffices if the data subject is given the opportunity to initiate the transfer by selecting a field labeled "''Transfer of data to another provider''", choosing a provider, selecting the data to be transferred, and clicking on a corresponding field to initiate the automated transfer.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 25 (Beck 2020, 3rd edition).</ref> <br />
<br />
==== Where technically feasible ====<br />
If the provider has not established an automated data transmission channel, it may still be required to comply with Article 20(2) to the extent that this is "''technically feasible''".<ref>It should be noted that the "''where technically feasible''" safeguard clause only applies to the direct transmission from one controller to another under paragraph 2. Therefore, it does not apply to the scenario outlined in paragraph 1 where the data subject directly requests to receive the data. Such requests shall always be fulfilled, regardless of technical reasons.</ref> Recital 68 states that the controller is not required to adopt or maintain technically compatible data processing systems. The technical feasibility of a direct transfer therefore depends primarily on the controller's existing technical capabilities. However, according to Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights, including the right to data portability. The data subject may therefore request reasonable cooperation from the controller, such as adapting data transmission formats, to carry out the intended portability.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 27 (Beck 2020, 3rd edition).</ref> <blockquote><u>EDPB</u>: Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Direct transmission from one data controller to another could therefore occur when communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data. 
If technical impediments prohibit direct transmission, the data controller shall explain those impediments to the data subjects, as his decision will otherwise be similar in its effect to a refusal to take action on a data subject’s request (Article 12(4)).<ref>WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
===(3) Other conditions===<br />
The first sentence of Article 20(3) GDPR clarifies that the exercise of the right to data portability is without prejudice to any other right under the GDPR. Thus, if data subjects want their data deleted from the controller's systems (right to erasure under [[Article 17 GDPR]]), the controller cannot invoke the pending portability request as a reason to refuse erasure.<br />
<br />
The second sentence excludes the right to data portability where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This exception corresponds to the legal basis in Article 6(1)(e) GDPR. In such cases, a public administration operating under public law is not required to provide data portability.<br />
===(4) Rights of third parties===<br />
In accordance with Paragraph 4, the right to data portability must not infringe upon the rights and freedoms of others, including both individuals and legal entities. When data is transferred with reference to a third party, such as transaction data from a current account agreement or data from the use of a webmail service, the rights and freedoms of others are generally not affected if the new provider uses the data solely under the control of the data subject and for the same purposes as before.<ref>The portability request should not include any third party data if there is a likelihood that the new processing will adversely affect the rights and freedoms of the other data subjects. ''"Such an adverse effect would occur, for instance, if the transmission of data from one data controller to another, would prevent third parties from exercising their rights as data subjects under the GDPR."'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 11 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> However, data transmission may be restricted by trade secrets, business secrets, or copyrights, such as those pertaining to software, if there is a specific risk of harm resulting from the transmission. Controllers cannot refuse to transfer data based solely on the possibility of such legally protected interests being infringed; instead, they must seek ways to transfer the data in a manner that avoids the disclosure of legally protected secrets.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 20 GDPR, margin number 18 (C.H. Beck 2019).</ref><br />
<br />
==Relevance of other EU legislation==<br />
The right to data portability should be read together with the legislation, proposed or adopted, under the umbrella of the EU digital strategy<ref>European Commission, 'A Europe fit for the digital age' (available [https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_en here])</ref>. The Digital Markets Act (DMA)<ref>Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925 here]).</ref> imposes a new obligation on "gatekeepers" that enhances the right to data portability. According to Article 6(9) DMA, gatekeepers shall provide end users, and third parties authorised by an end user, with effective portability of data provided by the end user or generated through their activity in the context of the use of the gatekeeper’s core platform services (CPSs), including by providing continuous and real-time access to such data. Recital 59 DMA clarifies that this obligation on the gatekeeper complements the right to data portability under the GDPR.<br />
<br />
Further, the proposed EU Data Act<ref>Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN here]).</ref>, which is intended to give users of connected devices access to the data those devices generate, reinforces the right to data portability by obliging "data holders" to make the data generated by such devices available (Article 5). At the time of writing of this Commentary, the EU Data Act proposal is being discussed in trilogues between the EU institutions (European Commission, European Parliament and the Council). <br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 20 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
AK
https://gdprhub.eu/index.php?title=Article_20_GDPR&diff=32994
Article 20 GDPR
2023-05-30T11:39:18Z
<p>AK: /* Decisions */</p>
<hr />
<div><br />
<br />
==Legal Text==<br />
<br /><center>'''Article 20 - Right to data portability'''</center><br />
<br />
<span id="1">1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:</span><br />
<br />
::<span id="1a">(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and</span><br />
<br />
::<span id="1b">(b) the processing is carried out by automated means.</span><br />
<br />
<span id="2">2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.</span><br />
<br />
<span id="3">3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.</span><br />
<br />
<span id="4">4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/68 GDPR}}{{Recital/73 GDPR}}{{Recital/156 GDPR}}<br />
<br />
==Commentary==<br />
<br />
The right to data portability empowers data subjects to receive a copy of their data in a structured, commonly used, and machine-readable format. They can then decide what they want to do with this data, and either store it on their computer, send it or have it sent to a third party. The recipients of this data are not limited to providers that offer similar or comparable services, as the right to portability can be exercised with any controller data subjects choose within the conditions specified below.<ref>The purpose of the right to data portability is to give data subjects more control over their personal data by granting them a certain type of "ownership". Regulators’ objective was to increase competition on the market by allowing for the free movement of data between providers. Data portability is especially relevant in cases when one controller offers a higher level of protection of personal data than another within the same industry sector or across sectors.</ref> <br />
===(1) Right to data portability===<br />
<br />
Data subjects have the right to request and obtain a copy of any personal data they have provided to the controller and which is processed on the basis of consent or contract. The data must be structured in an accessible and intelligible manner, so that both the data subject and any controller that later receives it can understand and make use of it. <blockquote><u>EDPB</u>: Take, for instance, a scenario where a data subject desires to obtain his/her present playlist or a log of listened tracks from a music streaming service. This could be for the purpose of ascertaining the number of times specific tracks were played, or for identifying which music to buy or listen to on an alternate platform. Correspondingly, the data subject may seek to retrieve his/her contact list from a webmail application, perhaps to compile a wedding list, track purchases made with various loyalty cards, or evaluate his/her carbon footprint.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
==== Right to receive ====<br />
The request for data portability does not differ much from the request for access, at least in terms of the necessary steps to carry it out.<ref>However, it is always important to keep these two rights distinct. The right of access enables individuals to obtain information about the processing and a copy of the personal data held by the controller, in order to ensure transparency and allow for further actions by the data subject. On the other hand, data portability has a distinct economic feature. It allows for a copy of the data - which is also different and more limited than that under Article 15 - to be obtained, and the possibility to send such a dataset to another controller for similar or different purposes (i.e., essentially a competitor). In any case, a request must be made, even electronically. The controller must facilitate the request, including the authentication of the data subject (Article 12(2) GDPR). Obstructive practices in this area not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating real anti-competitive phenomena or "lock-in" effects.</ref> The controller must facilitate the request, including the authentication phase (Article 12(2) GDPR). Obstructive practices in this area will not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating anti-competitive phenomena or "lock-in" effects.<br />
<br />
As for the rest, the general rules set out in Article 12 apply. Article 12(3) requires that the data controller provides “''information on action taken''” to the data subject “''without undue delay''” and in any event “''within one month of receipt of the request''”. As usual, the one month period can be extended to a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.<blockquote><u>EDPB</u>: To meet user expectations, it is a good practice to define the timeframe in which a data portability request can typically be answered and communicate this to data subjects. Data controllers who refuse to answer a portability request shall, pursuant to Article 12(4), inform the data subject of “''the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy''”, no later than one month after receiving the request.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 14-15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
===== Modalities to provide the data =====<br />
Data controllers should consider two distinct but complementary options for providing portable data to data subjects or other controllers. The first option is a direct transmission of the complete dataset or specific parts of it. The second option is an automated tool that allows for the extraction of relevant data. For complex and large datasets, the second option may be preferred as it minimizes risks and allows for the use of data synchronization mechanisms. Making portable data available through various secure means such as messaging, SFTP servers, or secured WebAPI/WebPortal would enable data subjects to use personal data stores or other trusted third parties to hold and manage their personal data. This would also reduce privacy risks for the initial data controller and promote compliance for the new data controller.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 16 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Personal data concerning him or her ====<br />
A data portability request only applies to personal data concerning the data subject. Pseudonymous data is within the scope if the corresponding identifier is provided by the subject (as per Article 11(2) GDPR). Any data that is anonymous or not related to the data subject is not included. <blockquote><u>EDPB</u>: For instance, call records in a subscriber's account history may include details of third parties, but subscribers should still be able to obtain such records in response to portability requests since they are also concerning the data subject. Nevertheless, new data controllers who receive such records should not process them in any way that would adversely affect the rights and freedoms of the third parties involved.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 9 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
==== Provided to a controller ====<br />
Article 20 specifies that only personal data "''provided''" by the data subject is covered by the right. This includes data that the user knowingly and actively provides, such as their name and mailing address,<ref>The data "''provided''" is the data that was actively given to the controller (e.g. photos uploaded to the service) or which was "''observed''" by a controller (e.g. activity logs, food preferences). This definition also includes data that has been transferred to the controller in the context of the exercise of the right to data portability. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> as well as, according to the EDPB, data that is "''observed''" from the user's activity, such as their search history or location data. <blockquote><u>EDPB</u>: Inferred data and derived data are created by the data controller on the basis of the data “''provided by the data subject''”. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules) cannot in themselves be considered as “''provided by''” the data subject. Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as “''provided by the data subject''” and thus will not be within scope of this new right.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote>There is, however, a doctrinal debate on whether "observed data" falls within the scope of portability at all; one argument for a restrictive reading is to limit the data to be provided to what is necessary for offering a comparable service. In any event, inferred or derived data, which the controller itself creates from the data provided by the data subject, is not covered by the right to data portability.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 20 GDPR, margin number 13 (C.H. Beck 2018, 2nd Edition).</ref> This is one of the most notable differences between portability and the right of access under Article 15(3) GDPR.<br />
<br />
==== In a structured, commonly used and machine-readable format ====<br />
According to Recital 68, the data should be available in an "''interoperable format''", which data controllers "''should be encouraged to develop''". In turn, "''interoperable''" refers to the ability of disparate and diverse organisations to "''interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems''."<ref>The WP29 defines interoperability as the "''capability to communicate, execute programs, or transfer data among various functional units in a manner that requires the user to have little or no knowledge of the unique characteristics of those units''". EDPB, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 17 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> <br />
<br />
According to Article 20(1) GDPR the data should be provided to the data subject in a "''structured, commonly used and machine-readable format''". Beyond this requirement, the GDPR does not call for a specific format to be used. The terms “''structured''”, “''commonly used''” and “''machine-readable''” are a set of minimal requirements that should facilitate the "''interoperability''" of the data format provided by the data controller.<ref>In that way, “''structured, commonly used and machine readable''” are specifications for the means, whereas interoperability is the desired outcome.</ref> Formats subject to costly licensing constraints are not considered "''commonly used''". The personal data provided should have a high level of abstraction from any internal or proprietary format, and metadata should be used to describe the exchanged information accurately.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref> <br />
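The scoping rules above (provided and observed data in, inferred data out) and the format requirements (structured, machine-readable, self-describing through metadata) are easiest to get right when they are enforced in code rather than by hand-picked field lists. The following is an added example written for this commentary; it is not code from GDPRhub, the EDPB or any controller, and the GDPR prescribes no particular export format. The field catalogue, the sample record, the JSON envelope layout and the controller name are all constructed assumptions for illustration. The example tags every stored attribute with its provenance, fails closed on untagged fields, supports the restrictive reading that excludes observed data, and emits deterministic JSON with a SHA-256 digest the receiving controller can check after transmission.

```python
import hashlib
import json
from datetime import datetime, timezone

# Provenance categories. Article 20 covers data the subject "provided"; the
# EDPB reads that as actively provided plus observed data, while inferred or
# derived data stays out of scope (it remains reachable via Article 15).
PROVIDED = "provided"
OBSERVED = "observed"
INFERRED = "inferred"

# Hypothetical field catalogue (an assumption for this example): every
# attribute the controller stores is tagged once with its provenance, so the
# export is driven by policy rather than by an ad hoc list of fields.
FIELD_CATALOGUE = {
    "name": PROVIDED,
    "email": PROVIDED,
    "uploaded_photo_ids": PROVIDED,
    "search_history": OBSERVED,
    "location_pings": OBSERVED,
    "credit_score": INFERRED,
    "churn_risk_segment": INFERRED,
}

# Constructed sample record for one subject (not real data).
SAMPLE_RECORD = {
    "name": "Ada Example",
    "email": "ada@example.invalid",
    "uploaded_photo_ids": ["p-1001", "p-1002"],
    "search_history": ["gdpr article 20", "sftp client"],
    "location_pings": [{"ts": "2024-01-01T10:00:00Z", "lat": 48.1, "lon": 11.6}],
    "credit_score": 712,
    "churn_risk_segment": "high",
}


def select_portable_fields(record, catalogue, include_observed=True):
    """Split a record into in-scope data and excluded (out-of-scope) fields.

    include_observed=False implements the restrictive reading discussed in the
    commentary, exporting only actively provided data.
    """
    in_scope = {PROVIDED, OBSERVED} if include_observed else {PROVIDED}
    portable, excluded = {}, []
    for field, value in record.items():
        category = catalogue.get(field)
        if category is None:
            # Fail closed: an untagged field must be classified by a human
            # before it may leave the system; it is never exported silently.
            raise ValueError(f"field {field!r} has no provenance tag")
        if category in in_scope:
            portable[field] = value
        else:
            excluded.append(field)
    return portable, excluded


def build_export(record, catalogue, subject_id, controller="example-controller",
                 generated_at=None, include_observed=True):
    """Build a self-describing export: the data plus metadata about each field."""
    data, excluded = select_portable_fields(record, catalogue, include_observed)
    if generated_at is None:
        generated_at = datetime.now(timezone.utc).isoformat()
    return {
        "format": "portability-export",  # envelope name is an assumption
        "format_version": "1.0",
        "generated_at": generated_at,
        "controller": controller,
        "subject_id": subject_id,
        # Field-level metadata lets a receiving controller map the data
        # without knowing the sender's internal schema.
        "fields": [
            {"name": name, "provenance": catalogue[name], "type": type(value).__name__}
            for name, value in data.items()
        ],
        "data": data,
        "excluded_out_of_scope_fields": excluded,
    }


def serialize(export):
    """Deterministic UTF-8 JSON plus a SHA-256 digest for the receiver.

    sort_keys makes the bytes reproducible, so a digest sent alongside (or out
    of band) lets the receiving controller verify the transfer arrived intact.
    It complements, and does not replace, transport security such as TLS/SFTP.
    """
    body = json.dumps(export, sort_keys=True, indent=2, ensure_ascii=False).encode("utf-8")
    return body, hashlib.sha256(body).hexdigest()


if __name__ == "__main__":
    export = build_export(SAMPLE_RECORD, FIELD_CATALOGUE, "subject-42")
    body, digest = serialize(export)
    print(body.decode("utf-8"))
    print("sha256:", digest)
```

Running the block prints the JSON envelope for the sample subject without the two inferred fields and the digest of those bytes. The same catalogue can serve an Article 15 access export by widening the in-scope set, which keeps the two rights distinct in code as the commentary requires them to be in practice.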
<br />
Industry stakeholders and trade associations are encouraged to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. The Commission has published a Communication on "''ICT Standardisation Priorities for the Digital Single Market''", which may be used as a basis on which to develop standards for the purposes of data portability.<ref>EU Commission Communication on ICT Standardisation Priorities for the Digital Single Market (Available [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0176 here]).</ref> <br />
<br />
==== and the right to transmit (the data to another controller) ====<br />
The right to data portability, as outlined in Article 20(1), enables data subjects to transmit their personal data from one controller to another "without hindrance". This goes beyond simply obtaining and reusing a copy of the data: individuals can move their data to another service provider, whether or not that provider operates in the same sector. By preventing "lock-in" situations, data portability empowers consumers and is expected to foster innovation and the secure sharing of personal data between controllers, under the control of the data subject. It can also improve the services offered to users by enabling the controlled and limited transfer and reuse of personal data among the various services of interest to them.<br />
<br />
==== Without hindrance (from the first controller) ====<br />
Article 20(1) GDPR guarantees that data subjects can transmit their data to another controller without hindrance from the controller to which the personal data were provided. A hindrance is any legal, technical or financial obstacle that the controller puts in place to prevent or slow down access to, transmission of, or reuse of the data by the data subject or by another controller. <br />
<br />
Examples of such impediments include charges for data delivery, a lack of interoperability or of access to a data format or API, excessive delays or complexity in retrieving the complete dataset, the intentional concealment of the dataset, or sector-specific standards or accreditation demands that are undue or excessive. The WP29 recommends that data controllers offer the data subject several options: for instance, data subjects should be able both to download the data directly and to have it transmitted directly to another controller, which could be implemented by making an application programming interface ('API') available.<ref>Cormack expresses doubts regarding the viability of this solution, noting that many organisations will hold their data on internal databases that are securely firewalled from internet access as opposed to APIs. Without standards leading to interoperability, the right to data portability may "''remain more a declaration of principle than a real and effective tool for individual self-determination in the digital environment''". See, ''Lynskey'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 20 GDPR, p. 505 (Oxford University Press 2020).</ref><br />
<br />
At the same time, the sending controller must put in place safeguards ensuring that it genuinely acts on behalf of the data subject. One such safeguard is a procedure that verifies that only the specific personal data the data subject wants to transmit are actually transmitted. This verification could take the form of a confirmation obtained from the data subject either immediately before the transmission or at an earlier stage, such as when consent to the processing is given or the contract is concluded.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Where these conditions cumulatively apply ====<br />
The right to data portability only applies if (i) the data subject has consented to the processing, or the data are processed for the performance of a contract between the data subject and the controller, and, in both cases, (ii) the data are processed by automated means.<ref>For example, data which are only available on paper and processed manually fall outside the scope of data portability.</ref><br />
<br />
===== (i) Processing is based on either consent or contract =====<br />
The right to data portability, as per Article 20(1)(a), is only applicable when the processing of personal data by the controller is based on the data subject's consent in accordance with Article 6(1)(a), on consent to the processing of special categories of personal data in accordance with Article 9(2)(a), or on a contract in accordance with Article 6(1)(b) to which the data subject is a party. Recital 68 specifically highlights that the right to data portability should not apply if the processing is carried out on a legal basis other than the data subject's consent or a contract. Consequently, personal data processed on the basis of the controller's legitimate interests under Article 6(1)(f) are not covered by the right under Article 20 GDPR.<ref>However, according to the WP29, it is a good practice to address portability requests also in such cases that do not explicitly provide for a general right to data portability, i.e. when processing is based on the legitimate interests or for the performance of a task carried out in the public interest. See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p. 8 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref><br />
<br />
===== (ii) Processing is carried out by automated means =====<br />
The right to data portability under Art. 20(1)(b) only applies to processing that is conducted through automated means. This condition is generally met for internet service providers, but not for non-automated processing of personal data, such as data stored on structured index cards or in non-structured files. This limitation alleviates the controller's burden of converting non-machine-readable records into machine-readable data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 13 (Beck 2020, 3rd edition).</ref><br />
<br />
===(2) Right to have personal data directly transmitted to another controller===<br />
Article 20(2) introduces the right for data subjects to request that their personal data be transmitted directly from the first controller<ref>Controllers that address portability requests ("''sending controllers''") act on behalf of a data subject and are responsible for providing prior information about the right’s existence (e.g. in the privacy notice) and clearly explaining the difference between the right of access and the right to data portability; processing the request without undue delay, within 1 month (up to 3 months); carrying out authentication; setting safeguards to ensure they genuinely act on the data subject’s behalf (e.g. ensure that they transmit the exact type of personal data that the data subject wants to receive); in light of the principles set forth in [https://gdprhub.eu/Article%205%20GDPR Article 5(1) GDPR], ensuring that the data transmitted is accurate and up to date; and, taking all necessary security measures for transmissions. The sending controllers are, however, not responsible for the processing handled by the data subject or by another company receiving personal data. 
In this respect, "''the data controller is not responsible for compliance of the receiving data controller with data protection law, considering that it is not the sending data controller that chooses the recipient".'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> to a second one.<ref>Data controllers that receive portability requests ("''receiving controllers''") have an obligation to "''clearly and directly''" state the purpose of the new processing before they accept the request in accordance with the transparency requirements set out in [https://gdprhub.eu/Article%2014%20GDPR Article 14 GDPR]; process the request without undue delay, within 1 month (up to 3 months); ensure that the data they accept is relevant and not excessive for the intended data processing; delete the personal data which are not necessary to achieve the purpose of the new processing as soon as possible. The receiving controllers can decide whether to accept and process data from a portability request.</ref> This request, in line with the principle of facilitation, spares the data subject the burden of receiving the data and then sending it on to the intended controller. The request can be typically fulfilled through automated transmission, such as an application programming interface (API) that allows for data transfer to other systems implementing the same API. Therefore, it suffices if the data subject is given the opportunity to initiate the transfer by selecting a field labeled "''Transfer of data to another provider''" choosing a provider, selecting the data to be transferred, and clicking on a corresponding field to initiate the automated transfer.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 25 (Beck 2020, 3rd edition).</ref> <br />
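The two practical points made above, that the data subject selects what is transferred and that the sending controller verifies it transmits exactly that and nothing else, can be illustrated in code. The following Python sketch is an added example; it is not part of this commentary, of the WP29 guidelines, or of any real controller's portability system. It builds an export limited to the categories the data subject selected and to what Article 20(1) covers (consent or contract as legal basis, automated processing, data provided by the data subject), records why anything was left out so the controller can explain the scope, and then runs the confirmation check. The export schema, the legal-basis tags, the category names and the sample records are all hypothetical.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical tags for lawful bases as recorded in the controller's records of
# processing. Only the three bases named in Article 20(1)(a) GDPR are portable.
PORTABLE_BASES = {
    "art6_1_a_consent",
    "art9_2_a_explicit_consent",
    "art6_1_b_contract",
}


@dataclass
class Category:
    """One category of personal data held about a data subject (hypothetical schema)."""
    name: str                  # e.g. "contacts", "playlists"
    legal_basis: str           # tag from the controller's records of processing
    provided_by_subject: bool  # Article 20 covers only data the subject "provided"
    automated: bool = True     # Article 20(1)(b): processing by automated means
    items: list = field(default_factory=list)


def build_portability_export(subject_id: str, categories: list, selected: set):
    """Build a structured, machine-readable export limited to what the data
    subject selected and to what Article 20(1) covers.

    Returns (export, excluded). `excluded` lists every category left out and
    the reason, so the controller can explain the scope to the data subject
    (Article 12(4) requires reasons whenever action is not taken).
    """
    exported = {}
    excluded = []
    for cat in categories:
        if cat.name not in selected:
            excluded.append((cat.name, "not selected by the data subject"))
        elif cat.legal_basis not in PORTABLE_BASES:
            excluded.append((cat.name, f"legal basis '{cat.legal_basis}' is outside Article 20(1)(a)"))
        elif not cat.automated:
            excluded.append((cat.name, "not processed by automated means (Article 20(1)(b))"))
        elif not cat.provided_by_subject:
            excluded.append((cat.name, "not provided by the data subject (derived/inferred data)"))
        else:
            exported[cat.name] = cat.items

    export = {
        # Metadata describing the exchanged information (WP242: describe the
        # data accurately, abstracted from the controller's internal format).
        "metadata": {
            "schema": "example-portability-export/1.0",  # hypothetical identifier
            "data_subject_id": subject_id,
            "exported_at": datetime.now(timezone.utc).isoformat(),
            "categories": sorted(exported),
            "legal_basis": {c.name: c.legal_basis for c in categories if c.name in exported},
        },
        "data": exported,
    }
    return export, excluded


def verify_export_scope(export: dict, selected: set) -> dict:
    """The confirmation step the WP29 asks sending controllers to perform:
    nothing outside the data subject's selection may be transmitted, and any
    selected category that could not be included is reported back."""
    present = set(export["data"])
    return {
        "ok": present <= selected,
        "unexpected": sorted(present - selected),
        "missing": sorted(selected - present),
    }


def serialise(export: dict) -> str:
    """JSON: commonly used, machine-readable, and free of licensing constraints."""
    return json.dumps(export, indent=2, ensure_ascii=False, sort_keys=True)


# Constructed sample data for a fictional streaming/webmail account.
SAMPLE_CATEGORIES = [
    Category("contacts", "art6_1_b_contract", True, items=[{"name": "A. Example", "email": "a@example.org"}]),
    Category("playlists", "art6_1_a_consent", True, items=[{"title": "Running", "tracks": 42}]),
    Category("listening_profile", "art6_1_f_legitimate_interest", False, items=[{"genre_affinity": 0.8}]),
    Category("paper_forms", "art6_1_b_contract", True, automated=False, items=["scan_001.pdf"]),
]
SAMPLE_SELECTION = {"contacts", "playlists", "listening_profile"}


if __name__ == "__main__":
    export, excluded = build_portability_export("subject-123", SAMPLE_CATEGORIES, SAMPLE_SELECTION)
    print(serialise(export))
    for name, reason in excluded:
        print(f"excluded {name}: {reason}")
    print(verify_export_scope(export, SAMPLE_SELECTION))
```

Run as a script, the export contains only `contacts` and `playlists`: `listening_profile` is selected but rests on legitimate interests and is derived rather than provided, and `paper_forms` was not selected (it would also fail the automated-means condition). The `missing` list from the verification step is what the controller would feed into its explanation to the data subject under Article 12(4).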
==== Where technically feasible ====<br />
If the controller has not set up automated data transmission, it is still required to comply with Article 20(2) to the extent that direct transmission is "''technically feasible''".<ref>It should be noted that the "''where technically feasible''" safeguard clause only applies to the direct transmission from one controller to another under paragraph 2. Therefore, it does not apply to the scenario outlined in paragraph 1 where the data subject directly requests to receive the data. Such requests shall always be fulfilled, regardless of technical reasons.</ref> Recital 68 states that the controller is not required to adopt or maintain technically compatible data processing systems. Therefore, the technical feasibility of direct data transfer depends primarily on the existing technical capabilities of the controller. However, according to Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights, including the right to data portability. As such, the data subject may request reasonable cooperation from the controller, such as adapting data transmission formats, to carry out the intended portability.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 27 (Beck 2020, 3rd edition).</ref> <blockquote><u>EDPB</u>: Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Direct transmission from one data controller to another could therefore occur when communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data. 
If technical impediments prohibit direct transmission, the data controller shall explain those impediments to the data subjects, as his decision will otherwise be similar in its effect to a refusal to take action on a data subject’s request (Article 12(4)).<ref>WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
===(3) Other conditions===<br />
The first sentence of Article 20(3) GDPR clarifies that exercising the right to data portability is without prejudice to the other rights under the GDPR. Thus, if data subjects want their data deleted from the controller's systems (right to erasure under [[Article 17 GDPR]]), the controller cannot refuse erasure on the ground that a data portability request has been made.<br />
<br />
The second sentence excludes the right to data portability where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This exception corresponds to the legal basis in Article 6(1)(e) GDPR. In such cases, a public authority acting under public law is not required to provide data portability.<br />
===(4) Rights of third parties===<br />
In accordance with Paragraph 4, the right to data portability must not infringe upon the rights and freedoms of others, including both individuals and legal entities. When data is transferred with reference to a third party, such as transaction data from a current account agreement or data from the use of a webmail service, the rights and freedoms of others are generally not affected if the new provider uses the data solely under the control of the data subject and for the same purposes as before.<ref>The portability request should not include any third party data if there is a likelihood that the new processing will adversely affect the rights and freedoms of the other data subjects. ''"Such an adverse effect would occur, for instance, if the transmission of data from one data controller to another, would prevent third parties from exercising their rights as data subjects under the GDPR."'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 11 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> However, data transmission may be restricted by trade secrets, business secrets, or copyrights, such as those pertaining to software, if there is a specific risk of harm resulting from the transmission. Controllers cannot refuse to transfer data based solely on the possibility of such legally protected interests being infringed; instead, they must seek ways to transfer the data in a manner that avoids the disclosure of legally protected secrets.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 20 GDPR, margin number 18 (C.H. Beck 2019).</ref><br />
<br />
==Relevance of other legislation==<br />
It is important to refer to the interplay of the right to data portability with the proposed or adopted legislation under the umbrella of the EU digital strategy<ref>European Commission, 'A Europe fit for the digital age' (available [https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_en here])</ref>. The Digital Markets Act (DMA)<ref>Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (Text with EEA relevance) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925 here]).</ref> imposes a new obligation on "gatekeepers" that enhances the right to data portability. According to Article 6(9) DMA, gatekeepers shall provide an end user and third parties authorised by an end user with effective portability of data provided by the end user or generated through their activity through use of the gatekeeper’s core platform services (CPSs), including by the provision of continuous and real-time access to such data. Recital 59 DMA clarifies that this obligation on the gatekeeper complements the right to data portability under the GDPR.<br />
<br />
Further, the proposed EU Data Act,<ref>Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN here]).</ref> which is intended to give users of connected devices access to the data those devices generate, reinforces the right to data portability by obliging "data holders" to make such data available (Article 5). At the time of writing of this Commentary, the Data Act proposal is in trilogue negotiations between the EU institutions (the Commission, the European Parliament and the Council). <br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 20 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
AK
https://gdprhub.eu/index.php?title=Article_20_GDPR&diff=32988
Article 20 GDPR
2023-05-30T10:29:30Z
<p>AK: /* Provided to a controller */</p>
<hr />
<div>
<br />
==Legal Text==<br />
<br /><center>'''Article 20 - Right to data portability'''</center><br />
<br />
<span id="1">1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:</span><br />
<br />
::<span id="1a">(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and</span><br />
<br />
::<span id="1b">(b) the processing is carried out by automated means.</span><br />
<br />
<span id="2">2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.</span><br />
<br />
<span id="3">3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.</span><br />
<br />
<span id="4">4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/68 GDPR}}{{Recital/73 GDPR}}{{Recital/156 GDPR}}<br />
<br />
==Commentary==<br />
<br />
The right to data portability empowers data subjects to receive a copy of their data in a structured, commonly used, and machine-readable format. They can then decide what they want to do with this data, and either store it on their computer, send it or have it sent to a third party. The recipients of this data are not limited to providers that offer similar or comparable services, as the right to portability can be exercised with any controller data subjects choose within the conditions specified below.<ref>The purpose of the right to data portability is to give data subjects more control over their personal data by granting them a certain type of "ownership". Regulators’ objective was to increase competition on the market by allowing for the free movement of data between providers. Data portability is especially relevant in cases when one controller offers a higher level of protection of personal data than another within the same industry sector or across sectors.</ref> <br />
===(1) Right to data portability===<br />
<br />
Data subjects have the right to request and obtain a copy of any personal data they have provided to the controller and which is processed on the basis of consent or contract. This information must be structured in an accessible and intelligible manner, so that both the data subject and any controller who may later receive it can understand and make use of it. <blockquote><u>EDPB</u>: Take, for instance, a scenario where a data subject desires to obtain his/her present playlist or a log of listened tracks from a music streaming service. This could be for the purpose of ascertaining the number of times specific tracks were played, or for identifying which music to buy or listen to on an alternate platform. Correspondingly, the data subject may seek to retrieve his/her contact list from a webmail application, perhaps to compile a wedding list, track purchases made with various loyalty cards, or evaluate his/her carbon footprint.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
==== Right to receive ====<br />
The request for data portability does not differ much from the request for access, at least in terms of the necessary steps to carry it out.<ref>However, it is always important to keep these two rights distinct. The right of access enables individuals to obtain information about the processing and a copy of the personal data held by the controller, in order to ensure transparency and allow for further actions by the data subject. The right to data portability, on the other hand, has a distinct economic feature: it allows for a copy of the data, which is also different from and more limited than that under Article 15, to be obtained, and for such a dataset to be sent to another controller (essentially a competitor) for similar or different purposes. In any case, a request must be made, which can also be done electronically.</ref> The controller must facilitate the request, including the authentication phase (Article 12(2) GDPR). Obstructive practices in this area not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating anti-competitive phenomena or "lock-in" effects.<br />
<br />
Otherwise, the general rules set out in Article 12 apply. Article 12(3) requires that the data controller provides “''information on action taken''” to the data subject “''without undue delay''” and in any event “''within one month of receipt of the request''”. As usual, the one-month period can be extended to a maximum of three months for complex cases, provided that the data subject has been informed of the reasons for the delay within one month of the original request.<blockquote><u>EDPB</u>: To meet user expectations, it is a good practice to define the timeframe in which a data portability request can typically be answered and communicate this to data subjects. Data controllers who refuse to answer a portability request shall, pursuant to Article 12(4), inform the data subject of “''the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy''”, no later than one month after receiving the request.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 14-15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
===== Modalities to provide the data =====<br />
Data controllers should consider two distinct but complementary options for providing portable data to data subjects or other controllers. The first option is a direct transmission of the complete dataset or specific parts of it. The second option is an automated tool that allows for the extraction of relevant data. For complex and large datasets, the second option may be preferred as it minimizes risks and allows for the use of data synchronization mechanisms. Making portable data available through various secure means such as messaging, SFTP servers, or secured WebAPI/WebPortal would enable data subjects to use personal data stores or other trusted third parties to hold and manage their personal data. This would also reduce privacy risks for the initial data controller and promote compliance for the new data controller.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 16 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Personal data concerning him or her ====<br />
A data portability request only applies to personal data concerning the data subject. Pseudonymous data is within the scope if the corresponding identifier is provided by the subject (as per Article 11(2) GDPR). Any data that is anonymous or not related to the data subject is not included. <blockquote><u>EDPB</u>: For instance, call records in a subscriber's account history may include details of third parties, but subscribers should still be able to obtain such records in response to portability requests since they are also concerning the data subject. Nevertheless, new data controllers who receive such records should not process them in any way that would adversely affect the rights and freedoms of the third parties involved.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 9 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
==== Provided to a controller ====<br />
Article 20 specifies that only personal data "''provided''" by the data subject is covered by the right. This includes data that the user knowingly and actively provides, such as their name and mailing address,<ref>The data "''provided''" is the data that was actively given to the controller (e.g. photos uploaded to the service) or which was "''observed''" by a controller (e.g. activity logs, food preferences). This definition also includes data that has been transferred to the controller in the context of the exercise of the right to data portability. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> as well as, according to the EDPB, data that is "''observed''" from the user's activity, such as their search history or location data. <blockquote><u>EDPB</u>: Inferred data and derived data are created by the data controller on the basis of the data “''provided by the data subject''”. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules) cannot in themselves be considered as “''provided by''” the data subject. Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as “''provided by the data subject''” and thus will not be within scope of this new right.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote>It should be noted, however, that there is a doctrinal debate as to whether "observed data" falls within the scope of portability at all: one argument for a restrictive reading is that the right should cover only the types of data necessary to offer a comparable service. Inferred or derived data, which the controller creates on the basis of the data provided by the data subject, is in any event not covered by the right to data portability.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 20 GDPR, margin number 13 (C.H. Beck 2018, 2nd Edition).</ref> This is one of the most notable differences between portability and access under Article 15(3) GDPR.<br />
<br />
==== In a structured, commonly used and machine-readable format ====<br />
According to Recital 68, the data should be available in an "''interoperable format''", which data controllers "''should be encouraged to develop''". In turn, "''interoperable''" refers to the ability of disparate and diverse organisations to "''interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems''."<ref>The WP29 defines interoperability as the "''capability to communicate, execute programs, or transfer data among various functional units in a manner that requires the user to have little or no knowledge of the unique characteristics of those units''". EDPB, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 17 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> <br />
<br />
According to Article 20(1) GDPR the data should be provided to the data subject in a "''structured, commonly used and machine-readable format''". Beyond this requirement, the GDPR does not call for a specific format to be used. The terms “''structured''”, “''commonly used''” and “''machine-readable''” are a set of minimal requirements that should facilitate the "''interoperability''" of the data format provided by the data controller.<ref>In that way, “''structured, commonly used and machine readable''” are specifications for the means, whereas interoperability is the desired outcome.</ref> Formats subject to costly licensing constraints are not considered "''commonly used''". The personal data provided should have a high level of abstraction from any internal or proprietary format, and metadata should be used to describe the exchanged information accurately.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref> <br />
<br />
Industry stakeholders and trade associations are encouraged to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. The Commission has published a Communication on "''ICT Standardisation Priorities for the Digital Single Market''", which may be used as a basis on which to develop standards for the purposes of data portability.<ref>EU Commission Communication on ICT Standardisation Priorities for the Digital Single Market (Available [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0176 here]).</ref> <br />
<br />
==== and the right to transmit (the data to another controller) ====<br />
The right to data portability, as outlined in Article 20(1), enables data subjects to transmit their personal data from one data controller to another "without hindrance". This goes beyond the ability to simply obtain and reuse personal data: individuals can transfer their data to another service provider, regardless of whether it operates in the same sector or not. By preventing "lock-in" situations, data portability empowers consumers and is expected to foster innovation and the secure sharing of personal data between controllers under the control of the data subject. It can also improve the user's experience by enabling the controlled and limited sharing of personal data between organisations, facilitating the transfer and reuse of personal data among the various services of interest to the user.<br />
<br />
==== Without hindrance (from the first controller) ====<br />
Article 20(1) GDPR guarantees that individuals have the right to transfer their data to another controller without facing any obstruction from the initial controller to which the personal data were provided. Such impediments can be identified as any legal, technical, or financial barriers that the data controller sets up to prevent or hinder the data subject's or another data controller's access to, transmission of, or reuse of the data. <br />
<br />
Examples of such impediments include charges for data delivery, a lack of interoperability or access to a data format or API, excessive delays or complexity in retrieving the complete dataset, the intentional concealment of the dataset, or sector-specific standards or accreditation demands that are undue or excessive. The WP29 recommends that data controllers offer several options to the data subject. They suggest, for instance, that data subjects should be offered an opportunity to directly download the data as well as to transmit it directly to another data controller, and that this could be implemented by making an Application Programming Interface ('API') available.<ref>Cormack expresses doubts regarding the viability of this solution, noting that many organisations will hold their data on internal databases that are securely firewalled from internet access as opposed to APIs. Without standards leading to interoperability, the right to data portability may "''remain more a declaration of principle than a real and effective tool for individual self-determination in the digital environment''". See, ''Lynskey'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 20 GDPR, p. 505 (Oxford University Press 2020).</ref><br />
<br />
Simultaneously, the data controller must implement measures to ensure that they are truly representing the interests of the data subject. One way to achieve this is by instituting protocols to verify that only the specific personal data that the data subject wants to transmit is actually being transmitted. This verification process could involve obtaining confirmation from the data subject either prior to transmission, or at an earlier stage such as when they provide initial consent for processing or finalize the contract.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Where these conditions cumulatively apply ====<br />
The right to data portability only applies if (i) the individual has either consented to the processing or the data is processed for the performance of a contract between the data subject and the controller and, in both cases, (ii) the data is processed by automated means.<ref>For example, data which is only available on paper and processed manually falls outside the scope of data portability.</ref><br />
<br />
===== (i) Processing is based on either consent or contract =====<br />
The right to data portability, as per Article 20(1)(a), is only applicable when the processing of personal data by the controller is based on the data subject's consent in accordance with Article 6(1)(a), consent to the processing of special categories of personal data in accordance with Article 9(2)(a), or a contract in accordance with Article 6(1)(b) to which the data subject is a party. Recital 68 specifically highlights that the right to data portability should not apply if the processing is carried out on a legal basis other than the data subject's consent or a contract. Consequently, personal data processed on the basis of the controller's legitimate interests in accordance with Article 6(1)(f) is not covered by the right under Article 20 GDPR.<ref>However, according to the WP29, it is a good practice to address portability requests also in such cases that do not explicitly provide for a general right to data portability, i.e. when processing is based on the legitimate interests or for the performance of a task carried out in the public interest. See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p. 8 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref><br />
<br />
===== (ii) Processing is carried out by automated means =====<br />
The right to data portability under Art. 20(1)(b) only applies to processing that is conducted through automated means. This condition is generally met for internet service providers, but not for non-automated processing of personal data, such as data stored on structured index cards or in non-structured files. This limitation alleviates the controller's burden of converting non-machine-readable records into machine-readable data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 13 (Beck 2020, 3rd edition).</ref><br />
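The scoping rules set out above (data "provided" or "observed" but not inferred; processing based on consent or contract; automated processing; a "structured, commonly used and machine-readable" format with descriptive metadata; transmitting only the data the subject actually selected; flagging records that also concern third parties) are what an engineer implementing a portability export has to encode. The following is an added example written for this page; it is not code from GDPRhub, the EDPB or any controller. The labelling scheme (a provenance, legal basis, automation flag and third-party flag on every stored field), the controller name "Streamify Ltd", the schema name "portability-export/1.0" and the sample account record are all assumptions constructed for illustration.<br />

```python
"""Added example, not code from GDPRhub, the EDPB or any controller: selecting the
data that falls under Article 20 GDPR from a controller's internal record and
emitting it as a structured, machine-readable export with descriptive metadata.

Assumed labelling scheme (an illustration, not a GDPR or EDPB requirement): every
stored field carries a provenance ("provided", "observed", "inferred"), the legal
basis it is processed under, whether processing is automated, and whether the
value also refers to third parties."""
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Iterable, Optional


@dataclass(frozen=True)
class Field:
    name: str
    value: Any
    provenance: str          # "provided" | "observed" | "inferred"
    legal_basis: str         # "consent" | "contract" | "legitimate_interest" | "public_task"
    automated: bool = True   # Art. 20(1)(b): processing by automated means
    third_parties: bool = False   # value also contains data about other people
    description: str = ""


PORTABLE_PROVENANCE = {"provided", "observed"}   # EDPB reading of "provided by"
PORTABLE_BASES = {"consent", "contract"}         # Art. 20(1)(a)


def in_article_20_scope(f: Field) -> bool:
    """Art. 20(1): data the subject provided (incl. observed data), processed on
    consent or contract, by automated means. Inferred or derived data, other legal
    bases and manual records fall outside the right (an Art. 15 access copy may
    still reach them, which is why this check is kept separate)."""
    return (f.provenance in PORTABLE_PROVENANCE
            and f.legal_basis in PORTABLE_BASES
            and f.automated)


def select_portable(record: Iterable[Field],
                    requested: Optional[Iterable[str]] = None):
    """Return (chosen, rejected). Without a selection every in-scope field is
    chosen. If the subject named specific fields, only those are transmitted
    (the verification step the guidelines ask for) and names that are unknown or
    out of scope are reported back rather than silently dropped or included."""
    in_scope = {f.name: f for f in record if in_article_20_scope(f)}
    if requested is None:
        return list(in_scope.values()), []
    chosen, rejected = [], []
    for name in requested:
        if name in in_scope:
            chosen.append(in_scope[name])
        else:
            rejected.append(name)
    return chosen, rejected


def build_export(controller: str, subject_id: str, fields: Iterable[Field],
                 exported_at: Optional[datetime] = None) -> dict:
    """Envelope in a commonly used format (JSON) with metadata describing each
    field, decoupled from the controller's internal storage layout. Third-party
    data is flagged so the receiving controller can respect Art. 20(4)."""
    ts = exported_at or datetime.now(timezone.utc)
    return {
        "schema": "portability-export/1.0",   # hypothetical schema identifier
        "controller": controller,
        "subject_id": subject_id,
        "exported_at": ts.isoformat(),
        "basis_of_export": "Article 20 GDPR",
        "fields": [
            {"name": f.name, "value": f.value, "provenance": f.provenance,
             "legal_basis": f.legal_basis,
             "contains_third_party_data": f.third_parties,
             "description": f.description}
            for f in fields
        ],
    }


def export_json(export: dict) -> str:
    """Serialise deterministically (sorted keys) so two exports of the same
    data compare equal byte for byte."""
    return json.dumps(export, indent=2, sort_keys=True, ensure_ascii=False)


# Constructed sample record for a music-streaming account (not real data).
SAMPLE_RECORD = [
    Field("name", "Alice Example", "provided", "contract", description="account holder"),
    Field("email", "alice@example.org", "provided", "contract"),
    Field("play_log", [{"track": "t-1", "played_at": "2023-05-01T10:00:00Z"},
                       {"track": "t-2", "played_at": "2023-05-02T11:30:00Z"}],
          "observed", "contract", description="tracks listened to"),
    Field("contacts", ["bob@example.org"], "provided", "consent",
          third_parties=True, description="uploaded address book"),
    Field("taste_profile", {"genre": "jazz"}, "inferred", "contract"),      # derived: out
    Field("fraud_score", 0.12, "observed", "legitimate_interest"),           # Art. 6(1)(f): out
    Field("paper_signup_notes", "handwritten form", "provided", "contract",
          automated=False),                                                  # manual: out
]

if __name__ == "__main__":
    chosen, rejected = select_portable(SAMPLE_RECORD)
    print(export_json(build_export("Streamify Ltd (hypothetical)", "u-42", chosen)))
```

Run as a script, the export contains only the four in-scope fields (name, email, play_log, contacts); the inferred taste profile, the legitimate-interest fraud score and the manually processed notes are left out, and the contacts entry is marked as containing third-party data. The same selection logic would sit behind a direct controller-to-controller transfer under Article 20(2), with the ''requested'' list taken from what the data subject ticked before initiating the transfer.<br />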
<br />
===(2) Right to have personal data directly transmitted to another controller===<br />
Article 20(2) introduces the right for data subjects to request that their personal data be transmitted directly from the first controller<ref>Controllers that address portability requests ("''sending controllers''") act on behalf of a data subject and are responsible for providing prior information about the right’s existence (e.g. in the privacy notice) and clearly explaining the difference between the right of access and the right to data portability; processing the request without undue delay, within 1 month (up to 3 months); carrying out authentication; setting safeguards to ensure they genuinely act on the data subject’s behalf (e.g. ensure that they transmit the exact type of personal data that the data subject wants to receive); in light of the principles set forth in [https://gdprhub.eu/Article%205%20GDPR Article 5(1) GDPR], ensuring that the data transmitted is accurate and up to date; and, taking all necessary security measures for transmissions. The sending controllers are, however, not responsible for the processing handled by the data subject or by another company receiving personal data. In this respect, "''the data controller is not responsible for compliance of the receiving data controller with data protection law, considering that it is not the sending data controller that chooses the recipient".'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> to a second one.<ref>Data controllers that receive portability requests ("''receiving controllers''") have an obligation to "''clearly and directly''" state the purpose of the new processing before they accept the request in accordance with the transparency requirements set out in [https://gdprhub.eu/Article%2014%20GDPR Article 14 GDPR]; process the request without undue delay, within 1 month (up to 3 months); ensure that the data they accept is relevant and not excessive for the intended data processing; delete the personal data which are not necessary to achieve the purpose of the new processing as soon as possible. The receiving controllers can decide whether to accept and process data from a portability request.</ref> This request, in line with the principle of facilitation, spares the data subject the burden of receiving the data and then sending it on to the intended controller. The request can typically be fulfilled through automated transmission, such as an application programming interface (API) that allows for data transfer to other systems implementing the same API. It therefore suffices if the data subject is given the opportunity to initiate the transfer by selecting a field labeled "''Transfer of data to another provider''", choosing a provider, selecting the data to be transferred, and clicking on a corresponding field to initiate the automated transfer.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 25 (Beck 2020, 3rd edition).</ref> <br />
==== Where technically feasible ====<br />
If the provider has not established an automated data transmission, they may be required to comply with Article 20(2) to the extent that it is "''technically feasible''".<ref>It should be noted that the "''where technically feasible''" safeguard clause only applies to the direct transmission from one controller to another under paragraph 2. Therefore, it does not apply to the scenario outlined in paragraph 1 where the data subject directly requests to receive the data. Such requests shall always be fulfilled, regardless of technical reasons.</ref> Recital 68 states that the controller is not required to adopt or maintain technically compatible data processing systems. Therefore, the technical feasibility of direct data transfer is primarily dependent on the existing technical capabilities of the controller. However, according to Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights, including the right to data portability. As such, the data subject may request reasonable cooperation from the controller, such as adapting data transmission formats, to carry out the intended portability.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 27 (Beck 2020, 3rd edition).</ref> <blockquote><u>EDPB</u>: Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Direct transmission from one data controller to another could therefore occur when communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data. If technical impediments prohibit direct transmission, the data controller shall explain those impediments to the data subjects, as his decision will otherwise be similar in its effect to a refusal to take action on a data subject’s request (Article 12(4)).<ref>WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
===(3) Other conditions===<br />
The first sentence of Article 20(3) GDPR clarifies that the exercise of the right to data portability does not preclude the exercise of any other rights under the GDPR. Thus, if data subjects want to delete their data from the controller's system (right to erasure under [[Article 17 GDPR]]), the controller cannot justify its denial to erase such data because of the data portability request.<br />
<br />
The second sentence excludes the right to data portability where the processing is necessary for the controller to perform a task carried out in the public interest or in the exercise of official authority. This exception corresponds to the legal basis of Article 6(1)(e) GDPR. In such cases, a public administration operating under public law is not required to provide data portability.<br />
===(4) Rights of third parties===<br />
In accordance with paragraph 4, the right to data portability must not infringe upon the rights and freedoms of others, including both individuals and legal entities. When the transferred data also refer to a third party, such as transaction data from a current account agreement or data from the use of a webmail service, the rights and freedoms of others are generally not affected if the new provider uses the data solely under the control of the data subject and for the same purposes as before.<ref>The portability request should not include any third party data if there is a likelihood that the new processing will adversely affect the rights and freedoms of the other data subjects. ''"Such an adverse effect would occur, for instance, if the transmission of data from one data controller to another, would prevent third parties from exercising their rights as data subjects under the GDPR."'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 11 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> However, data transmission may be restricted by trade secrets, business secrets, or copyrights, such as those pertaining to software, if there is a specific risk of harm resulting from the transmission. Controllers cannot refuse to transfer data based solely on the possibility that such legally protected interests might be infringed; instead, they must seek ways to transfer the data in a manner that avoids the disclosure of legally protected secrets.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 20 GDPR, margin number 18 (C.H. Beck 2019).</ref><br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 20 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
AK
https://gdprhub.eu/index.php?title=Article_20_GDPR&diff=32987
Article 20 GDPR
2023-05-30T10:10:57Z
<p>AK: /* (1) Right to data portability */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 19 GDPR|←]] Article 20 - Right to data portability [[Article 21 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text==<br />
<br /><center>'''Article 20 - Right to data portability'''</center><br />
<br />
<span id="1">1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:</span><br />
<br />
::<span id="1a">(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and</span><br />
<br />
::<span id="1b">(b) the processing is carried out by automated means.</span><br />
<br />
<span id="2">2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.</span><br />
<br />
<span id="3">3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.</span><br />
<br />
<span id="4">4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/68 GDPR}}{{Recital/73 GDPR}}{{Recital/156 GDPR}}<br />
<br />
==Commentary==<br />
<br />
The right to data portability empowers data subjects to receive a copy of their data in a structured, commonly used, and machine-readable format. They can then decide what they want to do with this data, and either store it on their computer, send it or have it sent to a third party. The recipients of this data are not limited to providers that offer similar or comparable services, as the right to portability can be exercised with any controller data subjects choose within the conditions specified below.<ref>The purpose of the right to data portability is to give data subjects more control over their personal data by granting them a certain type of "ownership". Regulators’ objective was to increase competition on the market by allowing for the free movement of data between providers. Data portability is especially relevant in cases when one controller offers a higher level of protection of personal data than another within the same industry sector or across sectors.</ref> <br />
===(1) Right to data portability===<br />
<br />
Data subjects have the right to request and obtain a copy of any personal data they have provided to the controller and which is being processed on the basis of consent or a contract. This information must be structured in an accessible and intelligible manner, so that both the data subjects themselves and any controllers who may receive it in the future can understand and make use of it. <blockquote><u>EDPB</u>: Take, for instance, a scenario where a data subject desires to obtain his/her present playlist or a log of listened tracks from a music streaming service. This could be for the purpose of ascertaining the number of times specific tracks were played, or for identifying which music to buy or listen to on an alternate platform. Correspondingly, the data subject may seek to retrieve his/her contact list from a webmail application, perhaps to compile a wedding list, track purchases made with various loyalty cards, or evaluate his/her carbon footprint.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 5 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
==== Right to receive ====<br />
The request for data portability does not differ much from the request for access, at least in terms of the necessary steps to carry it out.<ref>However, it is always important to keep these two rights distinct. The right of access enables individuals to obtain information about the processing and a copy of the personal data held by the controller, in order to ensure transparency and allow for further actions by the data subject. On the other hand, data portability has a distinct economic feature. It allows for a copy of the data - which is also different and more limited than that under Article 15 - to be obtained, and the possibility to send such a dataset to another controller for similar or different purposes (i.e., essentially a competitor). In any case, a request must be made, even electronically. The controller must facilitate the request, including the authentication of the data subject (Article 12(2) GDPR). Obstructive practices in this area not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating real anti-competitive phenomena or "lock-in" effects.</ref> The controller must facilitate the request, including the authentication phase (Article 12(2) GDPR). Obstructive practices in this area will not only unduly limit the requester's subjective right, but also harm the single market and the free movement of personal data, creating anti-competitive phenomena or "lock-in" effects.<br />
<br />
As for the rest, the general rules set out in Article 12 apply. Article 12(3) requires that the data controller provides “''information on action taken''” to the data subject “''without undue delay''” and in any event “''within one month of receipt of the request''”. As usual, the one-month period can be extended to a maximum of three months for complex cases, provided that the data subject has been informed about the reasons for such delay within one month of the original request.<blockquote><u>EDPB</u>: To meet user expectations, it is a good practice to define the timeframe in which a data portability request can typically be answered and communicate this to data subjects. Data controllers who refuse to answer a portability request shall, pursuant to Article 12(4), inform the data subject of “''the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy''”, no later than one month after receiving the request.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 14-15 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
===== Modalities to provide the data =====<br />
Data controllers should consider two distinct but complementary options for providing portable data to data subjects or other controllers. The first option is a direct transmission of the complete dataset or specific parts of it. The second option is an automated tool that allows for the extraction of relevant data. For complex and large datasets, the second option may be preferred as it minimizes risks and allows for the use of data synchronization mechanisms. Making portable data available through various secure means such as messaging, SFTP servers, or secured WebAPI/WebPortal would enable data subjects to use personal data stores or other trusted third parties to hold and manage their personal data. This would also reduce privacy risks for the initial data controller and promote compliance for the new data controller.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 16 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Personal data concerning him or her ====<br />
A data portability request only applies to personal data concerning the data subject. Pseudonymous data is within the scope if the corresponding identifier is provided by the subject (as per Article 11(2) GDPR). Any data that is anonymous or not related to the data subject is not included. <blockquote><u>EDPB</u>: For instance, call records in a subscriber's account history may include details of third parties, but subscribers should still be able to obtain such records in response to portability requests since they are also concerning the data subject. Nevertheless, new data controllers who receive such records should not process them in any way that would adversely affect the rights and freedoms of the third parties involved.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 9 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote><br />
<br />
==== Provided to a controller ====<br />
Article 20(1) specifies that only personal data "''provided''" by the data subject is covered by the right. This includes data that the user knowingly and actively provides, such as their name and mailing address,<ref>The data "''provided''" is the data that was actively given to the controller (e.g. photos uploaded to the service) or which was "''observed''" by a controller (e.g. activity logs, food preferences). This definition also includes data that has been transferred to the controller in the context of the exercise of the right to data portability. ''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 11 (C.H. Beck 2020, 3rd Edition).</ref> as well as, according to the EDPB, data that is "''observed''" from the user's activity, such as their search history or location data. <blockquote><u>EDPB</u>: Inferred data and derived data are created by the data controller on the basis of the data “''provided by the data subject''”. For example, the outcome of an assessment regarding the health of a user or the profile created in the context of risk management and financial regulations (e.g. to assign a credit score or comply with anti-money laundering rules) cannot in themselves be considered as “''provided by''” the data subject. Even though such data may be part of a profile kept by a data controller and are inferred or derived from the analysis of data provided by the data subject (through his actions for example), these data will typically not be considered as “''provided by the data subject''” and thus will not be within scope of this new right.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, p. 10 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref></blockquote>It should be noted, however, that there is a doctrinal debate as to whether "observed data" falls within the scope of portability. One argument in favour of a restrictive approach aims to limit the provision of data to the types necessary for offering a comparable service. Inferred or derived data, by contrast, which the controller creates on the basis of the data provided by the data subject, is not covered by the right to data portability.<ref>''Kamann, Braun'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 20 GDPR, margin number 13 (C.H. Beck 2018, 2nd Edition).</ref> This is one of the most remarkable differences between portability and access under Article 15(3) GDPR.<br />
<br />
==== In a structured, commonly used and machine-readable format ====<br />
According to Recital 68, the data should be available in an "''interoperable format''", which data controllers "''should be encouraged to develop''". In turn, "''interoperable''" refers to the ability of disparate and diverse organisations to "''interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems''."<ref>The WP29 defines interoperability as the "''capability to communicate, execute programs, or transfer data among various functional units in a manner that requires the user to have little or no knowledge of the unique characteristics of those units''". EDPB, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 17 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> <br />
<br />
According to Article 20(1) GDPR the data should be provided to the data subject in a "''structured, commonly used and machine-readable format''". Beyond this requirement, the GDPR does not call for a specific format to be used. The terms “''structured''”, “''commonly used''” and “''machine-readable''” are a set of minimal requirements that should facilitate the "''interoperability''" of the data format provided by the data controller.<ref>In that way, “''structured, commonly used and machine readable''” are specifications for the means, whereas interoperability is the desired outcome.</ref> Formats subject to costly licensing constraints are not considered "''commonly used''". The personal data provided should have a high level of abstraction from any internal or proprietary format, and metadata should be used to describe the exchanged information accurately.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-right-data-portability-under-regulation-2016679_en here]).</ref> <br />
<br />
Industry stakeholders and trade associations are encouraged to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. The Commission has published a Communication on "''ICT Standardisation Priorities for the Digital Single Market''", which may be used as a basis on which to develop standards for the purposes of data portability.<ref>EU Commission Communication on ICT Standardisation Priorities for the Digital Single Market (Available [https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:52016DC0176 here]).</ref> <br />
<br />
==== and the right to transmit (the data to another controller) ====<br />
The right to data portability, as outlined in Article 20(1), enables data subjects to transmit their personal data from one data controller to another "without hindrance". This goes beyond the ability to simply obtain and reuse personal data and allows individuals to transfer their data to another service provider, regardless of whether it is within the same sector or not. By preventing "lock-in" situations, data portability empowers consumers and is expected to foster innovation and secure sharing of personal data between controllers under the control of the data subject. Additionally, it can enhance customer experiences by facilitating the controlled and limited sharing of personal data between organizations. This feature of data portability has the potential to facilitate the transfer and reuse of personal data among various services of interest to the user.<br />
<br />
==== Without hindrance (from the first controller) ====<br />
Article 20(1) GDPR guarantees that individuals have the right to transmit their data to another controller without facing any obstruction from the controller to which the personal data were provided. Such impediments are any legal, technical or financial barriers that the data controller sets up to prevent or hinder the data subject's or another data controller's access to, transmission of, or reuse of the data. <br />
<br />
Examples of such impediments include charges for data delivery, a lack of interoperability or of access to a data format or API, excessive delays or complexity in retrieving the complete dataset, the intentional concealment of the dataset, or sector-specific standards or accreditation demands that are undue or excessive. The WP29 recommends that data controllers offer several options to the data subject. They suggest, for instance, that data subjects should be offered an opportunity to directly download the data as well as to transmit it directly to another data controller, and that this could be implemented by making an Application Programming Interface ('API') available.<ref>Cormack expresses doubts regarding the viability of this solution, noting that many organisations will hold their data on internal databases that are securely firewalled from internet access as opposed to APIs. Without standards leading to interoperability, the right to data portability may "''remain more a declaration of principle than a real and effective tool for individual self-determination in the digital environment''". See, ''Lynskey'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 20 GDPR, p. 505 (Oxford University Press 2020).</ref><br />
<br />
At the same time, the sending controller must implement measures to ensure that it genuinely acts on behalf of the data subject. One way to achieve this is to institute a procedure verifying that only the specific personal data the data subject wants to transmit is actually transmitted. This verification could involve obtaining confirmation from the data subject either prior to transmission, or at an earlier stage, such as when they give the initial consent to processing or conclude the contract.<ref>EDPB, Guidelines on the right to data portability under Regulation 2016/679, WP242 rev.01, pp. 16-18 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref><br />
<br />
==== Where these conditions cumulatively apply ====<br />
The right to data portability only applies if (i) the individual has consented to the processing or the data are processed for the performance of a contract between the data subject and the controller and, in both cases, (ii) the data are processed by automated means.<ref>For example, data which is only available on paper and manually processed falls outside the scope of data portability.</ref><br />
<br />
===== (i) Processing is based on either consent or contract =====<br />
The right to data portability, as per Article 20(1)(a), is only applicable when the processing of personal data by the controller is based on the data subject's consent in accordance with Article 6(1)(a), consent to the processing of special categories of personal data in accordance with Article 9(2)(a), or a contract in accordance with Article 6(1)(b) to which the data subject is a party. Recital 68 specifically highlights that the right to data portability should not be applicable if the processing is carried out on a legal basis other than the data subject's consent or a contract. Consequently, data obtained by the controller by processing personal data to protect its legitimate interests in accordance with Article 6(1)(f) is not covered by the right under Article 20 GDPR.<ref>However, according to the WP29, it is a good practice to address portability requests also in such cases that do not explicitly provide for a general right to data portability, i.e. when processing is based on the legitimate interests or for the performance of a task carried out in the public interest. See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, p. 8 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref><br />
<br />
===== (ii) Processing is carried out by automated means =====<br />
The right to data portability under Art. 20(1)(b) only applies to processing that is conducted through automated means. This condition is generally met for internet service providers, but not for non-automated processing of personal data, such as data stored on structured index cards or in non-structured files. This limitation alleviates the controller's burden of converting non-machine-readable records into machine-readable data.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 13 (Beck 2020, 3rd edition).</ref><br />
<br />
===(2) Right to have personal data directly transmitted to another controller===<br />
Article 20(2) introduces the right for data subjects to request that their personal data be transmitted directly from the first controller<ref>Controllers that address portability requests ("''sending controllers''") act on behalf of a data subject and are responsible for providing prior information about the right’s existence (e.g. in the privacy notice) and clearly explaining the difference between the right of access and the right to data portability; processing the request without undue delay, within 1 month (up to 3 months); carrying out authentication; setting safeguards to ensure they genuinely act on the data subject’s behalf (e.g. ensure that they transmit the exact type of personal data that the data subject wants to receive); in light of the principles set forth in [https://gdprhub.eu/Article%205%20GDPR Article 5(1) GDPR], ensuring that the data transmitted is accurate and up to date; and, taking all necessary security measures for transmissions. The sending controllers are, however, not responsible for the processing handled by the data subject or by another company receiving personal data. 
In this respect, "''the data controller is not responsible for compliance of the receiving data controller with data protection law, considering that it is not the sending data controller that chooses the recipient".'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> to a second controller.<ref>Data controllers that receive portability requests ("''receiving controllers''") have an obligation to "''clearly and directly''" state the purpose of the new processing before they accept the request in accordance with the transparency requirements set out in [https://gdprhub.eu/Article%2014%20GDPR Article 14 GDPR]; process the request without undue delay, within 1 month (up to 3 months); ensure that the data they accept is relevant and not excessive for the intended data processing; delete the personal data which are not necessary to achieve the purpose of the new processing as soon as possible. The receiving controllers can decide whether to accept and process data from a portability request.</ref> This request, in line with the principle of facilitation, spares the data subject the burden of receiving the data and then sending it on to the intended controller. The request can typically be fulfilled through automated transmission, such as an application programming interface (API) that allows for data transfer to other systems implementing the same API. It therefore suffices if the data subject is given the opportunity to initiate the transfer by selecting a field labelled "''Transfer of data to another provider''", choosing a provider, selecting the data to be transferred, and clicking a corresponding field to start the automated transfer.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 25 (Beck 2020, 3rd edition).</ref> <br />
==== Where technically feasible ====<br />
If the provider has not established an automated data transmission, they may be required to comply with Article 20(2) to the extent that it is "''technically feasible''".<ref>It should be noted that the "''where technically feasible''" safeguard clause only applies to the direct transmission from one controller to another under paragraph 2. Therefore, it does not apply to the scenario outlined in paragraph 1 where the data subject directly requests to receive the data. Such requests shall always be fulfilled, regardless of technical reasons.</ref> Recital 68 states that the controller is not required to adopt or maintain technically compatible data processing systems. Therefore, the technical feasibility of direct data transfer is primarily dependent on the existing technical capabilities of the controller. However, according to Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights, including the right to data portability. As such, the data subject may request reasonable cooperation from the controller, such as adapting data transmission formats, to carry out the intended portability.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 20 GDPR, margin number 27 (Beck 2020, 3rd edition).</ref> <blockquote><u>EDPB</u>: Data controllers are expected to transmit personal data in an interoperable format, although this does not place obligations on other data controllers to support these formats. Direct transmission from one data controller to another could therefore occur when communication between two systems is possible, in a secured way, and when the receiving system is technically in a position to receive the incoming data. 
If technical impediments prohibit direct transmission, the data controller shall explain those impediments to the data subjects, as his decision will otherwise be similar in its effect to a refusal to take action on a data subject’s request (Article 12(4)).<ref>WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 6 (available [https://ec.europa.eu/newsroom/article29/items/611233 here]).</ref> </blockquote><br />
<br />
===(3) Other conditions===<br />
The first sentence of Article 20(3) GDPR clarifies that the exercise of the right to data portability is without prejudice to the right to erasure under [[Article 17 GDPR]] and, more generally, does not preclude the exercise of other rights under the GDPR. Thus, if data subjects want their data deleted from the controller's system, the controller cannot refuse erasure on the ground that a data portability request was made.<br />
<br />
The second sentence excludes the right to data portability where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This exception corresponds to the legal basis of Article 6(1)(e) GDPR. In such cases, a public body operating under public law is not required to provide data portability.<br />
===(4) Rights of third parties===<br />
In accordance with Paragraph 4, the right to data portability must not infringe upon the rights and freedoms of others, including both individuals and legal entities. When data is transferred with reference to a third party, such as transaction data from a current account agreement or data from the use of a webmail service, the rights and freedoms of others are generally not affected if the new provider uses the data solely under the control of the data subject and for the same purposes as before.<ref>The portability request should not include any third party data if there is a likelihood that the new processing will adversely affect the rights and freedoms of the other data subjects. ''"Such an adverse effect would occur, for instance, if the transmission of data from one data controller to another, would prevent third parties from exercising their rights as data subjects under the GDPR."'' See, WP29, ‘Guidelines on the right to data portability’, 16/EN WP 242 rev.01, 5 April 2017, 11 (available [http://ec.europa.eu/newsroom/document.cfm?doc_id=44099 here]).</ref> However, data transmission may be restricted by trade secrets, business secrets, or copyrights, such as those pertaining to software, if there is a specific risk of harm resulting from the transmission. Controllers cannot refuse to transfer data based solely on the possibility of such legally protected interests being infringed; instead, they must seek ways to transfer the data in a manner that avoids the disclosure of legally protected secrets.<ref>''Dix'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 20 GDPR, margin number 18 (C.H. Beck 2019).</ref><br />
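The scoping rules discussed in the sections above can be expressed as a small export builder: only data "''provided''" or "''observed''" is in scope, never inferred or derived data; the legal basis must be consent or contract and the processing automated; only the keys the data subject actually selected are transmitted, so the sending controller can show it acted on the subject's instructions; excluded keys carry a reason the subject can be given under Article 12(4); records that also concern a third party are flagged so the receiving controller can respect paragraph 4; and the receiving controller verifies the payload and keeps only what its own purpose needs. The following Python is an added illustration, not code from the EDPB, from gdprhub or from any controller: the "origin" and legal-basis tag strings, the schema name and the sample subscriber records are assumptions made for the example, and the SHA-256 digest over a canonical JSON serialisation is one possible way to let the recipient detect a tampered or truncated export.<br />

```python
"""Scoping and packaging a GDPR Article 20 portability export.

Added illustration with constructed data. The tag vocabularies, the schema
name and the sample records are assumptions of this example, not a standard.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Legal bases under which Article 20(1)(a) makes data portable (assumed tags).
PORTABLE_BASES = {"consent_6_1_a", "consent_9_2_a", "contract_6_1_b"}
# Data actively provided or observed is in scope; inferred/derived data is not.
PORTABLE_ORIGINS = {"provided", "observed"}


@dataclass
class Record:
    key: str
    value: object
    origin: str                # "provided" | "observed" | "inferred"
    basis: str                 # legal-basis tag, see PORTABLE_BASES
    automated: bool = True     # Article 20(1)(b): processed by automated means
    third_party: bool = False  # record also concerns another data subject


def exclusion_reason(rec: Record) -> Optional[str]:
    """Return why a record is out of scope, or None if it is portable."""
    if rec.origin not in PORTABLE_ORIGINS:
        return "inferred or derived data is not 'provided by the data subject'"
    if rec.basis not in PORTABLE_BASES:
        return f"legal basis '{rec.basis}' is outside Article 20(1)(a)"
    if not rec.automated:
        return "processing is not carried out by automated means"
    return None


def _canonical(payload: dict) -> bytes:
    # Stable serialisation so both controllers compute the same digest.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_export(subject_id: str, records: list, requested_keys: set) -> dict:
    """Sending controller: package only the in-scope keys the subject selected."""
    payload, excluded = {}, {}
    for rec in records:
        if rec.key not in requested_keys:
            continue  # not asked for: never transmit more than requested
        reason = exclusion_reason(rec)
        if reason:
            excluded[rec.key] = reason  # explainable to the subject (Art. 12(4))
            continue
        payload[rec.key] = {
            "value": rec.value,
            "origin": rec.origin,
            "concerns_third_party": rec.third_party,  # Article 20(4) flag
        }
    return {
        "schema": "example-portability-export/1",  # assumed schema name
        "data_subject": subject_id,
        "legal_basis": "GDPR Article 20",
        "payload": payload,
        "excluded": excluded,
        "payload_sha256": hashlib.sha256(_canonical(payload)).hexdigest(),
    }


def receive_export(export: dict, needed_keys: set) -> dict:
    """Receiving controller: verify integrity, keep only what its purpose needs."""
    digest = hashlib.sha256(_canonical(export["payload"])).hexdigest()
    if digest != export["payload_sha256"]:
        raise ValueError("payload digest mismatch; refusing to import")
    return {k: v for k, v in export["payload"].items() if k in needed_keys}


# Constructed sample: one subscriber of a hypothetical music/telephony service.
SAMPLE = [
    Record("email", "alice@example.com", "provided", "contract_6_1_b"),
    Record("playlist", ["track-1", "track-2"], "provided", "contract_6_1_b"),
    Record("listening_log", [{"track": "track-1", "plays": 3}], "observed", "consent_6_1_a"),
    Record("taste_profile", {"genre": "jazz"}, "inferred", "contract_6_1_b"),
    Record("fraud_score", 0.07, "inferred", "legitimate_interest_6_1_f"),
    Record("call_log", ["+49-30-1234567"], "observed", "contract_6_1_b", third_party=True),
    Record("paper_form", "scanned application", "provided", "contract_6_1_b", automated=False),
]

if __name__ == "__main__":
    export = build_export("alice", SAMPLE, {r.key for r in SAMPLE})
    print(json.dumps(export, indent=2))
    # The new provider only needs the playlist and listening history.
    print(receive_export(export, {"playlist", "listening_log"}))
```

Requester authentication (Article 12(2)) and transport protection are deliberately left out; they belong to the API, portal or SFTP layer through which the export is handed over, and the digest above does not replace them.<br />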
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 20 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
AK
https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_5/2022_-_%27Whatsapp%27&diff=30909
EDPB - Binding Decision 5/2022 - 'Whatsapp'
2023-02-01T14:42:31Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=European Union<br />
|DPA-BG-Color=<br />
|DPAlogo=logoEDPB.png<br />
|DPA_Abbrevation=EDPB<br />
|DPA_With_Country=EDPB<br />
<br />
|Case_Number_Name=Whatsapp Ireland Limited - Decision 5/2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=EDPB<br />
|Original_Source_Link_1=https://edpb.europa.eu/system/files/2023-01/edpb_bindingdecision_202205_ie_sa_whatsapp_en.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=19.08.2022<br />
|Date_Decided=05.12.2022<br />
|Date_Published=25.01.2023<br />
|Year=2022<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 7 GDPR<br />
|GDPR_Article_Link_4=Article 7 GDPR<br />
|GDPR_Article_5=Article 9 GDPR<br />
|GDPR_Article_Link_5=Article 9 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
|GDPR_Article_9=Article 24 GDPR<br />
|GDPR_Article_Link_9=Article 24 GDPR<br />
|GDPR_Article_10=Article 56 GDPR<br />
|GDPR_Article_Link_10=Article 56 GDPR<br />
|GDPR_Article_11=Article 58 GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR<br />
|GDPR_Article_12=Article 60 GDPR<br />
|GDPR_Article_Link_12=Article 60 GDPR<br />
|GDPR_Article_13=Article 65 GDPR<br />
|GDPR_Article_Link_13=Article 65 GDPR<br />
|GDPR_Article_14=Article 77 GDPR<br />
|GDPR_Article_Link_14=Article 77 GDPR<br />
|GDPR_Article_15=Article 79 GDPR<br />
|GDPR_Article_Link_15=Article 79 GDPR<br />
|GDPR_Article_16=Article 83 GDPR<br />
|GDPR_Article_Link_16=Article 83 GDPR<br />
|GDPR_Article_17=<br />
|GDPR_Article_Link_17=<br />
|GDPR_Article_18=<br />
|GDPR_Article_Link_18=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=German Whatsapp user (represented by noyb - European Centre for Digital Rights)<br />
|Party_Link_1=https://noyb.eu/en<br />
|Party_Name_2=Whatsapp Ireland Limited<br />
|Party_Link_2=https://www.whatsapp.com/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=LR<br />
|<br />
}}<br />
<br />
Following a referral under the [[Article 60 GDPR|Article 60 GDPR]] procedure, the EDPB issued a binding decision on a case initiated by ''noyb'' finding Whatsapp IE’s processing of personal data for “service improvements” and “security” to be unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In order to access Whatsapp, an online instant messaging platform ultimately owned and controlled by “Meta Platforms Inc.”, a user was required to accept a series of terms and conditions (the “Terms of Service”) and a Privacy Policy.<br />
<br />
In accordance with the GDPR, Whatsapp IE was obliged to have a lawful basis for the processing of any personal data they undertook. [[Article 6 GDPR#1|Article 6(1) GDPR]] detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Whatsapp platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Whatsapp account.<br />
<br />
A German Whatsapp user, the “data subject” and “complainant”, filed a complaint against Whatsapp IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Whatsapp IE’s data processing practices on the Whatsapp platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Hamburg DPA (HmbBfDI) and later transferred to the German Federal DPA (BfDI), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.<br />
<br />
Firstly, there existed a clear imbalance of power between the controller and the data subject. This was likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleged that, in this case, the controller undisputedly had a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject was left with no other realistic alternatives. <br />
<br />
Secondly, the use of the Whatsapp service was conditional upon the data subject’s consent to the collection of their data, even though such processing was not necessary for the provision of the service. [[Article 7 GDPR#4|Article 7(4) GDPR]], which defines the conditions for consent, specifically states that “''utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract''”. As such, the “consent” upon which the controller sought to rely was invalid.<br />
<br />
Additionally, the complaint raised the issue of granularity, as the controller relied on an overall bundled consent to everything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the GDPR’s requirement that consent to processing be “specific”.<br />
<br />
Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.<br />
<br />
The BfDI referred the case to the Irish DPA (DPC) under [[Article 56 GDPR]], and in accordance with the procedure outlined in [[Article 60 GDPR]].<br />
<br />
Responding to the Complainant’s assertions Whatsapp IE submitted, among other points, that it does not rely on consent as the lawful basis for the relevant processing of personal data. According to the company, “''the legitimization of the processing at issue in this inquiry falls under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]'' [necessary for the performance of a contract] ''and therefore an assessment under Article 6(1)(b) only is required''”. (DPC Preliminary Draft Decision, para 3.4)<br />
<br />
On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with [[Article 60 GDPR#3|Article 60(3) GDPR]]. Six DPAs (DE, FI, FR, IT, NL, NO) raised objections, in accordance with [[Article 60 GDPR#4|Article 60(4) GDPR]], to the Draft Decision. On 19 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 12 January 2023, published on 19 January 2023.<br />
<br />
=== Holding ===<br />
Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “relevant and reasoned objection” within the meaning of [[Article 4 GDPR#24|Article 4(24) GDPR]]. The EDPB identified five issues in the case at hand, addressing each one in turn before issuing the Binding Decision.<br />
<br />
''Please note: to explain the issues addressed in the decision, it is necessary to outline the proposals in the DPC’s Draft Decision, which provide the context for the EDPB decision.''<br />
<br />
<br />
<u>Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis</u><br />
<br />
The first issue concerns whether Whatsapp IE can rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “''processing is necessary for the performance of a contract to which the data subject is a party''”. When issuing its Draft Decision, the DPC firstly sought to address the question of scope – identifying which processing practices they are concerned with in this context – before moving to the question of contractual necessity as a lawful basis.<br />
<br />
On the question of scope, the DPC asserted that its inquiry must be limited to the processing of personal data for “service improvements” and “security”. In doing so, the DPC elected not to investigate the processing of sensitive categories of data, or data processed for the purposes of behavioural advertising, providing metrics to third parties, and marketing.<br />
<br />
Responding to this proposal, the EDPB disagreed with the DPC's conclusions regarding the scope of the inquiry, and directed the DPC to commence a new inquiry into whether Whatsapp processes data in the ways described above (222). The DPC did not conduct this inquiry as, in their view, “''that direction cannot be addressed… in this decision''” and proceeded in their analysis, continuing to exclude questions of data processed for advertising. For further discussion of the issue of scope, and the EDPB’s directions regarding a further investigation, please see “Issue 3 – On the Further Investigation” below.<br />
<br />
Addressing the second question, whether the data processing is necessary for the purpose of a contract between Whatsapp IE and its users, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “''the ‘core’ functions of a contract must be assessed in order to determine what processing is objectively necessary in order to perform it''” (DPC - 3.27).<br />
<br />
However, the DPC added that “''necessity is to be determined by reference to the particular contract''” (DPC - 3.27) and “''it is not for an authority such as the'' [DPC]'', tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible''” (DPC - 3.45). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “''the actual bargain which has been struck between the parties''” (DPC - 3.30). The DPC stated “''it seemed to me… that Whatsapp’s model and the service being offered is explicitly one that includes improvements to an existing service, and a commitment to upholding certain standards relating to abuse, etc., that is common across all affiliated platforms''” (DPC - 3.42). Accordingly, the Draft Decision “''proposed to conclude... that WhatsApp was, in principle, entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for processing personal data''” (DPC - 3.50).<br />
<br />
In response, when issuing its Binding Decision with regard to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:<blockquote>“''The EDPB agrees with the IE SA and Whatsapp IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Whatsapp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under [[Article 6 GDPR]] if it is appropriate for the processing at stake''" (100).<br />
<br />
"''The GDPR makes Whatsapp IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Whatsapp IE and its business model''” (101).<br />
<br />
"''The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR''" (102).<br />
<br />
“''...it is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance''” (105).<br />
<br />
"''the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR''" (110).</blockquote>Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for service improvements and security is not essential to the contract between Whatsapp IE and its users. The EDPB observes that Whatsapp is under a duty to consider the possibility of less intrusive ways to pursue the stated purpose, for example, “''rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose''” (109).<br />
<br />
Furthermore, the EDPB points to an imbalance of knowledge surrounding the contract, “''an average user cannot fully grasp what is meant by processing for service improvements and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonable expect it solely based on Whatsapp IE’s Terms of Service”'' (111). As explained by the EDPB, the DPC has already acknowledged that Whatsapp IE infringed its transparency obligations under the GDPR (see “Issue 3” in DPC Decision [https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Whatsapp_Ireland_Limited_-_IN-18-5-6 IN-18-5-6]), and this undermines the argument that the processing is lawful on the basis of contractual performance. This is because, “''one of the parties (in this case a data subject)'' [has not been] ''provided with sufficient information to know they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered… These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis''” (117).<br />
<br />
The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Whatsapp IE can process personal data on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]:<blockquote>“...''there is a risk that the Draft Decision’s failure to establish Whatsapp IE's infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], pursuant to the interpretation by the'' [DPC], ''nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject''" (119).<br />
<br />
“''This precedent could encourage other economic operators to use the contractual performance legal basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain, and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects''” (120).</blockquote>In light of all of the above, the EDPB directed the following:<blockquote>“''processing for the purposes of service improvements and security features performed by Whatsapp IE are objectively not necessary for the performance of Whatsapp IE's alleged contract with its users and are not an essential or core element of it''" (121).<br />
<br />
"''Whatsapp IE has inappropriately relied on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the complainant's personal data for the purposes of service improvements and security in the context of its Terms of Service and therefore lacks a legal basis to process the data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. Whatsapp IE has consequently infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by unlawfully processing personal data''” (122).</blockquote>Accordingly, the EDPB instructed the DPC to alter “Finding 2” of its Draft Decision to include a finding that Whatsapp IE was not entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the Complainant’s personal data in this context, and to find an infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]] based on the shortcomings the EDPB has identified (122).<br />
<br />
<br />
<u>Issue 2 – On the Potential Infringement of the Principles of Fairness, Purpose Limitation and Data Minimisation</u><br />
<br />
During the course of the [[Article 60 GDPR]] consultation period, the Italian DPA raised two objections to the DPC’s Draft Decision. The Italian DPA asserted that the Draft Decision should be amended to include a separate finding of an infringement of the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] principle of fairness, and infringements of the Article 5(1)(b) and (c) GDPR principles of purpose limitation and data minimisation.<br />
<br />
''Potential infringement of principles of purpose limitation and data minimisation:''<br />
<br />
The Italian DPA explained that grounding Whatsapp IE’s multifarious processing practices involving personal data in [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] entails an infringement of the principles of purpose limitation and data minimisation, because the purposes must have been specified and communicated to data subjects. In response, the DPC stated that it did not consider the Italian DPA’s objection to be relevant or reasoned.<br />
<br />
In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “relevant” as it includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change could lead to a different conclusion. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “''substantial and plausible''” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “''not reasoned''” so as to satisfy [[Article 4 GDPR#24|Article 4(24) GDPR]].<br />
<br />
''Potential infringement of the principle of fairness:''<br />
<br />
The objection raised by the Italian DPA sought an additional finding of an infringement of the principle of fairness in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]. In its Draft Decision, the DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Whatsapp was not afforded the opportunity to be heard in response to a particularised allegation of wrongdoing” (DPC - 5.1). The matter was referred to the EDPB, which determined the objection raised by the Italian DPA to be both relevant and reasoned in accordance with [[Article 4 GDPR#24|Article 4(24) GDPR]], and stated as follows:<blockquote>“''Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject''” (143).<br />
<br />
“''...the principle of fairness has an independent meaning and… an assessment of Whatsapp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Whatsapp IE’s compliance with the principle of fairness too''” (147).<br />
<br />
"''the concept of fairness stems from the EU Charter… [it] underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights''” (148).<br />
<br />
“''Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data… Therefore, the EDPB disagrees with the [DPC]’s finding that assessing Whatsapp IE’s compliance with the principle of fairness ‘would therefore… represent a significant departure from the scope of the inquiry.’ In addition, it is important to note that Whatsapp IE has been heard on the objections and therefore submitted written submissions on this matter''” (150).<br />
<br />
“''Whatsapp has presented its service to users in a misleading manner… The combination of factors, such as the unbalanced relationship between Whatsapp IE and its users, combined with the ‘take it or leave it’ situation that they are facing… systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights''” (154, 156).</blockquote>Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Whatsapp IE, and to “''adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement''” (157).<br />
<br />
<br />
<u>Issue 3 – On the Further Investigation</u><br />
<br />
As discussed in “Issue 1” above, the DPC reached certain conclusions on the scope of its inquiry, limiting its analysis to personal data processing for the purposes of “service improvements” and “security”. In its Draft Decision, the DPC explained that its analysis would be based only on the Whatsapp Terms of Service, and not the Privacy Policy. In its view, the Privacy Policy is essentially an explanatory document for the purposes of transparency, and is not incorporated within the Terms of Service (DPC 3.4 – 3.5). The DPC then took issue with the generality, or vagueness, of the complaint which – in its view – did not identify “''specific processing operations by reference to an identifiable body of data with any clarity of precision''” (DPC - 3.6). Furthermore, according to the DPC, the complainant was not entitled to request that the DPC “''conduct an assessment of all processing operations carried out by Whatsapp''” (DPC - 3.6). After stating that “''the Complaint does, however, focus on a number of particular processing activities and has a specific focus on data processed to facilitate improvements to services and advertising''” (DPC - 3.7), the DPC explained that its Draft Decision proposed an assessment of whether Whatsapp IE can rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for data processing for service improvements, providing metrics to third parties (such as companies within the same group of companies), and advertising. However, on the question of advertising, the DPC stated that “''no evidence has been presented by the Complainant that Whatsapp processes personal data for the purpose of advertising''” (DPC - 3.8), and therefore data processing for advertising was not relevant to the inquiry. 
With regards to “''providing metrics to third parties''”, the DPC states later in the decision that “''any sharing with affiliated companies formed part of the general ‘improvements’ that are carried out pursuant to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]''” (DPC - 3.33). Therefore, the DPC took the view that providing metrics to third parties forms part of service improvements as “''any clear delineation between these two forms of processing was artificial''” (DPC - 3.33). As a result, the DPC restricted the scope of their inquiry to “''regular improvements and maintaining standards of security''”.<br />
<br />
During the [[Article 60 GDPR|Article 60 GDPR]] consultation period, three DPAs (FI, FR, IT) raised objections to the conclusions reached by the DPC in the Draft Decision. The objections requested that the DPC further investigate the matters of behavioural advertising, special categories of personal data, the provision of metrics to third parties (including companies belonging to the same group), and marketing (168 – see also 169 – 174). In response, the DPC stated that it did not propose to “follow” the objections raised, and the matter was referred to the EDPB.<br />
<br />
Issuing its Binding Decision, the EDPB disagreed with the DPC’s assessment of scope, and found the objections raised both relevant and reasoned in accordance with [[Article 4 GDPR#24|Article 4(24) GDPR]]. Regarding specifically the question of special categories of personal data, the EDPB notes that the GDPR and case law pay close attention to the processing of such data, and that the complaint expressly requests the DPC to investigate Whatsapp IE’s processing operations in this area (215). The EDPB outlines the risk of the DPC’s failure to address the issue of special categories of personal data including: the use of this data to build intimate profiles of users; the failure to recognise it as a special category of personal data; ignoring the role of consent in the processing; and setting a precedent of ambiguity and transparency which could be followed by other controllers (see 217). They also assert that the DPC “''did not handle the complaint with all due diligence''” and that the lack of any further investigation into processing for behavioural advertising, of special categories of personal data, provision of metrics to third parties, exchange with affiliated companies, and processing for the purposes of marketing, was an omission (218). Taking into account the limited scope of the inquiry and lack of assessment by the DPC, the EDPB decided that the DPC “''shall carry out an investigation into Whatsapp IE’s processing operations in its service to determine if it processes special categories of data''” and to investigate the processing for all of the above purposes in order to determine if Whatsapp IE complied with its obligations under the GDPR. The EDPB also instructs the DPC to issue a new Draft Decision, based on the results of that investigation and the findings (222).<br />
<br />
It is worth noting, at this stage, that the DPC did not conduct this further investigation as, in its view, “''that direction cannot be addressed… in this decision''”, and proceeded with its analysis, continuing to exclude questions of data processed for advertising. For further discussion, please see [https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Whatsapp_Ireland_Limited_-_IN-18-5-6 DPC (Ireland) – Whatsapp Ireland Limited – IN-18-5-6] (discussion of “Issue 2”).<br />
<br />
<br />
<u>Issue 4 – On Corrective Measures Other than Additional Fines</u><br />
<br />
In its Draft Decision, the DPC did not find any infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] and so was not in a position to consider the application of its corrective powers as provided for in [[Article 59 GDPR#2|Article 59(2) GDPR]]. The DPC did consider that Whatsapp IE had infringed its transparency obligations under the GDPR, however, they had dealt with this issue in a previous own-volition inquiry and imposed an administrative fine and order to bring processing into compliance.<br />
<br />
A number of objections were raised to the lack of corrective measures in the Draft Decision to address the infringement of Article 6(1) GDPR. Most notably, the Finnish DPA stated that the DPC should use its corrective powers to at least order Whatsapp IE to bring its processing operations into compliance with [[Article 6 GDPR#1|Article 6(1) GDPR]]. Also, the DPC should consider the imposition of an administrative fine.<br />
<br />
After reviewing the merits of the objection, the EDPB instructed the DPC “''to include in its final decision an order for WhatsApp IE to bring its processing of personal data for the purposes of service improvement and security features in the context of its Terms of Service into compliance with [[Article 6 GDPR#1|Article 6(1) GDPR]]''” (274).<br />
<br />
<br />
<u>Issue 5 – On the Imposition of the Administrative Fine</u><br />
<br />
During the [[Article 60 GDPR]] consultation period, four DPAs (FR, NO, DE, IT) objected to the failure of the DPC to take action with respect to one or more specific infringements and asked the DPC to impose an administrative fine. After considering the objections in light of [[Article 4 GDPR#24|Article 4(24) GDPR]] and the factors outlined in [[Article 83 GDPR#2|Article 83(2) GDPR]] the EDPB instructed the DPC to impose an administrative fine for the infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]] (314) and, in doing so, to take into account the infringement of the principle of fairness in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] (320).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
BindingDecision5/2022onthedisputesubmittedby the<br />
Irish SAregardingWhatsAppIrelandLimited(Art.65GDPR)<br />
<br />
<br />
<br />
<br />
<br />
Adopted on 5December 2022<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
AdoptedTABLEOFCONTENTS<br />
<br />
<br />
1 Summary of the dispute<br />
2 The right to good administration<br />
3 Conditions for adopting a binding decision<br />
3.1 Objection(s) expressed by CSA(s) in relation to a draft decision<br />
3.2 The LSA does not follow the relevant and reasoned objections to the Draft Decision or is of the opinion that the objections are not relevant or reasoned<br />
3.3 Admissibility of the case<br />
3.4 Structure of the binding decision<br />
4 On whether the LSA should have found an infringement for lack of appropriate legal basis<br />
4.1 Analysis by the LSA in the Draft Decision<br />
4.2 Summary of the objections raised by the CSAs<br />
4.3 Position of the LSA on the objections<br />
4.4 Analysis of the EDPB<br />
4.4.1 Assessment of whether the objections were relevant and reasoned<br />
4.4.2 Assessment on the merits<br />
5 On the potential additional infringement of the principles of fairness, purpose limitation and data minimisation<br />
5.1 Analysis by the LSA in the Draft Decision<br />
5.2 Summary of the objections raised by the CSAs<br />
5.3 Position of the LSA on the objections<br />
5.4 Analysis of the EDPB<br />
5.4.1 Assessment of whether the objections were relevant and reasoned<br />
5.4.2 Assessment of the merits<br />
6 On the further investigation<br />
6.1.1 Analysis by the LSA in the Draft Decision<br />
6.1.2 Summary of the objections raised by the CSAs<br />
6.1.3 Position of the LSA on the objections<br />
6.1.4 Analysis of the EDPB<br />
7 On corrective measures other than administrative fines<br />
7.1 Analysis by the IE SA in the Draft Decision<br />
7.2 Summary of the objections raised by the CSAs<br />
7.3 Position of the IE SA on the objections<br />
7.4 Analysis of the EDPB<br />
7.4.1 Assessment of whether the objections were relevant and reasoned<br />
7.4.2 Assessment on the merits<br />
8 On the imposition of an administrative fine<br />
8.1 Analysis by the LSA in the Draft Decision<br />
8.2 Summary of the objections raised by the CSAs<br />
8.3 Position of the LSA on the objections<br />
8.4 Analysis of the EDPB<br />
8.4.1 Assessment of whether the objections were relevant and reasoned<br />
8.4.2 Assessment on the merits<br />
9 Binding Decision<br />
10 Final remarks<br />
<br />
<br />
<br />
<br />
The European Data Protection Board<br />
<br />
Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”) 1,<br />
<br />
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 2,<br />
<br />
Having regard to Article 11 and Article 22 of its Rules of Procedure (hereinafter “EDPB RoP”) 3,<br />
<br />
Whereas:<br />
<br />
(1) The main role of the European Data Protection Board (hereinafter the “EDPB”) is to ensure the consistent application of the GDPR throughout the EEA. To this effect, it follows from Article 60 GDPR that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other supervisory authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other CSAs. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.<br />
<br />
(2) Where any of the CSAs expressed a reasoned and relevant objection (“RRO”) on the draft decision in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the RRO or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR.<br />
<br />
(3) Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the RROs, in particular whether there is an infringement of the GDPR.<br />
<br />
1 OJ L 119, 4.5.2016, p. 1.<br />
2 References to “Member States” made throughout this decision should be understood as references to “EEA Member States”.<br />
3 EDPB RoP, adopted on 25 May 2018, as last modified and adopted on 6 April 2022.<br />
<br />
<br />
(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) of the EDPB RoP, within one month after the Chair and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject matter upon decision of the Chair on own initiative or at the request of at least one third of the members of the EDPB.<br />
<br />
(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members.<br />
<br />
(6) In accordance with Article 11(6) EDPB RoP, only the English text of the decision is authentic as it is the language of the EDPB adoption procedure.<br />
<br />
HAS ADOPTED THE FOLLOWING BINDING DECISION<br />
<br />
1 SUMMARY OF THE DISPUTE<br />
<br />
1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. The decision concerns the dispute arisen following a draft decision (hereinafter “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this document as the LSA) and the subsequent objections expressed by six CSAs, namely the German Federal Commissioner for Data Protection and Freedom of Information (“Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit”), hereinafter the “German Federal SA” or the “DE SA”, the Finnish supervisory authority (“Tietosuojavaltuutetun toimisto”), hereinafter the “FI SA”, the French supervisory authority (“Commission Nationale de l'Informatique et des Libertés”), hereinafter the “FR SA”, the Italian supervisory authority (“Garante per la protezione dei dati personali”), hereinafter the “IT SA”, the supervisory authority of the Netherlands (“Autoriteit Persoonsgegevens”), hereinafter the “NL SA” and the Norwegian supervisory authority (“Datatilsynet”), hereinafter the “NO SA”.<br />
<br />
<br />
2. The Draft Decision relates to a “complaint-based inquiry”, which was commenced by the IE SA, regarding a complaint originally submitted to the Hamburg supervisory authority (“Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”), hereinafter “the DE HH SA”. The case was subsequently referred to the DE SA, being the relevant supervisory authority, to decide whether WhatsApp Ireland Limited (hereinafter, “WhatsApp IE”), an online instant messaging platform, complies with its obligations under the GDPR.<br />
<br />
3. The complaint was lodged on 25 May 2018 by a data subject who requested the non-profit noyb, “European Center for Digital Rights” (hereinafter “NOYB”), to represent her under Article 80(1) GDPR (both hereinafter referred to as the “Complainant”). It concerned the lawfulness of WhatsApp IE's processing of personal data (hereinafter “WhatsApp services”), specifically data processing on foot of the Complainant's acceptance of its Terms of Service (and purportedly her acceptance of its Privacy Policy), and the transparency of information provided by WhatsApp IE to the Complainant about that processing. The Complainant alleged a violation of the right to data protection and especially a violation of “Articles 4(11), Article 6(1)(a), Article 7 and/or Article 9(2)(a) of the GDPR” 4, by arguing that the controller relied on a “forced consent” 5. The complaint requested to investigate 6 and to impose corrective measures 7. “In the alternative, should the Supervisory Authority not interpret these elements as consent”, the Complainant takes the position that the controller has no legal basis for the processing operations “which are not a core element of the instant-messaging service and/or in the interest of the user (such as advertisement, sponsored content, sharing of information within a group of companies, analysis and improvement of the controller's products etc.)”, “since these elements are clearly not a relevant contractual obligations and no other option under Article 6 of the GDPR seems to apply in this situation” 8.<br />
<br />
4 Complaint, paragraph 2.2.5.<br />
5 Complaint, paragraphs 1.3 and 2.2.5.<br />
6 Within its request to investigate, the Complainant requested that a full investigation be made to determine “which processing operations the controller engages in, in relation to the personal data of the data subject”, “for which purpose they are performed”, “on which legal basis for each specific processing operation the controller relies on”, and to acquire “a copy of any records of processing activities”. The Complainant also requested “that the results of this investigation [be] made available to [her]”. Complaint, paragraph 3.1.<br />
7 More specifically, the complaint requested in paragraph 3.2 that the competent SA “prohibits all processing operations that are based on an invalid consent of the data subject”, and in paragraph 3.3 that an “effective, proportionate and dissuasive fine” be imposed.<br />
<br />
4. Upon receipt of the complaint on 31 May 2018, the IE SA qualified the activities falling within the scope of the aforementioned complaint as cross-border processing pursuant to Article 4(23) GDPR. As the main establishment of WhatsApp IE (as defined in Article 4(16) GDPR) was found to be in Ireland, the IE SA was identified as being the LSA, within the meaning of the GDPR, in respect of the cross-border processing carried out by that company 9.<br />
<br />
5. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism:<br />
<br />
25 May 2018: The complaint was lodged with the DE HH SA. The DE HH SA passed the complaint, for reasons of competence, to the DE SA. On 31 May 2018, the complaint was passed by the DE SA to the IE SA.<br />
<br />
20 August 2018: The IE SA commenced the inquiry (hereinafter the “inquiry”) and requested information from WhatsApp IE. Its scope and legal basis were set out in the Notice of Commencement of Inquiry that was sent to the Complainant and WhatsApp IE by letters on 20 August 2018. On 11 March 2019, WhatsApp IE provided replies to preliminary queries by the IE SA. Procedural issues, including allegation of bias, were raised by the Complainant by correspondence on 3 December 2018, and subsequent letters from 29 February 2019, 19 April 2019 and 24 February 2020, as well as a phone call on 1 April 2019, that were addressed by the IE SA.<br />
<br />
20 May 2020: The IE SA prepared a Draft Inquiry Report against WhatsApp IE regarding its processing activities within the scope of the inquiry. The IE SA invited the Complainant and WhatsApp IE to make submissions in relation to such draft report.<br />
<br />
22 June 2020: WhatsApp IE provided its submissions in relation to the Draft Inquiry Report.<br />
<br />
23 September 2020: The Complainant's submissions dated 4 September 2020 were provided to the IE SA by the DE SA.<br />
<br />
18 January 2021: The Complainant and WhatsApp IE, as well as the IE SA's decision maker, were furnished with a copy of the IE SA's Final Inquiry Report, outlining the Investigator's views as to whether WhatsApp IE complied with its obligation under the GDPR.<br />
<br />
6 and 7 April 2021: The IE SA commenced the decision-making stage.<br />
<br />
23 December 2021: The IE SA issued a preliminary draft decision (hereinafter “the Preliminary Draft Decision”) against WhatsApp IE, regarding its processing activities within the scope of the inquiry. It was communicated on the same day to the Complainant to enable them to make observations. The IE SA further attempted to communicate the Preliminary Draft Decision to WhatsApp IE on this same date, to enable it to exercise its right to be heard. Having subsequently discovered that an IT systems' failure prevented the Preliminary Draft Decision from reaching WhatsApp IE, the IE SA shared again the Preliminary Draft Decision with WhatsApp IE on 20 January 2022.<br />
<br />
December 2021 to February 2022: Further exchanges of correspondence took place between the IE SA and the Complainant, addressing translation issues, the scope of the complaint, as well as allegations that the complete documents had not been provided.<br />
<br />
17 February 2022: WhatsApp IE provided submissions on the Preliminary Draft Decision to the IE SA.<br />
<br />
25 February 2022: The IE SA communicated with the Complainant's legal representatives, confirming that if no further correspondence was received by 1 March 2022, the IE SA would proceed on the basis that the Complainant did not wish to make submissions. No submissions were received.<br />
<br />
1 April 2022: The IE SA shared its Draft Decision with the CSAs in accordance with Article 60(3) GDPR. Several CSAs (DE SA, FI SA, FR SA, IT SA, NL SA, and NO SA) raised objections in accordance with Article 60(4) GDPR.<br />
<br />
1 July 2022: The IE SA issued a Composite Response setting out its replies to the objections raised and shared it with the CSAs (hereinafter, “Composite Response”). The IE SA requested that the CSAs consider the responses and proposals outlined in the Composite Response and confirm whether they addressed the concerns underlying the objections raised.<br />
<br />
1 to 11 July 2022: In light of the proposals in the Composite Response, further exchanges took place between the IE SA and the CSAs. During the exchanges, several CSAs (among which the NL SA 10, the DE SA 11, the FI SA 12 and the NO SA 13) confirmed to the IE SA that its compromise proposals were not sufficient and they intended to maintain their objections. On 8 July 2022, WhatsApp IE was informed of the upcoming triggering of the Article 65 GDPR procedure, and was invited to exercise its right to be heard in respect of all the material that the IE SA proposed to refer to the EDPB 14, and on 17 August 2022 WhatsApp IE provided its submissions (hereinafter the “WhatsApp IE Article 65 Submissions”).<br />
<br />
19 August 2022: The IE SA referred the matter to the EDPB in accordance with Article 60(4) GDPR, thereby initiating the dispute resolution procedure under Article 65(1)(a) GDPR.<br />
<br />
8 Complaint, paragraph 1.3.<br />
9 Schedule to Draft Decision, paragraphs 2.11 to 2.17 (Competence of the Commission) (p. 10-12).<br />
10 Response of NL SA to IE SA Composite Response Memorandum dated 7 July 2022.<br />
11 Response of DE SA to IE SA Composite Response Memorandum dated 8 July 2022.<br />
12 Response of FI SA to IE SA Composite Response Memorandum dated 8 July 2022.<br />
13 Response of NO SA to IE SA Composite Response Memorandum dated 11 July 2022.<br />
<br />
<br />
<br />
6. Following the submission by the LSA of this matter to the EDPB in accordance with Article 60(4) GDPR in the Internal Market Information system (hereinafter, “IMI”) 15 on 19 August 2022, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair in line with Article 11(2) of the EDPB RoP.<br />
<br />
7. The EDPB Secretariat contacted the IE SA on 23 September 2022, asking for clarifications in relation to some documents not provided whilst mentioned in Article 11.7 of the EDPB RoP, but mentioned in other documents. On the same date, the IE SA provided the information requested and confirmed the completeness of the file.<br />
<br />
8. A matter of particular importance that was scrutinized by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the EU Charter of Fundamental Rights (hereinafter the “EU Charter”). Further details on this are provided in Section 2 of this Binding Decision.<br />
<br />
9. On 7 October 2022, after the Chair confirmed the completeness of the file, the EDPB Secretariat circulated the file to the EDPB members.<br />
<br />
10. The Chair decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) of the EDPB RoP, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter.<br />
<br />
<br />
<br />
2 THE RIGHT TO GOOD ADMINISTRATION<br />
<br />
11. The EDPB is subject to the EU Charter, in particular Article 41 (the right to good administration). This is also reflected in Article 11(1) EDPB RoP. Further details were provided in the EDPB Guidelines on Article 65(1)(a) GDPR 16.<br />
<br />
12. The EDPB's binding decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address directly any third party. However, as a precautionary measure to address the possible need for the EDPB to offer the right to be heard at the EDPB level to WhatsApp IE, the EDPB assessed if WhatsApp IE was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and the subject-matter of the dispute to be resolved by the EDPB. In particular, the EDPB assessed if all the documents containing the matters of facts and law received and used by the EDPB to take its decision in this procedure have already been shared previously with WhatsApp IE.<br />
<br />
13. The EDPB notes that WhatsApp IE has received the opportunity to exercise its right to be heard regarding all the documents containing the matters of facts and of law considered by the EDPB in the context of this decision and provided its written observations 17, which have been shared with the EDPB by the LSA 18.<br />
<br />
14. Considering that WhatsApp IE has been already heard by the IE SA on all matters of facts and of law addressed by the EDPB in its binding decision, the EDPB is satisfied that Article 41 of the EU Charter has been respected.<br />
<br />
15. The EDPB considers that the Complainant is not likely to be adversely affected by this binding decision, and consequently does not meet the conditions to be granted a right to be heard by the EDPB in line with Article 41 of the EU Charter, applicable case law, and Article 11 of the EDPB RoP. This is without prejudice to any right to be heard or other related rights the Complainant may have before the competent national supervisory authority(/-ies).<br />
<br />
14 The objections, the Composite Response, including the IE SA's assessment of the relevant and reasoned objections, as well as the replies of the CSAs.<br />
15 The Internal Market Information (IMI) is the information and communication system mentioned in Article 17 EDPB RoP.<br />
16 See EDPB Guidelines 3/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for public consultation) (hereinafter, “Guidelines on Article 65(1)(a)”), paragraphs 94-108.<br />
<br />
<br />
3 CONDITIONS FOR ADOPTING A BINDING DECISION<br />
<br />
16. The general conditions for the adoption of a binding decision by the EDPB are set forth in Article 60(4) and Article 65(1)(a) GDPR 19.<br />
<br />
3.1 Objection(s) expressed by CSA(s) in relation to a draft decision<br />
<br />
17. The EDPB notes that several CSAs raised objections to the Draft Decision via IMI. The objections were raised pursuant to Article 60(4) GDPR.<br />
<br />
18. More specifically, objections were raised by CSAs in relation to the following matters:<br />
<br />
• whether the LSA should have found an infringement for lack of appropriate legal basis;<br />
• the potential additional infringement of the principles of fairness, purpose limitation and data minimisation;<br />
• on possible further investigation;<br />
• corrective measures other than fines;<br />
• the imposition of an administrative fine.<br />
<br />
19. Each of the objections was submitted within the deadline provided by Article 60(4) GDPR.<br />
<br />
17 WhatsApp IE's Submissions in relation to the Draft Inquiry Report, dated 22 June 2020. WhatsApp IE's Response to Preliminary Draft Decision, dated 17 February 2022. WhatsApp IE Article 65 Submissions, dated 17 August 2022.<br />
18 IN-18-5-6 Memo for Secretariat (Referral of objections to the EDPB pursuant to Article 60(4) and 65(1)(a) GDPR), 19 August 2022.<br />
19 According to Article 65(1)(a) GDPR, the EDPB will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA and the LSA has not followed the objection or the LSA has rejected such an objection as being not relevant or reasoned.<br />
<br />
<br />
<br />
3.2 The LSA does not follow the relevant and reasoned objections to the Draft Decision or is of the opinion that the objections are not relevant or reasoned<br />
<br />
20. On 1 July 2022, the IE SA provided to the CSAs an analysis of the objections raised by the CSAs in the Composite Response.<br />
<br />
21. The IE SA concluded that it would not follow the objections, and in addition, underlined that some of them are not in its view “relevant” and/or “reasoned” within the meaning of Article 4(24) GDPR and, otherwise, for the reasons set out in the Composite Response and below 20.<br />
<br />
3.3 Admissibility of the case<br />
<br />
22. The case at issue fulfils, prima facie, all the elements listed by Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA within the deadline provided by Article 60(4) GDPR, and the LSA has not followed objections or rejected them, for being in its views, as not relevant or reasoned.<br />
<br />
23. The EDPB takes note of WhatsApp IE's position that the EDPB should suspend the current Article 65 GDPR dispute resolution due to pending preliminary ruling proceedings before the Court of Justice of the EU (hereinafter, “CJEU”) 21. WhatsApp IE refers in particular to cases C-252/21 22 and C-446/21 23. Following its assessment, the EDPB decides to continue its proceedings on this Article 65 GDPR dispute resolution, as there is no explicit legal basis for a stay of the dispute resolution procedure in EU law, nor are existing CJEU rulings on the matter conclusive for the situation of the EDPB 24. Also, the EDPB takes into consideration the data subjects' right to have their complaints handled within a ‘reasonable period’ (Article 57(1)(f) GDPR), and to have their case handled within a reasonable time by EU bodies (Article 41 of the EU Charter). Moreover, ultimately there are remedies available to the affected parties in case of a discrepancy between the EDPB binding decision and CJEU rulings in the aforementioned cases 25.<br />
<br />
24. Considering the above, in particular that the conditions of Article 65(1)(a) GDPR are met, the EDPB is competent to adopt a binding decision, which shall concern all the matters which are the subject of the relevant and reasoned objection(s), (i.e. whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR) 26.<br />
<br />
20 Composite Response, paragraphs 36, 74, 78 and 80.<br />
21 WhatsApp IE's Article 65 Submissions, paragraph 2.11.<br />
22 Request for a preliminary ruling of 22 April 2021, Meta Platforms and Others, C-252/21.<br />
23 Request for a preliminary ruling of 20 July 2021, Schrems, C-446/21.<br />
24 Judgment of the CJEU of 28 February 1991, Delimitis, C-234/89, EU:C:1991:91; Judgment of the CJEU of 14 December 2000, Masterfoods, C-344/98, EU:C:2000:689. These cases concerned proceedings before the national courts, where the parties faced the risk of being confronted with a conflicting decision of the national judge that could be seen as de facto nullifying the Commission decision, a power which is retained by the CJEU. The current dispute resolution procedure concerns the adoption of an administrative decision, which can be subject to full judicial review.<br />
25 In case an action for annulment is brought against the EDPB decision(s) and found admissible, the General Court/CJEU has the opportunity to invalidate the decision of the EDPB. In addition, and if the General Court/CJEU were to deliver any judgment in the time between the adoption of the EDPB's Article 65 decision and the adoption of the IE SA's final decision, the IE SA may ultimately decide to revise the final national decision it takes following the EDPB's binding decision, if the CJEU's rulings give cause to do so, in accordance with the principle of cooperation as elaborated by the CJEU in its judgment of 12 January 2004, Kühne &amp; Heitz NV, C-453/00, EU:C:2004:17.<br />
<br />
<br />
25. The EDPB recalls that its current binding decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSA(s).<br />
<br />
3.4 Structure of the binding decision<br />
<br />
26. For each of the objections raised, the EDPB decides on their admissibility, by assessing first whether they can be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR as clarified in the Guidelines on the concept of a relevant and reasoned objection 27.<br />
<br />
27. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by that objection in this specific case. The EDPB will analyse the merits of the substantial issues raised by all objections it deems to be relevant and reasoned 28.<br />
<br />
<br />
<br />
4 ON WHETHER THE LSA SHOULD HAVE FOUND AN INFRINGEMENT<br />
<br />
FOR LACK OF APPROPRIATE LEGAL BASIS<br />
<br />
<br />
4.1 Analysis by the LSA inthe DraftDecision<br />
<br />
28. The IE SA concludes that the GDPR, the case law and the EDPB Guidelines relevant for the case do not preclude WhatsApp IE from relying on Article 6(1)(b) GDPR as a legal basis for the processing of users’ data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards.[29] Finding 2 of the Draft Decision reads “I find the Complainant’s case is not made out that the GDPR does not permit the reliance by WhatsApp on 6(1)(b) GDPR in the context of its offering of Terms of Service.”[30] In addition, the IE SA considers the Guidelines of the EDPB on processing for online services based on Article 6(1)(b) GDPR[31] as being “not strictly binding, nonetheless instructive in considering this issue”.[32]<br />
<br />
29. The IE SA understands the Complainant’s allegations as: firstly, the Complainant was given a binary choice: i.e. to either accept the Terms of Service and the associated Privacy Policy by selecting the<br />
<br />
26 Article 65(1)(a) in fine GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB.<br />
27 EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version 2 adopted on 9 March 2021 (hereinafter “Guidelines on RRO”). They were adopted on 9 March 2021, after the commencement of the inquiry by the IE SA relating to this particular case.<br />
28 See EDPB Guidelines on Article 65(1)(a), paragraph 63 (“The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Article 4(24) GDPR and, if so, address the merits of the objection in the binding decision”).<br />
29 Draft Decision, paragraphs 4.49 and 4.50.<br />
30 Draft Decision, Finding 2, p. 32.<br />
31 EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, version 2, adopted on 8 October 2019 (hereinafter “Guidelines 2/2019 on Article 6(1)(b) GDPR”).<br />
32 Draft Decision, paragraph 4.22.<br />
33 Draft Decision, paragraph 2.19.<br />
<br />
“accept” button, or cease using the service[34]; second that there was a lack of clarity on which specific legal basis WhatsApp IE relies on for each processing operation[35]; and the Complainant’s concern on WhatsApp IE’s reliance on Article 6(1)(b) GDPR to deliver its Terms of Service.[36]<br />
<br />
30. While the IE SA acknowledges that the EDPB considers in its Guidelines 2/2019 on Article 6(1)(b) GDPR that, as a general rule, processing for the provision of new services is not necessary for the performance of a contract for online service under Article 6(1)(b) GDPR, in this particular case, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, the IE SA concludes that WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as legal basis of the processing of users’ data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards.[37] In addition, the IE SA considers that “issues of interpretation and validity of national contract law are not directly within” their competence.[38]<br />
<br />
31. The IE SA disagrees with what it describes as a “very restrictive view on when processing should be deemed to be “necessary” for the performance of a contract” proposed by the Complainant and the EDPB.[39] The IE SA concludes that “core functions” cannot, however, be considered in isolation from the meaning of “performance”, the meaning of “necessity” as set out in the Draft Decision, and the content of the specific contract in question.[40] The IE SA considers that Article 6(1)(b) GDPR cannot be interpreted as requiring that it is impossible to perform the contract without the data processing operations in question.[41]<br />
<br />
32. The IE SA finds it important to have regard not just to the concept of what is “necessary”, but also to the concept of “performance” of the contract. According to the IE SA, a contract is performed when each party discharges their contractual obligations as has been agreed by reference to the bargain struck between the parties. While the IE SA agrees that the mere inclusion of a term in a contract does not necessarily mean that it is necessary to perform the particular contract, it stresses that regard must be had for what is necessary for the performance of the specific contract freely entered into by the parties.[42]<br />
<br />
33. Therefore, the IE SA notes that the inclusion of a term which does not relate to the core function of the contract could not be considered necessary for its performance.[43]<br />
<br />
34. For the purposes of identifying the “core” functions of the contract between WhatsApp IE and its users, the IE SA points out that the Complainant does not specify with any great precision the extent of the processing (or indeed the processing operation(s)) that the Complainant believes to not be necessary to perform the Terms of Service. The Complainant has however made some specific submissions arguing processing for service improvement, security, “exchange of data with affiliated companies” and that the processing of special categories of personal data is not necessary in order to fulfil the<br />
<br />
34 Draft Decision, paragraph 2.8.<br />
35 Draft Decision, paragraph 2.9.<br />
36 Draft Decision, paragraphs 2.9 and 4.9.<br />
37 Draft Decision, paragraph 4.49.<br />
38 Draft Decision, paragraphs 3.13, 4.11, 4.22, 4.39 and 4.44.<br />
39 Draft Decision, paragraphs 4.39 and 4.41.<br />
40 Draft Decision, paragraph 4.29.<br />
41 Draft Decision, paragraphs 4.47, 4.49 and 4.50.<br />
42 Draft Decision, paragraph 4.23.<br />
43 Draft Decision, paragraph 4.30.<br />
<br />
“core function” of a messaging and calling service such as the WhatsApp services. As a result, the Draft Decision focuses on these processing operations.[44]<br />
<br />
35. Although according to Guidelines 2/2019 on Article 6(1)(b) GDPR[45], processing cannot be rendered lawful by Article 6(1)(b) GDPR “simply because processing is necessary for the controller’s wider business model”, the IE SA considers that having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the provision of its service, including services for improvements and security features, insofar as this forms a core part of the service offered to and accepted by users.[46]<br />
<br />
36. Moreover, as described by the IE SA, a distinguishing feature of the WhatsApp IE’s service is that it regularly monitors its service in order to ensure it functions well (as distinct from the EDPB’s reluctance expressed in its Guidelines 2/2019 on Article 6(1)(b) GDPR with using data to bring about new services) and maintains certain security and abuse standards. Therefore, the IE SA concludes that the provision of this form of service is part of the substance and fundamental object of the contract.<br />
<br />
37. The IE SA considers that this information is both clearly set out and publicly available, hence it would be difficult to argue that this is not part of the mutual expectations of a prospective user and of WhatsApp IE. Moreover, the IE SA states that the service is advertised as being one that has these features, and so any reasonable user would expect and understand that this was part of the agreement, even if users would prefer the market would offer them better alternative choices.[47]<br />
<br />
38. Based on the foregoing, the IE SA reaches the conclusion that nothing in Guidelines 2/2019 on Article 6(1)(b) GDPR prevents WhatsApp IE, in principle, from relying on Article 6(1)(b) GDPR for these purposes.[48]<br />
<br />
39. The IE SA thus concludes that WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary on foot of the acceptance of the Terms of Service, including for regular improvements and maintaining standards of security.[49]<br />
<br />
40. The IE SA clarifies that, having regard to the scope of the complaint and its inquiry, the above conclusion cannot be construed as an indication that all processing operations carried out on users’ personal data are necessarily covered by Article 6(1)(b) GDPR.[50]<br />
<br />
41. The IE SA also notes that other provisions of the GDPR, such as those on transparency, act to strictly regulate the manner in which the WhatsApp IE services are to be delivered and the information that should be given to users, and decides to address it separately in its Draft Decision.[51]<br />
<br />
42. In a separate finding of its Draft Decision[52], the IE SA reiterates that in a previous inquiry on WhatsApp IE, an infringement of the GDPR was found as to its compliance with Article 12(1) and Article 13(1)(c)<br />
<br />
44 Draft Decision, paragraph 4.32.<br />
45 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 36.<br />
46 Draft Decision, paragraph 4.41.<br />
47 Draft Decision, paragraph 4.42.<br />
48 Draft Decision, paragraph 4.42.<br />
49 Draft Decision, paragraphs 4.47 and 4.49.<br />
50 Draft Decision, paragraph 4.50.<br />
51 Draft Decision, paragraph 4.47.<br />
52 Draft Decision, p. 37, Finding 3.<br />
<br />
GDPR for processing on foot of Article 6(1)(b) GDPR.[53] The IE SA recalls the general requirement of transparency under Article 5(a) GDPR[54], and its previous decision and the associated findings, including the imposition of a fine and an order to WhatsApp IE to bring its Privacy Policy into compliance.[55]<br />
<br />
4.2 Summary of the objections raised by the CSAs<br />
<br />
43. The DE SA, FI SA, FR SA, NL SA and NO SA object to Finding 2 of the Draft Decision and the assessment leading up to it. They consider that the IE SA should have found an infringement of Article 6(1) GDPR[56], in line with the EDPB’s interpretation of this provision.[57]<br />
<br />
44. In the DE SA’s view, contrary to the IE SA’s submissions in the Draft Decision, WhatsApp IE cannot rely on Article 6(1)(b) GDPR or any other legal bases of Article 6(1) GDPR for the processing of a user’s data. According to the DE SA, this constitutes a breach of the principle of lawfulness under Article 5(1)(a) and Article 6(1) GDPR. The DE SA is of the opinion also that the IE SA failed to impose an appropriate corrective measure in order to remedy these infringements. The DE SA puts forward the following arguments in support of the above allegations.<br />
<br />
45. First, the DE SA does not share the understanding of the IE SA regarding the binding nature of the Guidelines 2/2019 on Article 6(1)(b) GDPR. The DE SA agrees that guidelines are not legally binding in the same way as legal provisions are. It recalls however that they are instrumental for establishing uniform application of EU law according to Article 70(1)(e) GDPR, as well as for ensuring a consistent and high level of protection for natural persons in the light of recital 10 GDPR. The DE SA claims that the relevant and binding nature of guidelines for all supervisory authorities as such cannot be disputed.<br />
<br />
46. Second, the DE SA disputes the IE SA’s allegations that, on the one hand, the GDPR does not prohibit WhatsApp IE to rely on Article 6(1)(b) GDPR in connection with its offer of Terms of Service and, on the other hand, that the LSA is not competent to assess the validity of contracts, respectively the validity of the Terms of Service or individual clauses. In this regard, the DE SA notes that the IE SA has full competence according to Article 57(1)(a) GDPR to assess the validity of contracts.<br />
<br />
47. Moreover, as stated in the Guidelines 2/2019 on Article 6(1)(b) GDPR, a valid contract is a prerequisite for controllers to base their processing operations on Article 6(1)(b) GDPR. On that background, the DE SA points out that in order to monitor the application of Article 6(1)(b) GDPR, as required by Article 57(1)(a) GDPR, the IE SA must also verify the validity of the contract WhatsApp IE is relying upon. The DE SA adds that according to Article 5(2) GDPR, WhatsApp IE must also prove that such a contract has come into existence, meaning that an offer and corresponding acceptance of a contract is declared by the parties. In other words, it must be apparent to the contractual partner that they are not giving a (revocable) consent, but are concluding a contract. If this is not the case, the DE SA considers, as opposed to the IE SA[58], that WhatsApp IE cannot rely on the right to choose its own legal basis.<br />
<br />
53 IE SA’s decision of 20 August 2021 in inquiry reference IN-18-12-2 (hereinafter “the IE SA’s Decision on WhatsApp IE’s Transparency”), adopted following EDPB Binding Decision 1/2021 on the dispute arisen on the draft decision of the IE SA regarding WhatsApp IE under Article 65(1)(a) GDPR (hereinafter “EDPB Binding Decision 1/2021”).<br />
54 Draft Decision, paragraph 5.8.<br />
55 Draft Decision, paragraph 5.9.<br />
56 DE SA’s Objection, pp. 1-8; FI SA’s Objection, pp. 2-8; NL SA’s Objection, pp. 3-7; NO SA’s Objection, pp. 1-5; FR SA’s Objection, p. 9.<br />
57 Guidelines 2/2019 on Article 6(1)(b) GDPR.<br />
58 Draft Decision, Issue 3.<br />
<br />
48. Third, the DE SA objects to the IE SA’s finding[59] that the necessity of the processing is determined not by what is necessary to fulfil the objectives of “a social network“ in a general sense, but what is necessary to fulfil the core functions of the particular contract between WhatsApp IE and its users. Those core functions do not encompass the improvements to an existing service and maintaining certain security and abuse standards. The DE SA stresses that first WhatsApp IE is not a social network but a messaging service and that from the perspective of an average data subject, it is not a distinguishing characteristic of the WhatsApp IE services to improve their service constantly or maintain certain security standards. Therefore, according to Guidelines 2/2019 on Article 6(1)(b) GDPR[60], such processing cannot be rendered lawful by Article 6(1)(b) GDPR simply because the processing is necessary for the controller’s wider business model. Only the data processing that are actually necessary for the corresponding contractual purpose – the operation of the WhatsApp IE Services – can be justified on the basis of Article 6(1)(b) GDPR. In addition, pursuant to Article 32 GDPR, WhatsApp IE has the obligation to implement data security measures regardless of the content of the contract, so those measures are not to be considered as an essential element of the contract.<br />
<br />
49. The DE SA reiterates that Guidelines 2/2019 on Article 6(1)(b) GDPR explicitly limit the controller’s possibility to expand the categories of personal data or types of processing operations that are necessary for the performance of the contract. Based on this, the DE SA concludes that the interpretation of Article 6(1)(b) GDPR given in the Draft Decision would allow for bypassing the data protection principles, in particular the requirements for a valid consent, using the Terms of Services.<br />
<br />
50. Finally, with regard to the allegation in the Draft Decision that the Complainant did not specify “with any great precision” which processing operations she believes to be unlawful[61], the DE SA argues, referring to Article 77 GDPR, that the Complainant has no obligation to do so. The DE SA takes into account also that the only source of information about WhatsApp IE’s processing operations is the publicly available documents that are non-transparent.[62] In the DE SA’s view, it is the duty of WhatsApp IE to prove compliance in accordance with Article 5(2) GDPR. As a whole, the DE SA concludes that the processing described or indicated in the Terms of Service cannot be (fully) based on Article 6(1)(b) GDPR. Moreover, the DE SA considers that there is no other valid legal basis evident.<br />
<br />
51. The FI SA objects to the IE SA’s finding[63] that WhatsApp IE can rely on Article 6(1)(b) GDPR for all the processing operations set out in the Terms of Service, such as service improvements and security purposes. When it comes to the service improvements and security purposes of processing, the FI SA refers at the outset to Guidelines 2/2019 on Article 6(1)(b) GDPR[64] in order to justify its allegation that the processing of data for those purposes is not necessary for performing the key aspects of the contract and for this reason it cannot be based on Article 6(1)(b) GDPR.<br />
<br />
52. The FI SA contests the LSA’s statement that the legal concept of “core” processing falls out of the interpretation of GDPR.[65] In this respect the FI SA finds that the rationale behind Article 6(1)(b) GDPR is that it provides a legal basis for situations where processing of personal data will logically need to take place only in the course of the provisions of a contractual service. Furthermore, in relation to the IE SA’s allegation that the necessity of processing is to be determined by reference to the particular<br />
<br />
59 Draft Decision, paragraph 4.29.<br />
60 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 37.<br />
61 Draft Decision, paragraph 4.32.<br />
62 Draft Decision, Issue 3.<br />
63 Draft Decision, Finding 2, p. 32.<br />
64 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 25.<br />
65 Draft Decision, paragraph 4.11.<br />
<br />
contract, the FI SA highlights that the controller cannot include in the contract everything they wish to be legitimized under Article 6(1)(b) GDPR, without having for example to ensure that the data subject’s consent was obtained or to carry out balancing tests between their legitimate interests and the interests of the data subjects.<br />
<br />
53. In addition, referring to Guidelines 2/2019 on Article 6(1)(b) GDPR[66], the FI SA reaches the conclusion that neither WhatsApp IE, nor the IE SA in its Draft Decision have properly and objectively reasoned how the processing of personal data was necessary also from the user’s perspective and not only from the controller’s side. The FI SA contests the IE SA’s statements that, in general, a reasonable user would be well-informed about the processing covered by the contract[67], and that in the specific case the user is informed about the processing of personal data for service improvements and security purposes, therefore this processing is part of the mutual expectations of a prospective user and WhatsApp IE.[68] In addition, while the FI SA admits that service improvements and security might be a valid part of the WhatsApp IE services, it is of the opinion that processing for those purposes is not necessary for providing such services, as the WhatsApp IE services could be delivered in the absence of processing of such personal data. In addition, the FI SA maintains that the said processing activities are not necessary for the performance of the contract.<br />
<br />
54. Next, while the FI SA agrees that there is no hierarchy between legal bases, it points out that it is the responsibility of the controller to assess which legal basis is appropriate for the specific processing. When it comes to the IE SA’s argument that EDPB guidelines are not strictly binding[69], the FI SA recalls that the GDPR itself refers to the EDPB guidelines in its Article 70(1)(e) and therefore stresses the importance of the common position of supervisory authorities. The FI SA also highlights that the EDPB shall ensure the consistent application of the GDPR as laid down in Article 70(1) GDPR and enshrined in recital 10 GDPR.<br />
<br />
55. The FR SA objects to the conclusions in Part 4 of the Draft Decision, in particular points 4.47 and 4.49, that WhatsApp IE has not failed to fulfil its obligations under Article 6 GDPR, and, in addition, that WhatsApp IE is not required to rely on the legal basis of consent (Article 6(1)(a) GDPR). At the outset, the FR SA finds questionable the position adopted by the IE SA on WhatsApp IE’s reliance on Article 6(1)(b) GDPR for processing operations related to service improvements. The FR SA notes in this regard that the Draft Decision does not define what service improvement processing covers and does not provide enough elements on the categories of data used for service improvement purpose, which does not allow to pronounce on the applicable legal basis for the processing in question. Therefore, the FR SA requests that the IE SA completes its Draft Decision on this point, by providing more specific information and evidence. According to the FR SA, the main reason of the users’ registration to the WhatsApp services is not the use of their data to improve the messaging service. In the FR SA’s view, the fact that WhatsApp IE's processing operations for service improvement purpose are based on the legal basis of the contract, and that it is accepted by a simple validation of the Terms of Service, is not compliant with the applicable provisions.<br />
<br />
56. The FR SA considers that only the legal bases of legitimate interest and consent can be considered for processing operations related to service improvement purpose among those listed in Article 6 GDPR. Nevertheless, the FR SA submits that at first analysis, neither the conditions for the application of consent, nor the conditions for the application of legitimate interest seem to be met and WhatsApp IE<br />
<br />
66 Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 32, 48 and 49.<br />
67 Draft Decision, paragraph 4.36.<br />
68 Draft Decision, paragraph 4.42.<br />
69 Draft Decision, paragraph 4.22.<br />
<br />
could not use it for the implementation of the processing operations in connection with service improvements. In conclusion, since the IE SA does not define what is covered by the processing of data for service improvement purpose and the conditions of implementation, it is not easy for the FR SA to have a firm position on this point and so, on the legal basis that applies for the processing. The FR SA suggests that the IE SA should provide more specific evidence in its Draft Decision regarding this issue, in order to assess if the processing can, or cannot, be based on the legal basis of the legitimate interest. The FR SA states that in reaching the conclusion for lack of breach of Article 6(1) GDPR the LSA erred in its assessment of the facts of the case.<br />
<br />
57. The NL SA first observes that the IE SA failed to include sufficient analysis, evidence and research in its Draft Decision on what the purposes of processing selected are, and how data are used, making it difficult to apply Article 6 GDPR.[70] The NL SA then questions the validity of the contract between WhatsApp IE and users, and the NL SA argues that, as a result, grounding the processing on Article 6(1)(b) would be impossible.[71] The NL SA presents the following arguments. First, in the NL SA’s opinion, the Terms of Service and the Privacy Policy are lengthy and unclear.[72] Next, the NL SA notes that as a general rule, both parties must be aware of the substance of a contract, in order to willingly enter into it, and considers that ”the established serious lack of transparency on behalf of the controller, therefore leads to a reasonable doubt whether data subjects have indeed been able to enter into a contract with the controller both willingly and sufficiently informed”.[73] The NL SA compounds its doubts on the validity of the contract by arguing that WhatsApp IE presents a completely one-sided deal whereby an individual data subject has no influence on any of the terms.[74] The NL SA therefore considers that WhatsApp IE’s statement that it relies on Article 6(1)(b) GDPR for the WhatsApp services, in combination with documents with general descriptions of the services provided, and the IE SA’s reference to the controller’s right to choose its own legal basis to process data, are insufficient to accept that the performance of a contract can be used as a legal basis. Last, due to a lack of insight in the processing operations and the potential processing of children’s personal data or special categories of personal data, the NL SA has serious doubts on the validity of such a contract when children are involved.[75]<br />
<br />
58. Further to the foregoing, the NL SA also raises an objection with regard to the IE SA’s approach in its Draft Decision’s Finding 2. The NL SA deems the approach taken to be contradictory, given the fact the IE SA does not wish to enter into analysis of contract law, while at the same time certain concepts from contract law are presented, such as “performance” of a contract.[76] The NL SA argues there is a contradiction in the idea that a clear contract is present, while there are significant transparency issues at the same time. The NL SA notes that without entering into the specifics of contract law, regard must be had to the general rule that both parties must be aware of the substance of a contract as well as the obligations of both parties to the contract, in order to willingly enter into such contract.[77] In the NL SA’s view, the established serious lack of transparency on behalf of the controller gives rise to reasonable doubt in this regard.[78]<br />
<br />
70 NL SA’s Objection, paragraph 5.<br />
71 NL SA’s Objection, paragraph 10.<br />
72 NL SA’s Objection, paragraph 8.<br />
73 NL SA’s Objection, paragraph 12.<br />
74 NL SA’s Objection, paragraph 10.<br />
75 NL SA’s Objection, paragraph 10.<br />
76 NL SA’s Objection, paragraph 11.<br />
77 NL SA’s Objection, paragraph 12.<br />
78 Draft Decision, p. 31.<br />
<br />
59. Adding to that, the NL SA also notes that a relevant step is to assess whether the concrete data processing activities that are based on the contract, are actually necessary for performing the key aspects of the agreement.[79] The NL SA argues that the IE SA has not interpreted the term “necessary” in Article 6(1)(b) GDPR in line with the EDPB guidance, such as Guideline 2/2019 on Article 6(1)(b) GDPR, on this provision.[80] The NL SA adds that the IE SA also did not include any substantive investigation into what data subjects have understood to be the core of the service they have signed up to and whether they meant to give their consent for the processing of personal data or whether they intended to conclude an agreement with the controller.[81] In the NL SA’s view, the IE SA did not conduct a proper assessment on whether all processing operations could be based on a contract and if not, what other legal basis could be applicable.[82] The NL SA disagrees with the IE SA’s finding that the criterion of necessity laid down in Article 6(1)(b) GDPR is indirectly impacted by domestic contract law, since this criterion has an independent meaning in case law and in different EDPB guidelines.[83]<br />
<br />
60. The NO SA contests in essence the IE SA’s finding that WhatsApp IE can rely on Article 6(1)(b) GDPR as a legal basis for processing in the context of service improvements and security features and proposes imposing respective corrective measures. The NO SA questions whether the processing of personal data for the purposes of service improvements and security features is genuinely necessary for the performance of the contract in question. According to the NO SA, the Draft Decision enables controllers to artificially expand what can fall under Article 6(1)(b) GDPR. In support of the above objection, the NO SA advances the following arguments.<br />
<br />
61. First, the NO SA disagrees with the IE SA’s position that any processing of personal data included in contractual terms would automatically be lawful if framed in a particular manner. In that context, in the NO SA’s view, it is not the legislation which sets the boundaries for lawfulness under Article 5(1)(a) GDPR, but instead the individual contract, which makes the IE SA’s interpretation of Article 6(1)(b) GDPR incompatible with Article 8 of the EU Charter. Second, the NO SA suggests that Article 6(1)(b) GDPR should be interpreted in light of its wording, purpose and context. The NO SA considers that there would always need to be an in concreto assessment of what is necessary for the performance of the particular contract overall, on a case-by-case basis. The NO SA is of the opinion that the rationale behind the first alternative of Article 6(1)(b) GDPR is to provide a legal basis for situations where processing of personal data will logically need to take place in the course of the provision of a contractual service. In this sense, the NO SA claims that processing of personal data for the purposes of service improvements and security features as described in the Draft Decision is not a logical precondition for the messaging service that WhatsApp IE entails. Third, the NO SA believes that the IE SA’s interpretation of Article 6(1)(b) GDPR has the effect of undermining or circumventing the other legal bases of Article 6(1) GDPR.<br />
<br />
62. With such interpretation, the NO SA finds it hard to foresee when consent under Article 6(1)(a) GDPR would be relied upon as a legal basis. The same applies to situations invoking Article 9 GDPR. The NO SA suggests that there would be no use of the legal basis under Article 6(1)(a) and (f) GDPR, because for the controller it is much more convenient to rely on Article 6(1)(b) GDPR. Fourth, according to the NO SA, Article 7(4) GDPR entails that, if processing of personal data is in fact necessary for the performance of a contract, then a consent can be considered freely given even if the data subject is excluded from a service should they decline to give consent. The NO SA considers that under the<br />
<br />
79 NL SA’s Objection, paragraph 13.<br />
80 NL SA’s Objection, paragraph 16.<br />
81 NL SA’s Objection, paragraph 13.<br />
82 NL SA’s Objection, paragraph 33.<br />
83 NL SA’s Objection, paragraph 16.<br />
<br />
Adopted 18 interpretationput forwardbythe IE SA, generallyalmost allprocessing ofpersonaldata bynon-public<br />
entitiescould be framed asbeing necessaryfor the performance of a contract,alsoin the contextof<br />
Article 7(4) GDPR. The NO SA alleges that this would render Article 7(4) GDPR meaningless and<br />
<br />
withouteffect in practice,asit wouldneverbeinvoked. Thiswould, inthe NOSA’sview, render the<br />
take-it-or-leave-itconsents permissible.<br />
<br />
63. The NOSA submits thatthislower standardfor validconsent wouldinparticularbe problematic when<br />
consent serves asa basis for processing ofspecial categoryofpersonal datapursuant toArticle9(2)(a)<br />
<br />
GDPR,orasa Chapter V GDPRexemptionpursuant toArticle 49(1)(a)GDPR.<br />
<br />
64. Moreover, the NO SA advances the argument that data subjects may be de facto dependent on<br />
certain services and in lack of realistic alternatives to them, in particular due to network effects,<br />
therefore they will generallyhave little opportunity to negotiate standardised terms of service. This<br />
<br />
createsa take-it-or-leave-itsituation andanuneven playing field. The NO SA comesto theconclusion<br />
thatif rejectingthe contractualtermsis necessary inorder toprotectoneself from harm,so that one<br />
is subsequently excludedfrom the service, participatingindiscussions, corresponding withothersand<br />
<br />
receiving information becomes significantly more difficult. As a result, this interpretation could also<br />
adverselyaffectdatasubjects’freedomofexpressionandinformation.<br />
<br />
<br />
4.3 Position of the LSA on the objections<br />
<br />
65. The IESA considers thatthe objectionsabove are not relevant and/or not reasonedfor the purpose of<br />
Article60(4) GDPRanddecidesnot tofollow them 84.<br />
<br />
66. With regardtothe objections of the DE SA, FI SA, FR SA, NL SA andNO SA concerning WhatsApp IE’s<br />
<br />
possible reliance onArticle6(1)(b) GDPRasthe applicable basisfor personaldataprocessing, the IESA<br />
is ofthe opinion thatanassessment of the corefunctions ofthe contractinrequired.<br />
<br />
67. The IE SA acknowledges that there are different views on how the “core” elements of the Terms of<br />
Service areassessed,however itconsiders thatitdoesnotadopt amerelyformalapproachwithregard<br />
<br />
to Article 6(1)(b) GDPR that reliesonly on the textualcontent of the Termsof Service. Moreover, it<br />
considers thatanassessment of the core functions of the contract(not merely onthe writtenterms)<br />
is required,pursuant toArticle6(1)(b) GDPRandthe requirementfor thenecessity test 8.<br />
<br />
68. The IE SA considers that WhatsApp IE has not sought to make the WhatsApp services contingent on the Complainant’s consent to the Terms of Service. Moreover, it does not consider that the test for contractual necessity under Article 6(1)(b) GDPR would be reduced to an assessment of written contractual terms, without reference to the fundamental purpose of the contract. The Draft Decision does not take the view that all written contractual terms are necessary for the performance of a contract, thus the risks described in this regard are not relevant.[86]<br />
<br />
69. The IE SA notes that Article 6(1)(b) GDPR legitimises processing which is necessary for the performance of a contract (i.e. an agreement which serves the mutual interests of the parties). In addition, it is considered that a reasonable user would have had sufficient understanding that the service included the use of metrics for improvement. Accordingly, the IE SA disagrees with the interpretation of “core” contractual purposes, as suggested by the CSAs, and considers that the Terms of Service properly reflects the agreement entered into by the Complainant, nor does the restrictive interpretation reflect the purpose of Article 6(1)(b) GDPR.[87]<br />
<br />
[84] Composite Response, paragraphs 44, 45, 46, 48, 49, 72 and 73.<br />
[85] Composite Response, paragraphs 47-48.<br />
[86] Composite Response, paragraph 50.<br />
<br />
Adopted 19<br />
<br />
70. The IE SA states that the guidelines are not binding on supervisory authorities, however, they should be taken into account. However, the IE SA’s position is that the EDPB has not been provided with the legal power to mandate that certain categories of processing must be based on consent, to the exclusion of any other legal bases for processing. The IE SA’s view is that such a power is properly exercised from time to time by the EU legislator, in the form of specific legislative measures. In particular, it is noted that Guidelines 2/2019 on Article 6(1)(b) GDPR contain very general observations to the effect that personal data should not be used “generally” for service improvement pursuant to Article 6(1)(b) GDPR. The IE SA considers that under these guidelines, processing for service improvement is not prohibited, pursuant to Article 6(1)(b) GDPR, so long as it falls within the core or essential aspects of the service.[88]<br />
<br />
71. The IE SA recalls in this regard that the Draft Decision also assesses the core functions of WhatsApp IE’s Terms of Service.[89] The Draft Decision notes that any application of the principle of necessity must be specific to the agreement entered into between the parties. The Draft Decision states that processing should be regarded as necessary for the performance of a contract between the controller and the data subject if it is necessary to perform the clearly understood objectives of a contract. The Draft Decision also states that in order to understand the mutual understanding of a contract, it is necessary to have regard to the specific content of the agreement itself. Having conducted an assessment of the core or fundamental aspects of WhatsApp IE’s Terms of Service, the Draft Decision concludes that the nature of the service being offered on this occasion specifically included regular service improvement including dealing with abuse, as an aspect of the agreement between WhatsApp IE and its users.<br />
<br />
72. The IE SA clarifies that in reaching the above conclusion, it had regard to the expectations of users based on the specific content of the Terms of Service. The IE SA concludes on this basis that the processing should be regarded as necessary for the performance of WhatsApp IE’s Terms of Service. Moreover, the IE SA adopts the position that the mutual expectations of the parties as to the performance of the contract should consider the expectations and interests of both parties, as reflected in the contract itself.[90]<br />
<br />
73. The IE SA considers that the EU legislator did not limit the provision of Article 6(1)(b) GDPR only to processing which is strictly necessary for the delivery of goods and services to a data subject, nor are the contractual interests of the controller disregarded by this provision. In this regard, the IE SA notes that contracts may include aspects of performance, which are optional or contingent. In the IE SA’s view, Article 6(1)(b) GDPR is not limited to aspects of contractual performance which are expressly mandatory and unconditional obligations of the parties. Accordingly, the IE SA is not satisfied that the ability to opt-out of any particular processing must logically be construed as conclusive evidence that such processing is not necessary to perform a contract. The IE SA submits that the exercise of options by a data subject in the context of a contract does not necessarily undermine the agreement entered into, or the necessity of processing while such options are engaged. The IE SA refers to the CJEU case C-524/06[91] in support of its finding that necessity in the context of Article 6(1)(b) GDPR cannot be assessed by reference to hypothetical alternative forms of the WhatsApp IE services, as the CJEU has held in that case that processing which exceeds the most minimal level of processing possible, may be regarded as necessary, where it renders a lawful objective “more effective”. The IE SA states that it is not the role of supervisory authorities to impose specific business models on controllers.<br />
<br />
[87] Composite Response, paragraph 59.<br />
[88] Composite Response, paragraphs 66–69.<br />
[89] Draft Decision, paragraph 4.30.<br />
[90] Composite Response, paragraph 58.<br />
[91] Judgment of 18 December 2008, Heinz Huber v. Bundesrepublik Deutschland, C-524-06, EU:C:2008:724.<br />
<br />
<br />
74. The IE SA, taking into account the specific facts of this case, considers that WhatsApp IE as a controller has not attempted to artificially include processing which is not necessary for the fundamental purpose of its services. The IE SA considers that Guidelines 2/2019 on Article 6(1)(b) GDPR confirm the legal position, which is that service improvement processing pursuant to Article 6(1)(b) GDPR is not prohibited per se, as long as it falls within the core or essential aspects of the service.<br />
<br />
<br />
4.4 Analysis of the EDPB<br />
<br />
<br />
4.4.1 Assessment of whether the objections were relevant and reasoned<br />
<br />
75. The objections raised by the DE SA, FI SA, FR SA, NL SA, and NO SA concern “whether there is an infringement of the GDPR”.[92] Additionally, the DE SA and NO SA’s objections also concern “whether the action envisaged in the Draft Decision complies with the GDPR”.[93]<br />
<br />
76. The EDPB takes note of WhatsApp IE’s view that not a single objection put forward by the CSAs meets the threshold of Article 4(24) GDPR.[94] From a general standpoint, WhatsApp IE argues that “to the extent Objections relate to matters which are outside of the Defined Scope of Inquiry, as identified in the Draft Decision, they fail to satisfy the requirements of Article 4(24) GDPR and as such are not “relevant and reasoned”.”[95] Contrary to WhatsApp IE’s position on relevance,[96] objections can have bearing on the “specific legal and factual content of the Draft Decision”, despite not aligning with the scope of the inquiry as defined by an IE SA. Furthermore, the EDPB does not accept WhatsApp IE’s narrowing the scope of the ”reasoned” criterion to arguments on issues that have been investigated or addressed in the inquiry,[97] as no such limitation can be read in Article 4(24) GDPR.[98]<br />
<br />
77. Contrary to WhatsApp IE’s argument that CSAs may not object to the scope of the inquiry as decided by the IE SA, the EDPB does not share this reading of Article 65 GDPR. Furthermore, this possibility is explicitly stated in the RRO Guidelines, especially regarding complaint-based investigations.[99]<br />
<br />
<br />
<br />
<br />
<br />
[92] Guidelines on RRO, paragraph 24.<br />
[93] Guidelines on RRO, paragraph 32.<br />
[94] WhatsApp IE’s Article 65 Submissions, Annex 1, p. 75-120.<br />
[95] WhatsApp IE’s Article 65 Submissions, paragraph 3.3.<br />
[96] WhatsApp IE cites the Guidelines on RRO, which state that “[a]n objection should only be considered relevant if it relates to the specific legal and factual content of the Draft Decision” (paragraph 14) to draw the conclusion that any objection raising matters outside the scope of the inquiry is not relevant. See WhatsApp's Article 65 Submissions, paragraph 3.3. The EDPB notes that paragraph 14 of the Guidelines on RRO draws a distinction between relevant objections and “abstract or broad concerns or remarks” on the one hand and “minor disagreements” on the other. Moreover, this paragraph should be read in conjunction with paragraph 27 of the Guidelines on RRO.<br />
[97] WhatsApp IE’s Article 65 Submissions, paragraph 3.3.<br />
[98] Guidelines on RRO, paragraph 16-19.<br />
[99] Guidelines on RRO, paragraph 27: “For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to properly handle the complaint and to safeguard the rights of the data subject.”<br />
<br />
<br />
<br />
<br />
78. WhatsApp IE also states that “were the EDPB to expand the scope of the Inquiry as set by the DPC at this stage, in the manner proposed in the Objections, this could not be reconciled with the procedural requirements of Irish or European Union (“EU”) law, and would infringe WhatsApp IE’s legitimate expectations, right to fair procedures and due process (including the right to be heard), and rights of the defence”.[100] Despite claiming it is “clear”, WhatsApp IE does not demonstrate in which manner its procedural rights would be breached, just by the mere fact that the EDPB finds specific objections admissible. This is especially questionable, since admissibility determines the competence of the EDPB, but not the outcome of the dispute between the LSA and the CSAs. Likewise, WhatsApp IE does not explain how the mere act of considering the merits of admissible objections inevitably and irreparably breaches the procedural rights cited by WhatsApp IE.[101] Accepting WhatsApp IE’s interpretation would severely limit the EDPB’s possibility to resolve disputes arising in the one-stop-shop, and thus undermine the consistent application of the GDPR. The objections of the DE SA, FI SA, FR SA, NL SA, and NO SA on the finding of an infringement all have a direct connection with the Draft Decision as they refer to a specific part of the latter, which is Finding 2. All of those objections concern “whether there is an infringement of the GDPR” as they argue that the IE SA should have found an infringement of Article 6 GDPR[102] or Article 6(1)(b) GDPR. As the IE SA considered that Article 6(1)(b) GDPR was not breached, the objections entail a need for a change of the IE SA’s Draft Decision leading to a different conclusion. Consequently, the EDPB finds that the DE SA, FI SA, FR SA, NL SA, and NO SA’s objections relating to the infringement of Article 6 or Article 6(1)(b) GDPR relevant.<br />
<br />
<br />
79. The part of the DE SA’s objection arguing that the IE SA should find an infringement of Article 5(1)(a) GDPR and impose the erasure of unlawfully processed personal data and the ban of the processing of data, and the part of the NO SA’s objection arguing that the IE SA should order WhatsApp IE to “delete personal data” and “impose an administrative fine” are linked to the IE SA’s Finding 2 of the Draft Decision with regard to Article 6(1)(b) GDPR. Therefore, they are directly connected with the substance of the Draft Decision and, if followed, would lead to a different conclusion, namely a change in this Finding. Thus, the EDPB considers that these parts of the DE SA and NO SA’s objections are also relevant.<br />
<br />
<br />
80. The objections of the DE SA, FI SA, FR SA, NL SA, and NO SA all include arguments on legal/factual mistakes in the Draft Decision that require amending. More specifically, these CSAs provide arguments to challenge the Draft Decision’s consideration that WhatsApp IE can rely on Article 6(1)(b) GDPR as a lawful basis for personal data processing as specified in the Terms of Service.[103] The IE SA held that the GDPR permits the reliance, by WhatsApp IE, on Article 6(1)(b) GDPR in the context of its offering of Terms of Service[104] including the processing of users’ data in relation to improvement of the existing service and the maintenance of security standards.[105] This view is challenged in broad terms as well as in detail. Some of the CSAs provide arguments challenging the validity of the contract on which the use of Article 6(1)(b) GDPR as a legal basis depends, and which the IE SA accepts.[106] Some of the CSAs express that Article 6(1)(b) GDPR as a legal basis cannot be relied upon regarding the purpose of service improvements[107] and standards of security.[108]<br />
<br />
[100] WhatsApp IE’s Article 65 Submissions, paragraph 3.13.<br />
[101] The EDPB fails to see how, for instance, declaring an objection admissible but rejecting it on the merits could impinge on the procedural rights of the controller involved in the underlying case.<br />
[102] As specified in the objections of the DE SA, FR SA and NL SA.<br />
[103] Draft Decision, paragraph 4.<br />
[104] Draft Decision, paragraph 4.50.<br />
[105] Draft Decision, paragraph 4.49.<br />
[106] DE SA’s Objection, pp. 3-4; FI SA’s Objection, paragraphs 21-24; NL SA’s Objection, paragraph 26.<br />
<br />
81. Some CSAs[109] recall, while referring to the terms of Guidelines 2/2019 on Article 6(1)(b) GDPR,[110] that it is the fundamental and mutually understood – by the parties of the contract – contractual purpose, which justifies that the processing is necessary. This purpose is not only based on the controller’s perspective but also on a reasonable data subject’s perspective when entering into the contract and thus on “the mutual perspectives and expectations of the parties to the contract”. The FR SA and the NO SA[111] disagree with the Draft Decision in that the purposes of service improvement are described in the Draft Decision in very broad and vague terms, are not a logical precondition for the actual contractual service of WhatsApp IE and are not the main reason of a user’s registration to the WhatsApp services. The FI SA adds that most users, including the Complainant, are likely unaware of this processing of personal data in the context of the WhatsApp IE services.[112]<br />
<br />
<br />
82. The DE SA, FI SA, FR SA, NL SA, and NO SA’s objections also identify risks posed by the Draft Decision as drafted in the current manner, in particular the interpretation of Article 6(1)(b) GDPR that could be invoked by any controller for any processing would undermine or bypass data protection principles,[113] would lower the threshold for legality of data processing[114] and thus endanger the rights of data subjects within the EEA.[115] As an example, the NO SA highlights that ”if it is possible to frame almost any processing of personal data in contractual terms such that it automatically becomes lawful, as would be the result pursuant to the [Draft Decision], data subjects would in reality have no control of their personal data”,[116] while “the FI SA stresses that this would create a significant risk that the principle of lawfulness and fairness is circumvented”.[117]<br />
<br />
83. WhatsApp IE contends that in terms of risk, the objections must ”demonstrate the likelihood of a direct negative impact of a certain significance of the Draft Decision on fundamental rights and freedoms under the EU Charter and not just any data subject rights”.[118] WhatsApp IE thus adds a condition to Article 4(24) GDPR, which is not supported by the GDPR.[119]<br />
<br />
<br />
84. Considering the objections of the CSAs and the arguments brought forward by WhatsApp IE, the EDPB finds the objections of the DE SA, FI SA, FR SA, NL SA and NO SA on the finding of an infringement of Article 6 or Article 6(1)(b) GDPR reasoned.<br />
<br />
<br />
<br />
<br />
[107] FI SA’s Objection, paragraphs 21-24; FR SA’s Objection, paragraphs 8-16; NO SA’s Objection, pp. 7-8.<br />
[108] FI SA’s Objection, paragraph 31; the DE SA’s Objection mentions that security measures are not part of the contract but a legal obligation under Article 32 GDPR, p. 5.<br />
[109] DE SA’s Objection, p. 5; FI SA’s Objection, paragraph 31; FR SA’s Objection, paragraph 10; NO SA’s Objection, p. 6.<br />
[110] Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 32 and 33.<br />
[111] FR SA’s Objection, paragraphs 13-14; NO SA’s Objection, pp. 3-4.<br />
[112] FI SA’s Objection, paragraph 22.<br />
[113] DE SA’s Objection, pp. 7-8.<br />
[114] NL SA’s Objection, paragraphs 28-29.<br />
[115] FR SA’s Objection, paragraphs 50-51.<br />
[116] NO SA’s Objection, p. 8.<br />
[117] FI SA’s Objection, paragraph 33.<br />
[118] WhatsApp IE’s Article 65 Submissions, Annex 1, p. 73.<br />
[119] Article 1(2) GDPR provides that the GDPR itself “protects fundamental rights and freedoms of natural persons and in particular their right to protection of personal data”, which directly stems from Article 8(1) of the EU Charter. Therefore, there is no reason to draw a distinction between the data subject rights protected by the GDPR and the fundamental rights protected under the EU Charter when interpreting Article 4(24) GDPR.<br />
<br />
<br />
85. As regards the parts of the DE SA and NO SA’s objections requesting the finding of an infringement of Article 5(1)(a) GDPR and specific corrective measures under Article 58 GDPR for the infringement of Article 6(1)(b) GDPR, the EDPB considers that these parts of the objections do not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision leading to the finding of an infringement of Article 5(1)(a) GDPR or to the imposition of the specific corrective measures mentioned above. Likewise, the significance of the risk for data subjects, which stems from the IE SA’s Draft Decision not to conclude on the infringement of Article 5(1)(a) GDPR and not to impose the requested corrective measures, is not sufficiently demonstrated.<br />
<br />
86. Considering the above, the EDPB finds that the objections of the DE SA, FI SA, FR SA, NL SA and NO SA on the finding of an infringement of Article 6 or Article 6(1)(b) GDPR are relevant and reasoned in accordance with Article 4(24) GDPR.<br />
<br />
87. However, the parts of the DE SA and NO SA’s objections concerning the additional infringement of Article 5(1)(a) GDPR and the imposition of specific corrective measures are not “reasoned” and do not meet the threshold of Article 4(24) GDPR.<br />
<br />
<br />
4.4.2 Assessment on the merits<br />
<br />
88. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.<br />
<br />
89. Based on the documents transmitted by the IE SA, the EDPB understands that the purposes of the processing operations covered by these objections are the following: (i) service improvements, and (ii) “safety and security”. In its Terms of Service, WhatsApp IE refers to its own definition of safety and security as follows: "We work to protect the safety and security of WhatsApp by appropriately dealing with abusive people and activity and violations of our Terms. We prohibit misuse of our Services, harmful conduct towards others, and violations of our Terms and policies, and address situations where we may be able to help support or protect our community. We develop automated systems to improve our ability to detect and remove abusive people and activity that may harm our community and the safety and security of our Services. If we learn of people or activity like this, we will take appropriate action by removing such people or activity or contacting law enforcement. We share information with other affiliated companies when we learn of misuse or harmful conduct by someone using our Services."<br />
<br />
90. As a preliminary remark, the EDPB notes, as observed by the NL SA, that the purposes are vague, especially the one on “safety and security”, mentioned by WhatsApp IE in its Terms of Service. The EDPB understands from the short description provided under the relevant section of WhatsApp IE's Terms of Service that it refers to “misuse” of WhatsApp services, “harmful conduct”, and activities that would violate WhatsApp IE’s Terms of Service. In its Draft Decision, the IE SA considered that the Complainant did not identify particular processing operations with any degree of specificity, and that complaints should in general have a reasonable degree of specificity, and, hence addressed the issue of Article 6(1)(b) GDPR in principle. In doing so, the Draft Decision refers to various terms: “abusive activity” (which is referred to in WhatsApp IE’s Terms of Service),[120] “fraud”[121] and “security” without further description[122] (which is referred to in WhatsApp IE’s Terms of Service), which do not bring clarity and/or more specificity on this purpose. Based on these elements, and considering that WhatsApp IE’s Terms of Service refer to another purpose of processing than the security carried out by technical and organisational measures in order to secure the processing of personal data, networks and services or processing to which WhatsApp IE is entitled or obliged under other legal provisions (e.g. technical and organisational measures applied to protect personal data, for instance as required under Article 32 GDPR[123]), the EDPB is excluding “IT Security” from its assessment of the merits hereinafter. On a similar note, the EDPB highlights that when the purpose of the processing is “IT Security”, for instance in the meaning of Article 32 GDPR, the purpose of the processing has to be clearly and specifically identified by the controller.[124]<br />
<br />
[120] Draft Decision, paragraphs 4.36, 4.41, 4.42.<br />
[121] Draft Decision, paragraphs 4.38 and 4.49.<br />
[122] Draft Decision, paragraphs 4.40, 4.42, 4.47, 4.49.<br />
<br />
91. The EDPB considers that the objections found to be relevant and reasoned in this subsection[125] require an assessment of whether the Draft Decision needs to be changed insofar as it rejects the Complainant’s claim that the GDPR does not permit WhatsApp IE’s reliance on Article 6(1)(b) GDPR for the processing operations set out in its Terms of Service. When assessing the merits of the objections raised, the EDPB also takes into account WhatsApp IE’s position on the objections and its submissions.<br />
<br />
92. The CSAs seek in essence to establish whether Article 6(1)(b) GDPR could serve as a valid legal basis for the processing of personal data at issue, namely for service improvements and security features, in the specific case and to establish whether there is an infringement of Article 6(1) GDPR.<br />
<br />
93. The CJEU has found that so far as concerns the principles relating to lawfulness of processing, Article 6 GDPR sets out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful. Thus, in order to be considered lawful, processing must fall within one of the cases provided for in Article 6 GDPR[126] and it is the controller’s obligation to provide and to be able to prove that the correct legal basis is applied for the respective processing.<br />
<br />
94. The EDPB considers that there is sufficient information in the file for it to decide whether the IE SA needs to change its Draft Decision insofar as it rejects the Complainant’s claim that the GDPR does not permit WhatsApp IE’s reliance on Article 6(1)(b) GDPR to process personal data in the context of its offering of its Terms of Service.<br />
<br />
<br />
95. As described above, in Section 4.3, the IE SA concludes in Finding 2 of its Draft Decision that the Complainant’s case is not made out that the GDPR does not permit the reliance by WhatsApp IE on Article 6(1)(b) GDPR in the context of the latter offering its Terms of Service. Neither Article 6(1)(b) GDPR nor any other provision of the GDPR precludes WhatsApp IE from relying on Article 6(1)(b) GDPR as a legal basis to deliver a service, including the improvement of the existing service and the maintenance of security standards insofar as that forms a core part of the service.[127] The IE SA considers that, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, WhatsApp IE may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the provision of its WhatsApp services, on foot of the Complainant’s acceptance of the Terms of Service.[128] The IE SA considers that this information is clearly set out, publicly available and understandable by any reasonable user.[129] WhatsApp IE supports the IE SA’s conclusion.[130]<br />
<br />
[123] WhatsApp IE may also fall under legal duties to protect the security of its networks and services, as required by other laws. See for instance Article 40 of the European Electronic Communications Code established under Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018.<br />
[124] See Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 16.<br />
[125] Objections concerning the issue on the applicability of Article 6(1)(b) GDPR for purposes of service improvement and security features were raised by the DE SA, FI SA, FR SA, NL SA, and NO SA.<br />
[126] Judgment of 11 December 2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraphs 37 and 38.<br />
[127] Draft Decision, paragraph 4.49.<br />
[128] Draft Decision, paragraph 4.50.<br />
<br />
96. To assess the IE SA and WhatsApp IE’s claims, the EDPB considers it necessary to recall the general objectives that the GDPR pursues, which must guide its interpretation, together with the wording of its provisions and its normative context.[131]<br />
<br />
97. The GDPR develops the fundamental right to the protection of personal data found in Article 8(1) of the EU Charter and Article 16(1) of the Treaty on the Functioning of the EU, which constitute EU primary law.[132] As the CJEU clarified, ”an EU act must be interpreted, as far as possible, in such a way as not to affect its validity and in conformity with primary law as a whole and, in particular, with the provisions of the Charter. Thus, if the wording of secondary EU legislation is open to more than one interpretation, preference should be given to the interpretation which renders the provision consistent with primary law rather than to the interpretation which leads to its being incompatible with primary law”.[133] In view of rapid technological developments and increases in the scale of data collection and sharing, the GDPR creates a strong and more coherent data protection framework in the EU, backed by strong enforcement, and built on the principle that natural persons should have control over their own personal data.[134] By ensuring a consistent, homogenous and equivalent high level of protection throughout the EU, the GDPR seeks to ensure the free movement of personal data within the EU.[135] The GDPR acknowledges that the right to data protection needs to be balanced against other fundamental rights and freedoms, such as the freedom to conduct a business, in accordance with the principle of proportionality[136] and has these considerations integrated into its provisions. The GDPR, pursuant to EU primary law, treats personal data as a fundamental right inherent to data subjects and their dignity, and not as a commodity they can trade away through a contract.[137] The CJEU provided additional interpretative guidance by asserting that the fundamental rights of data subjects to privacy and the protection of their personal data override, as a rule, a controller’s economic interests.[138]<br />
<br />
<br />
98. The principle of lawfulness under Article 5(1)(a) and Article 6 GDPR is one of the main safeguards to the protection of personal data. It follows a restrictive approach whereby a controller may only process the personal data of individuals if it is able to rely on one of the bases found in the exhaustive and restrictive list of the cases in which the processing of data is lawful under Article 6 GDPR.[139]<br />
<br />
99. The principle of lawfulness goes hand in hand with the principles of fairness and transparency in Article 5(1)(a) GDPR. The principle of fairness includes, inter alia, recognising the reasonable expectations of data subjects, considering possible adverse consequences a processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller.[140]<br />
<br />
[129] Draft Decision, paragraph 4.42.<br />
[130] WhatsApp IE’s Article 65 Submission, paragraph 5.47.<br />
[131] Judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraph 121.<br />
[132] Recitals 1 and 2 GDPR.<br />
[133] Judgment of 21 June 2022, Ligue des droits humains v. Conseil des ministres, C-817/19, EU:C:2022:491, paragraph 86; and judgment of 2 February 2021, Consob, C-481/19, EU:C:2021:84, paragraph 50 and the case-law cited.<br />
[134] Article 1(1)(2) and recitals 6 and 7 GDPR.<br />
[135] Article 1(3) and recitals 9, 10 and 13 GDPR.<br />
[136] Recital 4 GDPR.<br />
[137] Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 54.<br />
[138] Judgment of 13 May 2014, Google Spain SL, C-131/12, EU:C:2014:317, paragraphs 97 and 99.<br />
[139] Judgment of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 37.<br />
<br />
100. The EDPB agrees with the IE SA and WhatsApp IE that there is no hierarchy between Article 6(1) legal bases.[141] However, this does not mean that a controller, as WhatsApp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal bases established under Article 6 GDPR if it is appropriate for the processing in question.[142] A specific legal basis will be appropriate insofar as the processing can meet its requirements set by the GDPR[143] and fulfil the objective of the GDPR to protect the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. A legal basis will not be appropriate if its application to a specific processing defeats this practical effect (“effet utile”) pursued by the GDPR and its Article 5(1)(a) and Article 6 GDPR.[144] These criteria stem from the content of the GDPR[145] and the interpretation favourable to the rights of data subjects to be given thereto described in paragraph 97 above.<br />
<br />
<br />
101. The GDPR makes WhatsApp IE, as the controller for the processing at stake, directly responsible for complying with the GDPR’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom.[146] This obligation applies even where the practical application of GDPR principles such as those of Article 5(1)(a) and Article 5(2) GDPR are inconvenient or run counter to the commercial interests of WhatsApp IE. The controller is also obliged to be able to demonstrate that it meets these principles and any obligations derived therefrom, such as that it meets the specific conditions applicable to each legal basis.[147] More specifically, this condition to be able to rely on Article 6(1)(b) GDPR as a legal basis to process the data subject’s data implies that a controller, in line with its accountability obligations under Article 5(2) GDPR, has to be able to demonstrate that (a) a contract exists and (b) the contract is valid pursuant to applicable national contract laws.[148]<br />
<br />
102.The EDPB agrees that supervisory authorities do not have, under the GDPR, a broad and general<br />
competence incontractualmatters.However,theEDPB considers thatthe supervisory tasks, thatthe<br />
<br />
GDPR bestows on supervisory authorities, imply a limited competence to assess a contract’sgeneral<br />
<br />
140<br />
See, recital39GDPRandGuidelines2/2019onArticle6(1)(b)GDPR,paragraphs11and12.<br />
141DraftDecision,paragraph2.9,andWhatsAppIE'sArticle65Submission,paragraph8.34.<br />
14As mentionedinGuidelines 2/2019onArticle6(1)(b)GDPR,paragraph18,theidentificationoftheappropriate<br />
lawfulbasisistiedtotheprinciplesoffairnessandpurposelimitation.Itwillbedifficultforcontrollerstocomply<br />
<br />
withtheseprinciplesiftheyhavenotfirstclearlyidentifiedthepurposes oftheprocessing,oriftheprocessing<br />
of personal data goes beyondwhat is necessaryfor thespecified purposes. SeealsoSection 5 below on the<br />
potentialadditionalinfringementoftheprinciplesoffairness,purposelimitationanddataminimisation.<br />
143Judgmentof11December2019,TK v Asociaţiade Proprietari blocM5A -ScaraA,C-708/18,EU:C:2019:1064,<br />
paragraph37.<br />
144<br />
Judgment of 18 December 2008, Heinz Huber v. BundesrepublikDeutschland, C-524-06, EU:C:2008:724,<br />
paragraph52 on the concept of necessitybeing interpreted in a manner that fully reflects theobjectiveof<br />
Directive95/46/EC.Ontheimportanceofconsideringthepracticaleffect(“effetutile”)soughtbyEUlawinits<br />
interpretation,seealsoforinstance:judgmentof21June2022,Liguedesdroitshumainsv.Conseildesministres,<br />
<br />
C-817/19,EU:C:2022:491,paragraph195;andjudgmentof17September2002,MuñozandSuperiorFruiticola,<br />
C-253/00,EU:C:2002:497,paragraph30.<br />
145Article1(1)(2)and(5)GDPR.<br />
146Article5(2)GDPR“Principleofaccountability”ofcontrollers;seealsoOpinionoftheAdvocateGeneralof20<br />
<br />
147tember2022,MetaPlatformse.a.,C-252/21,,EU:C:2022:704,paragraph52.<br />
Guidelines2/2019onArticle6(1)(b)GDPR,paragraph26.<br />
14EDPBBindingdecision2/2022onthedisputearisenonthedraftdecisionoftheIESAregardingMetaPlatforms<br />
Ireland Limited (Instagram) under Article65(1)(a) GDPR, adopted on 28July2022(hereinafter“EDPB Binding<br />
decision2/2022”),paragraph84.<br />
<br />
<br />
<br />
<br />
validity insofar as this is relevant to the fulfilment of their tasks under the GDPR[149]. Otherwise, the supervisory authorities would see their monitoring and enforcement task under Article 57(1)(a) GDPR limited to actions, such as verifying whether the processing at stake is necessary for the performance of a contract (Article 6(1)(b) GDPR), and whether a contract with a processor under Article 28(3) GDPR and data importer under Article 46(2) GDPR includes appropriate safeguards pursuant to the GDPR.<br />
<br />
103. The DE SA and NL SA[150] argue that the validity of the contract for the WhatsApp services between the latter and the Complainant is questionable given the serious transparency issues in relation to the legal basis relied on[151]. In contract law, as a general rule, both parties must be aware of the substance of the contract and of the obligations of both parties to the contract in order to willingly enter into such contract.<br />
<br />
104. Notwithstanding the possible invalidity of the contract, the EDPB refers to its previous interpretative guidance on this matter[152] to provide below its analysis on whether the processing for the purposes of service improvement and security features[153] is objectively necessary for WhatsApp IE to provide its services to users based on its Terms of Service and the nature of the services.<br />
<br />
105. The EDPB recalls[154] that for the assessment of necessity under Article 6(1)(b) GDPR, “[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance”[155]. As the EDPB has previously stated, regard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject[156].<br />
<br />
106. Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract[157].<br />
<br />
107. The IE SA accepts “that, as a general rule, the EDPB considers that processing for the provision of new services […] would not be necessary for the performance of a contract for online services”[158]. However, the IE SA considers that in this particular case, having regard to the specific terms of the contract and the nature of the services provided and agreed upon by the parties, WhatsApp IE may in principle rely on Article 6(1)(b) GDPR to process the user’s data necessary for the provision of its service, including through the improvement of the existing service and the maintenance of security standards.<br />
<br />
108. In particular, the IE SA views service improvement to an existing service and “a commitment to uphold certain standards relating to abuse, etc.” as a “core” element of the contract between WhatsApp IE<br />
<br />
[149] EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 9 and 13.<br />
[150] DE SA’s Objection, p. 3; NL SA’s Objection, paragraph 10.<br />
[151] Draft Decision, paragraph 5.9.<br />
[152] Guidelines 2/2019 on Article 6(1)(b) GDPR.<br />
[153] For the term security, see paragraph 90 of this binding decision.<br />
[154] EDPB Binding decision 2/2022, paragraph 89.<br />
[155] Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 Directive 95/46/EC, WP217, adopted on 9 April 2014 (hereinafter, “WP29 Opinion 06/2014 on the notion of legitimate interests”), p. 17.<br />
[156] Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 30.<br />
[157] EDPB Binding decision 2/2022, paragraph 90.<br />
[158] Draft Decision, paragraph 4.49.<br />
<br />
and the users[159]. In support of this consideration, the IE SA refers to the information provided in the WhatsApp Terms of Service under the headings: “Ways To Improve Our Services.” and “Safety And Security.”[160] The IE SA considers that it is clear that the WhatsApp services are advertised (and widely understood) as ones that requires updates and improvement and so, that any reasonable user would “be well-informed that this is precisely the nature of the service being offered by WhatsApp and contained within the contract”[161].<br />
<br />
109. The EDPB is of the opinion that WhatsApp IE is under the legal duty to assess whether the processing of all its users data is necessary for the purpose of service improvements or if there are alternative, less intrusive ways to pursue this purpose (e.g. instead of relying on all users' data for the purpose of service improvements, rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose).<br />
<br />
110. On this issue, the EDPB recalls that the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR[162]. Accordingly, the concept of necessity under Article 6(1)(b) GDPR cannot be interpreted in a way that undermines this provision and the GDPR’s general objective of protecting the right to the protection of personal data[163] or contradicts Article 8 of the EU Charter. On the processing of data in the WhatsApp services, Advocate General Rantos supports a strict interpretation of Article 6(1)(b) GDPR among other legal basis, particularly to avoid any circumvention of the requirement for consent[164].<br />
<br />
111. The EDPB finds that an average user cannot fully grasp what is meant by processing for service improvement and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on WhatsApp IE’s Terms of Service. Advocate General Rantos expresses similar doubts where he states, in relation to Facebook behavioural advertising practices, “According to the case-law of the Court of Justice, the processing must be objectively necessary for the performance of the contract in the sense that there must be no realistic, less intrusive alternatives, taking into account the reasonable expectations of the data subject. It also concerns the fact that, where the contract consists of several separate services or elements of a service that can be performed independently of one another, the applicability of Article 6(1)(b) of the GDPR should be assessed in the context of each of those services separately”[165] and adds in a footnote that “Moreover, although merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b) of the GDPR, processing may be<br />
<br />
[159] Draft Decision, paragraph 4.41.<br />
[160] Draft Decision, paragraphs 4.34 and 4.35.<br />
[161] Draft Decision, paragraph 4.36.<br />
[162] See paragraphs 103-105 above on the principles guiding the interpretation of the GDPR and its provisions. The CJEU also stated in Huber that “what is at issue is a concept [necessity] which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that Directive, [Directive 95/46], as laid down in Article 1(1) thereof”. Judgment of 18 December 2008, Heinz Huber v Bundesrepublik Deutschland, C-524/06, EU:C:2008:724, paragraph 52.<br />
[163] Article 1(2) GDPR.<br />
[164] Opinion of the Advocate General of 20 September 2022, Meta Platforms e.a., C-252/21, EU:C:2022:704, paragraph 51. The EDPB refers to the Advocate General’s Opinion in its Binding Decision as an authoritative source of interpretation to underline the EDPB’s reasoning on the processing of data in the Facebook service, without prejudice to the case-law that the CJEU may create with its future judgments on Cases C-252/21 and C-446/21.<br />
[165] Opinion of the Advocate General of 20 September 2022, Meta Platforms e.a., C-252/21, EU:C:2022:704, paragraph 54.<br />
<br />
objectively necessary even if not specifically mentioned in the contract, without prejudice to the controller’s transparency obligations”[166].<br />
<br />
112. The EDPB provides in its guidance[167] assessing what is “necessary” involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. If there are realistic, less intrusive alternatives, the processing is not “necessary”. Article 6(1)(b) GDPR does not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes. While the possibility of improvements of services may routinely be included in contractual terms, such processing usually cannot be regarded as being objectively necessary for the performance of the contract with the user[168].<br />
<br />
113. When analysing the performance of a contract as a legal basis, the necessity requirement has to be interpreted strictly. As stated earlier by the Article 29 Working Party (hereinafter “WP29”)[169], this “provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller”[170].<br />
<br />
114. Concerning the processing of service improvement, the EDPB finds that a reasonable user cannot expect that their personal data is being processed for service improvement simply because WhatsApp IE briefly refers to this processing in its Terms of Service (which both WhatsApp IE and the IE SA consider as constituting the entirety of the contract), or because of the argument that “on the basis of the cont[r]act and wider circumstances, that a reasonable user would have had sufficient understanding that the service included the use of metrics for improvement” to which the IE SA refers[171].<br />
<br />
115. In addition, the IE SA already decided[172] that WhatsApp IE infringed its transparency obligations under Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR by not clearly informing the Complainant and other users of the WhatsApp IE services’ specific processing operations, the personal data processed in them, the specific purposes they serve, and the legal basis on which each of the processing operations relies, as the IE SA concludes in its Draft Decision[173]. The EDPB considers that this fundamental failure of WhatsApp IE to comply with its transparency obligations contradicts the IE SA’s finding[174] that WhatsApp IE’s users could reasonably expect service improvement and security features as being necessary for the performance of their contract.<br />
<br />
[166] Ibid, footnote 165.<br />
[167] Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 25.<br />
[168] Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 49.<br />
[169] The WP 29 - the predecessor of the EDPB - was established under Article 29 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive 95/46/EC”) and had a role, inter alia, to contribute to uniform application of national measures adopted under the Directive. Many of substantive principles and provisions of the GDPR already existed in the Directive 95/46/EC, such as the one at stake in this Binding decision, thus WP29 guidance in this respect is relevant for the interpretation of the GDPR.<br />
[170] WP29 Opinion 06/2014 on the notion of legitimate interests, p. 16.<br />
[171] Composite Response, paragraph 59.<br />
[172] Draft Decision, paragraph 5.9.<br />
[173] Draft Decision, paragraph 5.9 and Finding 3.<br />
[174] Draft Decision, paragraph 4.42.<br />
<br />
116. As regards security, the lack of clarity of the Terms of Service makes it even hard to understand what are the different purposes pursued and processing carried out[175].<br />
<br />
117. The EDPB recalls that “controllers should make sure to avoid any confusion as to what the applicable legal basis is” and that this is “particularly relevant where the appropriate legal basis is Article 6(1)(b) GDPR and a contract regarding online services is entered into by data subjects”, because “[d]epending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) GDPR when signing a contract or accepting terms of service”[176]. Article 6(1)(b) GDPR requires the existence of a contract, its validity, and the processing being necessary to perform it. These conditions cannot be met where one of the parties (in this case a data subject) is not provided with sufficient information to know that they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered. For the purposes of service improvement and security features, WhatsApp IE has not relied on any other legal basis to process personal data. These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis.<br />
<br />
118. Given that the main purpose for which a user uses the WhatsApp services is to communicate with others, and that WhatsApp IE conditions their use to the user’s acceptance of a contract and the service improvement and security[177] features they include, the EDPB cannot see how a user would have the possibility of opting out of a particular processing which is part of the contract. Thus, WhatsApp IE is accountable to prove that the legal basis applied for the processing at hand is valid and the failure to demonstrate this proves that Article 6(1) GDPR is not the applicable legal basis.<br />
<br />
119. The EDPB agrees with the DE SA, FI SA, FR SA, NL SA and NO SA[178] that there is a risk that the Draft Decision’s failure to establish WhatsApp IE’s infringement of Article 6(1)(b) GDPR, pursuant to its interpretation by the IE SA, nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject. WhatsApp IE currently leaves the Complainant and other users of the WhatsApp services with a “take it or leave it” choice. They may either contract away their right to freely determine the processing of their personal data and submit to its processing for service improvements or security features, which they can neither expect, nor fully understand based on the insufficient information WhatsApp IE provides to them. Alternatively, they may decline accepting WhatsApp IE’s Terms of Service and thus be excluded from a service that enables them to communicate with millions of users.<br />
<br />
120. This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects. Some of the safeguards from which data subjects would be deprived due to an inappropriate use of Article 6(1)(b) GDPR as legal basis, instead of others such as consent under Article 6(1)(a) GDPR and legitimate interest under Article 6(1)(f) GDPR, are the possibility to specifically consent to certain processing<br />
<br />
[175] For the meaning of the term “security”, see paragraph 90 above.<br />
[176] EDPB Binding Decision 01/2021, paragraph 214, and Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 20.<br />
[177] For the meaning of the term “security”, see paragraph 90 above.<br />
[178] DE SA’s Objections – p. 6, paragraph 2 and p. 8, paragraph 1; FI SA’s Objections – p. 7, paragraphs 32 and 33; FR SA’s Objections – paragraph 14; NL SA’s Objections – paragraphs 8 and 28; NO SA’s Objections – p. 4, paragraph 3.<br />
<br />
operations and not to others and to the further processing of their personal data (Article 6(4) GDPR); their freedom to withdraw consent (Article 7 GDPR); their right to be forgotten (Article 17 GDPR); and the balancing exercise of the legitimate interests of the controller against their interests or fundamental rights and freedoms (Article 6(1)(f) GDPR).<br />
<br />
121. The EDPB thus concurs with the objections of the DE SA, FI SA, FR SA, NL SA and NO SA[179] to Finding 2 of the Draft Decision in that the processing for the purposes of service improvements and security[180] features performed by WhatsApp IE are objectively not necessary for the performance of WhatsApp IE’s alleged contract with its users and are not an essential or core element of such contract.<br />
<br />
122. In conclusion, the EDPB decides that WhatsApp IE has inappropriately relied on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of service improvement and security[181] features in the context of its Terms of Service and therefore lacks a legal basis to process these data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on Article 6(1)(b) GDPR. WhatsApp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision which concludes that WhatsApp IE may rely on Article 6(1)(b) GDPR in the context of its offering of Terms of Service and to include an infringement of Article 6(1) GDPR based on the shortcomings that the EDPB has identified.<br />
<br />
5 ON THE POTENTIAL ADDITIONAL INFRINGEMENT OF THE PRINCIPLES OF FAIRNESS, PURPOSE LIMITATION AND DATA MINIMISATION<br />
<br />
5.1 Analysis by the LSA in the Draft Decision<br />
<br />
123. In light of the aforementioned inquiry’s scope, the Draft Decision mentions Article 5(1) GDPR in several passages[182]. As for the fairness principle, the inquiry consists of reference to the unfair processing pointed out by the Complainant[183]. Regarding the purpose limitation and data minimisation principles, there are no other references as the ones mentioned above. The Draft Decision makes several references to Article 5(1)(a) GDPR and the principle of transparency[184]. However, the Draft Decision does not address whether Article 5(1)(a) GDPR regarding fairness principle or Article 5(1)(b) and (c) GDPR have been infringed. In its Draft Decision, the IE SA mentions its Decision on WhatsApp IE’s Transparency, which made findings to the effect that transparency obligations were infringed. Therefore, the IE SA concludes, that “The inquiry in question focused on the same issues raised in the herein Complaint insofar as transparency is concerned (although was much broader in scope). Given these issues have already been investigated and adjudicated on by the Commission, I provisionally find that the transparency issues raised in this Complaint have already been addressed.”[185]<br />
<br />
[179] DE SA’s Objections – p. 5, paragraphs 3 and 4; FI SA’s Objections – p. 6, paragraph 24; FR SA’s Objections – p. 7, paragraph 38; NL SA’s Objections – paragraph 26; NO SA’s Objections – p. 8.<br />
[180] For the meaning of the term “security”, see paragraph 90 above.<br />
[181] For the meaning of the term “security”, see paragraph 90 above.<br />
[182] See, for example, Draft Decision, Section 5, paragraphs 5.1, 5.7 and 5.8.<br />
[183] Complaint, paragraphs 2.3.1. and 2.3.2.<br />
[184] Draft Decision, Section 5, paragraphs 5.8 and 5.9.<br />
[185] Draft Decision, Section 5, paragraphs 5.9 and 5.10.<br />
<br />
5.2 Summary of the objections raised by the CSAs<br />
<br />
124. The IT SA raises an objection arguing that the Draft Decision should be amended to include findings of an infringement of Article 5(1)(a) GDPR in relation to the fairness principle. This objection claims that, even though there is the IE SA’s Decision on WhatsApp IE’s Transparency, which incorporates the principle set out in the EDPB’s Binding Decision 1/2021 and where an infringement of transparency principle was to be found, the infringement regarding to the fairness principle should be separate from transparency. The IT SA elaborates that referring to Article 6(1)(b) GDPR should not be found to be in line with the fairness principle, as users are factually unable to grasp how their personal data is being used by WhatsApp IE[186].<br />
<br />
125. The IT SA raises another objection stating that the Draft Decision should be amended to include findings of infringement of Article 5(1)(b) and (c) GDPR. The IT SA is of the view that the fact that WhatsApp IE’s “(multifarious) processing activities involving personal data are grounded in Article 6(1)(b) GDPR entails an infringement of purpose limitation and data minimization principles”[187]. The IT SA states that the IE SA has failed to investigate compliance with Article 5(1)(b) and (c) GDPR. Further, the IT SA states that all the purposes of the processing of personal data performed under the terms of Article 6(1)(b) GDPR must be specified and communicated to data subjects. As such, the service that WhatsApp IE offers pursues several purposes, therefore the applicability of Article 6(1)(b) GDPR should be assessed separately in the context of each service. The IT SA elaborates that the purposes provided to users are inadequate and have no connection to the processing activities.<br />
<br />
5.3 Position of the LSA on the objections<br />
<br />
126. The final position of the IE SA is that of not following these objections. In its Composite Response, concerning all objections, the IE SA notes that the objections on the fairness principle in Article 5(1)(a) GDPR are not in the scope of the underlying complaint[188]. Furthermore, the IE SA states that this would procedurally constrain the IE SA’s ability to adopt its final decision[189].<br />
<br />
127. In addition, the IE SA states that it would also risk breaching the controller’s right to a fair procedure, as the controller was not afforded a right to be heard on such matter. The IE SA highlights the legal consequences that would flow from making material changes concerning infringements outside of the complaint and Draft Decision, namely the likelihood that WhatsApp IE would succeed in arguing before the Irish courts that it has been denied an opportunity to be heard on additional and extraneous findings that are adverse to it[190].<br />
<br />
128. The IE SA further considers that the objection raised by the IT SA with regard to the possible infringement of Article 5(1)(b) and (c) GDPR is not relevant and reasoned, since it would not have been appropriate to undertake an open-ended assessment of all processing operations by the controller in order to handle the complaint[191]. This would have resulted in a disproportionate and open-ended examination of the processing carried out by WhatsApp IE. Therefore, it was more important to resolve the fundamental dispute regarding the interpretation of Article 6(1) GDPR first[192].<br />
<br />
[186] IT SA’s Objection, paragraph 3, pages 8-10.<br />
[187] IT SA’s Objection, page 6.<br />
[188] Composite Response, paragraphs 28 and 29.<br />
[189] Ibid., paragraph 29.<br />
[190] Composite Response, paragraphs 28 to 32.<br />
[191] IT SA’s Objection, paragraph 2.<br />
[192] Composite Response, paragraph 25.<br />
<br />
5.4 Analysis of the EDPB<br />
<br />
5.4.1 Assessment of whether the objections were relevant and reasoned<br />
<br />
129. The IT SA’s objection concerns “whether there is an infringement of the GDPR”[193].<br />
<br />
130. The EDPB takes note that WhatsApp IE agrees with the IE SA’s conclusion in its Composite Response that the objection from the IT SA about finding an infringement of Article 5(1)(a) GDPR also with regard to non-conformity with respect to the fairness principle is not relevant. In addition, WhatsApp IE submits that the objection does not meet the “reasoned” threshold as it is not based on any detailed factual or legal reasoning and fails to address the significance of the alleged risks to fundamental rights posed by the Draft Decision[194]. According to WhatsApp IE, “it would be inappropriate for the EDPB to direct the [IE SA] to make any findings in respect of Article 5(1)(a) (fairness of lawfulness) in its final decision in the Inquiry in circumstances where this is outside the Defined Scope of Inquiry.”[195]<br />
<br />
131. In addition to the above mentioned, the Complainant does note: “Even if a trained lawyer reads all the text that the controller provides, he/she can only guess what data is processed, for which exact purpose and on which legal basis. This is inherently non-transparent and unfair within the meaning of Articles 5(1)(a) and 13(c). This approach therefore stands in clear contrast to informed consent or any form of “plain language” or even “easy to understand” requirements (Recital 39).”[196]<br />
<br />
132. WhatsApp IE also affirms that compliance with Article 5(1)(a) GDPR is distinct from compliance with Article 6(1) GDPR and must be separately assessed before any finding of infringement could be made[197].<br />
<br />
133. The EDPB recalls that an objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the IE SA, for example in situations where the investigation carried out by the IE SA unjustifiably fails to cover some of the issues raised by the Complainant[198]. In this regard, the EDPB observes that, in the complaint, the Complainant alleges that the information provided in WhatsApp IE’s Privacy Policy “is inherently non-transparent and unfair within the meaning of Articles 5(1)(a) and 13(c)”[199]. This is also noted by the IE SA[200].<br />
<br />
134. As previously mentioned, the EDPB notes that the first objection of the IT SA concerns “whether there is an infringement of the GDPR” as it argues that the IE SA should have found an infringement of the fairness principle under Article 5(1)(a) GDPR. As such objection demonstrates that, if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR or not, the objection is to be considered as “relevant”[201].<br />
<br />
135. In addition, this objection is also considered to be “reasoned” since it puts forward several factual and legal arguments for the proposed change in legal assessment. The additional infringement stems from<br />
<br />
[193] Guidelines on RRO, paragraph 24.<br />
[194] WhatsApp IE’s Article 65 Submissions, pp. 107-109.<br />
[195] Ibid., p. 31.<br />
[196] Complaint, paragraph 2.3.1.<br />
[197] WhatsApp IE’s Article 65 Submissions, paragraph 4.25.<br />
[198] Guidelines on RRO, paragraph 27.<br />
[199] Complaint, p. 14.<br />
[200] Draft Decision, paragraph 5.7.<br />
[201] Guidelines on RRO, paragraph 13.<br />
<br />
the scope and findings of the Draft Decision, which also mentions Article 5(1)(a) GDPR202, and the overarching nature of Article 5(1)(a) GDPR.<br />
<br />
136. Additionally, the EDPB finds that the objection of the IT SA clearly demonstrates the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects, since it would create a dangerous precedent that would jeopardize the effective protection of data subjects and thus entail flawed corrective actions.<br />
<br />
137. The EDPB considers the objection on Article 5(1)(a) GDPR to be adequately reasoned and recalls that the assessment of merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR203.<br />
<br />
138. Although the second objection of the IT SA, relating to the additional infringements of the purpose limitation principle under Article 5(1)(b) GDPR and the data minimisation principle under Article 5(1)(c) GDPR, is relevant and includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change would lead to a different conclusion in the Draft Decision, it does not satisfy all the requirements stipulated by Article 4(24) GDPR. In particular, the objection raised does not explicitly motivate why the Draft Decision itself, if left unchanged, would present risks for the fundamental rights and freedoms of data subjects. In addition, the EDPB notes that the IT SA’s objection does not explicitly elaborate why such a risk is substantial and plausible204. Therefore, the EDPB concludes that this particular objection of the IT SA does not provide a clear demonstration of the risks as specifically required by Article 4(24) GDPR.<br />
<br />
5.4.2 Assessment of the merits<br />
<br />
139. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.<br />
<br />
140. The EDPB considers that the objection found to be relevant and reasoned in this subsection requires an assessment of whether the Draft Decision needs to be changed insofar as it contains no finding of infringement of the fairness principle under Article 5(1)(a) GDPR. When assessing the merits of the objection raised, the EDPB also takes into account WhatsApp IE’s position on the objection and its submissions, focussed on arguing that the IT SA objection is not relevant and reasoned, rather than on the content.<br />
<br />
141. Before proceeding with the assessment of the merits, the EDPB recalls that the basic principles relating to processing listed in Article 5 GDPR can, as such, be infringed205. This is apparent from the text of Article 83(5)(a) GDPR which subjects the infringement of the basic principles for processing to administrative fines of up to 20 000 000 EUR, or in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.<br />
<br />
142. At first, the EDPB notes that the concept of fairness is not defined as such in the GDPR. However, recital 39 GDPR provides some elements as to its meaning and effect in the context of processing of personal<br />
<br />
202 The Objection refers to paragraph 5.7 of the Draft Decision.<br />
203 Guidelines on Art. 65(1)(a), paragraph 63 (“The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Article 4(24) GDPR and, if so, address the merits of the objection in the binding decision.”).<br />
204 Guidelines on RRO, paragraph 37.<br />
205 Binding decision 1/2021, paragraph 191.<br />
<br />
data. An important aspect of the principle of fairness under Article 5(1) GDPR, which is linked to recital 39, is that data subjects should be able to determine in advance what the scope and consequences of the processing entails and that they should not be taken by surprise at a later point about the ways in which their personal data have been used206.<br />
<br />
143. Fairness is an overarching principle, which requires that personal data shall not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject. Measures and safeguards implementing the principle of fairness also support the rights and freedoms of data subjects, specifically the right to information (transparency), the right to intervene (access, erasure, data portability, rectification) and the right to limit the processing (right not to be subject to automated individual decision-making and non-discrimination of data subjects in such processing)207.<br />
<br />
144. The principles of fair and transparent processing require that the data subject shall be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling208.<br />
<br />
145. The EDPB underlines that the principles of fairness, lawfulness and transparency, all three enshrined in Article 5(1)(a) GDPR, are three distinct but intrinsically linked and interdependent principles that every controller should respect when processing personal data. The link between these principles is evident from a number of GDPR provisions: recitals 39 and 42, Article 6(2) and Article 6(3)(b) GDPR refer to lawful and fair processing, while recitals 60 and 71 GDPR, as well as Article 13(2), Article 14(2) and Article 40(2)(a) GDPR refer to fair and transparent processing.<br />
<br />
146. The IT SA states that “the infringement of Article 5(1)(a) GDPR should be found by the LSA in the case at hand by having also regard to the more general fairness principle, which entails separate requirements from those relating specifically to transparency.”209<br />
<br />
147. There is no dispute that in its Decision on WhatsApp IE’s Transparency, the IE SA found a breach of the transparency principle, but the EDPB considers that the principle of fairness has an independent meaning and stresses that an assessment of WhatsApp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of WhatsApp IE’s compliance with the principle of fairness too.<br />
<br />
148. The EDPB recalls that, in data protection law, the concept of fairness stems from the EU Charter210. The EDPB has already provided some elements as to the meaning and effect of the principle of fairness in the context of processing personal data. For example, the EDPB has previously opined in its Guidelines on Data Protection by Design and by Default that “Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental,<br />
<br />
206 WP29 Guidelines on transparency under Regulation 2016/679, paragraph 10.<br />
207 EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, Version 2, Adopted on 20 October 2020, hereinafter “Guidelines on Data Protection by Design and by Default”).<br />
208 Recital 60 GDPR.<br />
209 IT SA’s Objection, paragraph 3, p. 9.<br />
210 Article 8 of the EU Charter states as follows: “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law” (emphasis added).<br />
<br />
unlawfully discriminatory, unexpected or misleading to the data subject”211. Among the key fairness elements that controllers should consider in this regard, the EDPB mentions autonomy of the data subjects, data subjects’ expectation, power balance, avoidance of deception, ethical and truthful processing212. These elements are particularly relevant in the case at hand. The principle of fairness under Article 5(1)(a) GDPR underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of data subjects’ rights.<br />
<br />
149. The EDPB has previously explained that “the principle of fairness includes, inter alia, recognising the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller”213. The EDPB recalls that a fair balance must be struck between, on the one hand, the commercial interests of controllers and, on the other hand, the rights and expectations of data subjects under the GDPR214. A key aspect of compliance with the principle of fairness under Article 5(1)(a) GDPR refers to pursuing “power balance” as a “key objective of the controller-data subject relationship”215, especially in the context of online services provided without monetary payment, where users are often not aware of the ways and extent to which their personal data is being processed216. Consequently, if data subjects are not enabled to determine what is done with their personal data, this is in contrast with the element of “autonomy” of data subjects as to the control of the processing of their personal data217.<br />
<br />
150. Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data. Compliance by providers of online services acting as controllers with all three of the cumulative requirements under Article 5(1)(a) GDPR, taking into account the particular service that is being provided and the characteristics of their users, serves as a shield from the danger of abuse and deception, especially in situations of power asymmetries. Therefore, the EDPB disagrees with the IE SA’s finding that assessing WhatsApp IE’s compliance with the principle of fairness “would therefore not only represent a significant departure from the scope of inquiry, as formulated, but it would also risk breaching the controller’s right to a fair procedure, as regards any matter which was never put to<br />
<br />
211 EDPB 4/2019 Guidelines on Article 25, Data Protection by Design and by Default, version 2, adopted on 20 October 2022, (hereinafter “Guidelines on Data Protection by Design and by Default”) paragraph 69.<br />
212 Guidelines on Data Protection by Design and by Default, paragraph 70.<br />
213 Guidelines on Article 65(1)(a), paragraph 12.<br />
214 On the balance between the different interests at stake see for example: Judgment of 12 December 2013, X, C-486/12, EU:C:2013:836; Judgment of 7 May 2009, College van burgemeester en wethouders van Rotterdam v M. E. E. Rijkeboer, C-553/07, EU:C:2009:293; Judgment of 9 November 2010 in joined cases, Volker und Markus Schecke GbR, C-92/09, and Hartmut Eifert, C-93/09, v Land Hessen, EU:C:2010:662.<br />
215 Guidelines on Data Protection by Design and by Default, paragraph 70.<br />
216 On “online services”, see Guidelines 1/2019 on Article 6(1)(b) GDPR, paragraphs 3-5.<br />
217 Guidelines on Data Protection by Design and by Default, paragraph 70. According to this element of fairness, “data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as over the scope and conditions of that use or processing”.<br />
<br />
the complainant during the course of inquiry.”218 In addition, it is important to note that WhatsApp IE has been heard on the objections and therefore submitted written submissions on this matter219.<br />
<br />
151. The EDPB has previously emphasised that the identification of the appropriate lawful basis is tied to the principles of fairness and purpose limitation220. In this regard, the IT SA rightly observes that while finding a breach of transparency relates to the way in which information has been provided to users via the terms of service and the Privacy Policy, compliance with the principle of fairness also relates to ‘how the controller addressed the lawfulness of the processing activities in connection with its calling and messaging service’221. Thus, the EDPB considers that an assessment of compliance by WhatsApp IE with the principle of fairness requires also an assessment of the consequences that the choice and presentation of the legal basis entail for the WhatsApp services’ users. In addition, that assessment cannot be made in the abstract, but has to take into account the specificities of the particular messaging service and of the processing of personal data carried out, namely for purposes related to improvements of the messaging service222.<br />
<br />
152. The EDPB notes that in this particular case, the Complainant was forced to consent to the Terms of Service and the Privacy Policy223 and this clearly impacts the reasonable expectations of WhatsApp IE’s users by confusing them on whether clicking the ”Accept” button results in giving their consent to the processing of their personal data. The EDPB notes in this regard that one of the elements of compliance with the principle of fairness is avoiding deception (i.e. providing information “in an objective and neutral way, avoiding any deceptive or manipulative language or design”224).<br />
<br />
153. As the IE SA itself notes, the Complainant argues that WhatsApp IE relied on ”forced consent” for the processing simply because it did in fact believe that the controller was relying on the legal basis of consent for that processing225. The Complainant presents the screenshot, aiming to demonstrate that, “the data subject was presented with an easy click to quickly consent, and to return to the service.”226 The EDPB keeps in mind that in the complaint, this was explained in the context of arguing that consent was forced. Therefore, the EDPB shares the IT SA’s concern that WhatsApp IE misrepresented the legal basis of the processing and that WhatsApp IE’s users are left ”in the dark” as to the possible connections between the purposes sought, the applicable legal basis and the relevant processing activities227. This being said, the EDPB considers that the processing by WhatsApp IE cannot be regarded as ethical and truthful228 because it is confusing with regard to the type of data processed,<br />
<br />
218 Composite Response, paragraph 30.<br />
219 WhatsApp IE’s Article 65 Submissions, Category 1f: “The DPC should also make findings that WhatsApp Ireland infringed the fairness principle under Article 5(1)(a) GDPR / lawfulness principle under Article 5(1)(a) GDPR“, p. 31.<br />
220 Guidelines 1/2019 on Article 6(1)(b) GDPR, paragraph 1.<br />
221 IT SA’s Objection, p. 9.<br />
222 Draft Decision, paragraph 4.40.<br />
223 See paragraph 3 above.<br />
224 Guidelines on Data Protection by Design and by Default, paragraph 70.<br />
225 Draft Decision, paragraph 5.7.<br />
226 Complaint, p. 5.<br />
227 IT SA’s Objection, p. 9.<br />
228 Guidelines on Data Protection by Design and by Default, paragraph 70, where the EDPB explains that “ethical” means that “The controller should see the processing’s wider impact on individuals’ rights and dignity“ and “truthful” means that “The controller must make available information about how they process personal data, they should act as they declare they will and not mislead the data subjects”.<br />
<br />
the legal basis used and the purposes of the processing, which ultimately restricts the WhatsApp IE’s users’ possibility to exercise their data subjects’ rights.<br />
<br />
154. Considering the seriousness of WhatsApp IE’s misrepresentation on the legal basis relied on identified in the current Binding decision229, the EDPB agrees with the IT SA that WhatsApp IE has presented its service to its users in a misleading manner230, which adversely affects their control over the processing of their personal data and the exercise of their data subjects' rights.<br />
<br />
155. This is all the more supported by the fact that the circumstances of the present case as demonstrated above231 and the infringement of Article 6(1)(b) GDPR232 further intensify the imbalanced nature of the relationship between WhatsApp IE and its users brought up by the IT SA’s objection.<br />
<br />
156. The combination of factors, such as the unbalanced relationship between WhatsApp IE and its users, combined with the “take it or leave it” situation that they are facing due to the lack of alternative services in the market and the lack of options allowing them to adjust or opt out from a particular processing under their contract with WhatsApp IE, systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights under Chapter III GDPR.<br />
<br />
157. Therefore, the EDPB instructs the IE SA to include a finding of an infringement of the principle of fairness under Article 5(1)(a) GDPR by WhatsApp IE and to adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement as provided for in Section 8 of this Binding decision.<br />
<br />
6 ON THE FURTHER INVESTIGATION<br />
<br />
6.1.1 Analysis by the LSA in the Draft Decision<br />
<br />
158. According to the claim233 made in the complaint, data subjects have to “agree to” WhatsApp IE’s Terms of Service and Privacy Policy at the time of the update that was made to the documents in April 2018. The IE SA considers that it is necessary to recognise the difference between agreeing to a contract and providing consent to personal data processing specifically for the purposes of complying with the GDPR234. The IE SA elaborates that WhatsApp IE does not rely on consent in order to process data on foot of the Terms of Service, nor it is legally required to do so, thus reliance on Article 7 GDPR is not applicable, regarding the subject matter of the complaint and will not be a subject to further consideration.<br />
<br />
159. In its Draft Decision, the IE SA concludes that arguments on the applicability of Article 6(1)(b) GDPR as a legal basis for data processing to facilitate (behavioural) advertising “are not relevant to the within inquiry”235, given the absence of references, related to advertising or sponsored content in WhatsApp IE’s Terms of Service, and the absence of evidence that such processing takes place.<br />
<br />
229 See, paragraph 117 above.<br />
230 IT SA Objection, page 9.<br />
231 Draft Decision, paragraphs 148-153.<br />
232 Draft Decision, paragraphs 117 and 122.<br />
233 Draft Decision, paragraph 3.11.<br />
234 Draft Decision, paragraph 3.19.<br />
235 Draft Decision, paragraph 4.8.<br />
<br />
160. Another consideration made by the IE SA is related to the data processing related to “exchange of data with affiliated companies” and the processing of special categories of data, namely:<br />
<br />
1) The IE SA considers that there is no evidence236 for the assertion that WhatsApp IE is processing data that facilitates the inferring of special categories of personal data, pertaining to religious views, sexual orientation, political views and health status. Further, as stated, no evidence is presented in this regard at all, thus a conclusion is made that the processing of special categories of data pursuant to Article 9 GDPR, does not fall within the scope of the complaint and is thus irrelevant.<br />
<br />
2) In its Draft Decision, the IE SA notes that a distinguished feature of WhatsApp IE is the regular monitoring of its service, in order to ensure its well-functioning, as well as maintaining a security237 and abuse standards (both being part of the substance and fundamental object of the contract). Thus, WhatsApp IE could rely on Article 6(1)(b) GDPR as a legal basis for such processing in principle. Further238, the IE SA considers that it is not for an authority such as it, tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible or impossible. Instead, the general principles set out in the GDPR and explained by the EDPB in the Guidance must be applied. These principles should be applied on a case-by-case basis, and should be afforded more weight than generalised examples provided in the Guidance, which are helpful and instructive but are by no means absolute or conclusive.<br />
<br />
3) The IE SA states that it is clear from the Terms of Service239 that “any sharing with affiliated companies forms part of the general “improvements” that are carried out pursuant to Article 6(1)(b) GDPR” and “sharing of WhatsApp user data to Meta Companies takes place on a controller to processor basis only, there does not need to be a distinct legal basis supporting it (or assessment of this issue in the Inquiry)”. Moreover, in its view, there is not an explicit prohibition envisaged in Guidelines 2/2019 on Article 6(1)(b) GDPR related to the processing of personal data that is necessary to fulfil a contractual term that commits to improving the functionality, efficiency, etc. of an existing service. Further, the IE SA states that the core of the service, as outlined in the specific contract with the data subject, clearly includes those services. In its view, the processing is necessary to deliver the service offered (as set out in the Terms of Service).<br />
<br />
161. The IE SA supports the conclusions made above by reference to the following:<br />
<br />
162. The IE SA240 begins by pointing out that it is important to distinguish between agreeing to a contract that might involve personal data processing, and the provision of consent to personal data processing specifically for legitimising the said data processing under the GDPR. It should also be noted that there are differences between the legal bases for processing under Article 6(1)(a) and (b) GDPR. The IE SA continues that in many such cases involving a contract between a consumer and an organisation, the lawful basis for processing of personal data is “the necessity for the performance of a contract” under Article 6(1)(b) GDPR.<br />
<br />
236 Draft Decision, paragraph 4.33; Draft Decision Schedule, paragraphs 3.29, 3.30 and 3.31.<br />
237 For the meaning of the term security, see paragraph 90 of this binding decision.<br />
238 Draft Decision, paragraph 4.45.<br />
239 Draft Decision, paragraph 4.33, as well as paragraphs 4.36 to 4.43.<br />
240 Draft Decision, paragraphs 3.11 to 3.17.<br />
<br />
163. The IE SA states that the GDPR does not set out any form of hierarchy of lawful bases that can be used for processing personal data, whether by reference to the categories of personal data or otherwise. Moreover, Article 7 GDPR (as relied on by the Complainant) concerns the conditions for consent and is relevant when considerations are made regarding whether particular criteria are met, in order to ensure that the consent is lawful. The aforementioned provision is not indicative of which lawful basis the controller has to rely on, but instead assists the latter to determine whether the conditions of validity are met. Therefore, the IE SA thus considers that Article 7 GDPR is not applicable to the subject matter raised by the Complainant.<br />
<br />
164. The IE SA considers that no evidence was presented whatsoever by the Complainant that WhatsApp IE processes personal data for the purpose of advertising and that it relies on Article 6(1)(b) GDPR to do so241. In addition, the IE SA takes note that WhatsApp IE’s Terms of Service are not similar to the examples of situations, cited in the complaint, where Article 6(1)(b) GDPR does not apply, namely for advertising and sponsored consent. The IE SA concludes that arguments related to the applicability of Article 6(1)(b) GDPR for data processing that facilitates advertising, are not relevant.<br />
<br />
165. In addition, as outlined in the Schedule to the Draft Decision242, the assertions about WhatsApp IE’s alleged ability to infer religious views, sexual orientation, political views and health status are not backed with any evidence on the Complainant’s part. The IE SA concludes that there is no evidence243 that WhatsApp IE processes special categories of personal data at all, thus the question of processing such data does not fall within the scope of the inquiry at all.<br />
<br />
166. Moreover, according to the IE SA244, it is evident from the Terms of Service that any sharing with affiliated companies forms part of the general “improvements” that are carried out pursuant to Article 6(1)(b) GDPR, and so in reality any clear delineation between these two forms of processing would be artificial. It needs to be pointed out that one aspect of the aforementioned sharing is the possible reception of messages for the purposes of direct marketing and, in particular, “an offer for something that might interest”245 the respective user.<br />
<br />
167. The Complainant, however, argues that such improvements and security features, as referenced246, and the associated sharing of data with other Meta Companies (then Facebook Companies), is not necessary in order to deliver a messaging service, and that simply placing these terms in the contract does not make them necessary. Although those statements might be true, according to the IE SA it does not follow that fulfilling these terms is not necessary in order to fulfil the specific contract with WhatsApp IE. The IE SA adds that to do that, to use the language of the EDPB, it is necessary to consider “the nature of the service being offered to the data subject”.<br />
<br />
6.1.2 Summary of the objections raised by the CSAs<br />
<br />
168. The FI SA, FR SA and IT SA object to the conclusions reached by the IE SA in its Draft Decision, requesting the IE SA to further investigate the matters of behavioural advertising, special categories of personal data, the provision of metrics to third parties, including to companies belonging to the same group, and marketing.<br />
<br />
241 Draft Decision, paragraph 4.8.<br />
242 Schedule to Draft Decision, paragraphs 3.29 and 3.30.<br />
243 Schedule to Draft Decision, paragraph 4.33.<br />
244 Draft Decision, paragraphs 4.33 and 4.41.<br />
245 Draft Decision, paragraph 2.11 (“Ways To Improve Our Services”).<br />
246 Draft Decision, paragraph 4.36.<br />
<br />
169. On behavioural advertising, in the FR SA’s view247, the Draft Decision does not include an analysis for the applicable legal basis for the processing of personal data, related to behavioural advertising, as it considers that neither the Complainant, nor WhatsApp IE’s general Terms and Conditions provide any evidence that personal data are processed for that purpose. It also notes that this exclusion is not justified by other elements such as investigation reports or the sending of questionnaires by the IE SA. Moreover, the FR SA is of an opinion248 that the IE SA should have carried out an investigation in order to verify whether or not the WhatsApp IE processes personal data for the purposes of behavioural advertising.<br />
<br />
170. On special categories of personal data, the FR SA argues249 that the Draft Decision does not pronounce on the lawfulness ground that is applicable with regard to the processing of special categories of personal data, even though the complaint does. In addition, together with examining whether the conditions are met in the present case for the processing of special categories of personal data pursuant to Article 9(2) GDPR, the IE SA should have carried out the investigations necessary, in order to verify whether such processing is actually taking place.<br />
<br />
171. The IT SA opines250 that the processing of special categories of personal data relating to users that participate in chats with business users relying on a third-party provider (which might be WhatsApp IE’s controlling company Meta) should have been identified as a specific processing activity to be assessed and evaluated separately by the IE SA. In addition, the IT SA considers that no in-depth assessment has been carried out in this regard, but instead that the IE SA simply endorses WhatsApp IE’s statement that all communications are encrypted.<br />
<br />
172. On the provision of metrics to third parties, including to affiliated companies, the FR SA argues that the Draft Decision251 does not pronounce on the applicable legal basis for such processing, despite mentioned initially in the complaint. It continues that the IE SA has not defined which activities are covered under such processing. Therefore, the FR SA requests the IE SA to complete its Draft Decision in this regard. In addition, the FR SA requests that the conditions for the application of the other legal bases mentioned in Article 6 GDPR, namely consent, contract and legitimate interest are examined, as well. Hence, the FR SA considers, that WhatsApp IE cannot rely on the aforementioned legal bases for processing for the purposes provision of metrics to third parties.<br />
<br />
173. The IT SA notes252 that the arguments put forward by the IE SA regarding the joint assessment of processing for service improvement purposes and the exchange of data with affiliated companies, is neither convincing, nor exhaustive. The IT SA is of the view that the IE SA should have identified and separately assessed the processing activities in question without “pooling” them into the service improvement category. Moreover, the exact wording used in WhatsApp IE’s Terms of Service includes “affiliated companies”, “partners” and “service providers”, which are, in the IT SA’s view, unspecified, meaning that the exchange of personal data between them could “hardly fall within the intra-group communications between WhatsApp and the other Meta companies and could be legitimised as a controller-processor relationship.” The IT SA argues that the IE SA could have identified and separately assessed the legal basis for the said exchange of data with partners and third-party service providers. In addition, in the light of the complaint, the IT SA notes that data are exchanged with affiliated<br />
<br />
247 FR SA’s Objection, paragraph 6.<br />
248 FR SA’s Objection, paragraph 7.<br />
249 FR SA’s Objection, paragraph 33.<br />
250 IT SA’s Objection, paragraph 3.a.<br />
251 FR SA’s Objection, paragraphs 35 to 45.<br />
252 IT SA’s Objection, paragraph 3.b.<br />
<br />
Adopted 42 companies not only for service improvement purposes, but also for unspecified ones, relatedtothe<br />
management and provision of the WhatsApp services. The IT SA stresses on the need for further<br />
<br />
investigationon thismatter.<br />
<br />
174.On marketing, the FI SA takes note 253that the Draft Decisioncontains conclusions that WhatsAppIE<br />
may rely on Article 6(1)(b) GDPR as a legal basis in the context of its Terms of Service and, more<br />
<br />
precisely, for the processing for the purposes set out there, including marketing. Further, the FI SA<br />
opines that anassessment is needed inorder to determinewhether WhatsApp IEhasa relevant legal<br />
254<br />
basisfor processing personaldataformarketingpurposes .TheFISA arguesthat,providedthatthere<br />
is anindication in WhatsApp IE’sTerms ofService thata user might receive marketing messages,the<br />
IESA should have carriedout aninvestigationinthis regard 25.<br />
<br />
<br />
6.1.3 Position of the LSA on the objections<br />
<br />
175. The IE SA states that it does not propose to “follow” [256] the objections raised by the CSAs.<br />
<br />
176. In the light of the suggestions made by some of the CSAs [257] that the scope of the inquiry ought to have considered additional factual matters, such as behavioural advertising, the IE SA notes that a complaint-based inquiry has been conducted. The IE SA considers that a requirement, from a CSA, to amend the Draft Decision in order to include findings of infringement(s) that fall outside of the scope of the complaint would constrain its ability to adopt its final decision. Moreover, the IE SA stresses that WhatsApp IE has already been informed about the scope of the complaint. The IE SA notes, in this regard, that the right to be heard is exercised in response to a particularized allegation of wrongdoing, and WhatsApp IE was not informed of an allegation of infringement relating to these additional matters [258]. In the IE SA’s opinion, an amendment would prevent the controller’s right to a fair procedure and hinder its right to be heard.<br />
<br />
177. With regard to the processing of special categories of personal data and the assessment made by the IE SA, the latter concludes that the reference to such processing by WhatsApp IE must be read as an element of the Complainant’s fundamental allegation (i.e. that the agreement to the Terms of Service was a form of GDPR consent to processing of personal data, including consent to the processing of special categories of data). In circumstances where the scope of the inquiry has addressed the fundamental issue of principle on which the complaint depends, the IE SA is satisfied that it is not necessary to also conduct an indiscriminate and open-ended assessment of the processing by WhatsApp IE that may otherwise fall within the scope of Article 9 GDPR.<br />
<br />
178. Moreover, regarding the statements made by the FR SA [259], the IE SA contends that it is unclear on which basis the former makes its assumptions, and adds that the matter has already been considered in the Schedule to the Draft Decision.<br />
<br />
179. In addition, having conducted an assessment of the core functions of WhatsApp IE’s Terms of Service, the IE SA concludes that the nature of the WhatsApp services offered includes regular service improvement as an aspect of the agreement concluded between WhatsApp IE and the respective user, thus the basis of the processing is to be regarded as necessary for the performance of the contract [260]. However, the IE SA further notes [261] that contracts may include aspects of performance which are optional or contingent. For example, most of the processing carried out by WhatsApp IE, which relates to communication between users, is optional for users, as a user is not obliged to send messages to other users (for example). Such processing is nevertheless directly linked to the core “messaging service” function; it would appear to be uncontroversial that such processing is necessary for the performance of the Terms of Service, as a type of mutually expected processing. At the same time, this processing is optional and not indispensable, and the Terms of Service can otherwise be performed without any messages being sent by a user. According to the IE SA, this reflects the fact that Article 6(1)(b) GDPR is not limited to aspects of contractual performance which are expressly mandatory and unconditional obligations of the parties.<br />
<br />
253 FI SA’s Objection, paragraph 3.<br />
254 FI SA’s Objection, paragraph 9.<br />
255 FI SA’s Objection, paragraph 10.<br />
256 Composite Response, paragraph 36.<br />
257 Composite Response, paragraphs 28 to 30.<br />
258 Composite Response, paragraphs 30-35.<br />
259 Composite Response, paragraph 34 (“No consideration of Article 9 GDPR is present in the Draft Decision.”).<br />
<br />
180. Regarding the issue [262] related to WhatsApp IE’s controllership and its relationship with the other Meta companies, and the degree of investigation carried out, the IE SA contends that it “has nothing further to add in this regard”.<br />
<br />
<br />
6.1.4 Analysis of the EDPB<br />
<br />
6.1.4.1 Assessment of whether the objections were relevant and reasoned<br />
<br />
181. In this section, the EDPB considers whether the objections raised by the FI SA, FR SA and IT SA, regarding the need for a further investigation, meet the threshold of Article 4(24) GDPR.<br />
<br />
182. WhatsApp IE considers that the objections made by the aforementioned CSAs are without merit.<br />
<br />
183. In essence, WhatsApp IE argues that the FR SA’s objection raises concerns with regard to behavioural advertising that are not connected to any factual content and do not have any merit, because, as confirmed before to the IE SA, WhatsApp IE does not engage in such processing [263]. Moreover, WhatsApp IE considers [264] that the IE SA appropriately addressed this matter in its Draft Decision, given the vague nature of the complaint, the misconceptions regarding WhatsApp services, and the lack of evidence that such processing is taking place. WhatsApp IE argues that no factual or legal arguments are put forward by the FR SA.<br />
<br />
184. Furthermore, the EDPB takes note of WhatsApp IE’s position on the objection raised by the FR SA with regard to the processing of special categories of data, according to which they are based on a “misunderstanding of the Defined Scope of Inquiry”, as well as the nature of the service offered, and they “fail to take into account the investigations conducted by the [IE SA]” [265]. Further, WhatsApp IE emphasises that it does not process special categories of data in the course of providing the WhatsApp services. Moreover, it is of the view [266] that the FR SA does not acknowledge that the processing in question has already been addressed by the IE SA in its Draft Decision, concluding that there is no evidence that it was taking place and that it is irrelevant to the complaint and the inquiry. Thus, for WhatsApp IE, the FR SA’s objection raised is neither relevant, nor reasoned [267].<br />
<br />
260 Composite Response, paragraphs 57 and 59.<br />
261 Composite Response, paragraph 61.<br />
262 Composite Response, paragraphs 84 and 85.<br />
263 WhatsApp IE’s Article 65 Submissions, paragraph 4.27.<br />
264 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.a.<br />
265 WhatsApp IE’s Article 65 Submissions, paragraph 4.3.<br />
266 WhatsApp IE’s Article 65 Submissions, Section 1.a, paragraph 6.g.<br />
<br />
185. With regard to the FR SA’s objection [268] regarding the legal basis for provisions of metrics to third parties and the need for a further investigation, WhatsApp IE states that it does not rely on Article 6(1)(b) GDPR as a legal basis for the processing. Further, the processing for metrics purposes is carried out on a controller-to-processor basis in order to assist WhatsApp IE in processing what forms part “of the general ‘improvements’”. WhatsApp IE adds that there is no requirement present to have a distinct legal basis for such sharing. It states that “the provision of the WhatsApp Service does not involve any sharing of EU WhatsApp users’ personal data with other Meta Companies on a controller to controller basis” [269]. Furthermore, WhatsApp IE argues that the IT SA’s objection on the investigation of further sharing carried out by WhatsApp IE with “unspecified partners and service providers” is not relevant to the issues investigated by the IE SA, nor does it have connection to the substance of the complaint or the Draft Decision. Moreover, WhatsApp IE considers that it is not clear what “exchange of data” was referred to by the IT SA and its relevance to the inquiry. Thus, WhatsApp IE opines that the IT SA’s objection should be rejected.<br />
<br />
186. Finally, with regard to the FI SA’s objection [270], WhatsApp IE argues that the FI SA’s statement regarding the reliance on Article 6(1)(b) GDPR for processing for marketing purposes is irrelevant and falls outside of the defined scope of the inquiry. Further, WhatsApp IE points out that the specific reference to the Terms of Service is misunderstood, as it is related to potential marketing messages that users might receive from businesses that use the services offered by WhatsApp IE. Finally, WhatsApp IE considers that since businesses use WhatsApp Business API for exchanging messages (with their own terms and privacy policies), it is not the controller in respect of those processing operations.<br />
<br />
***<br />
<br />
187. As regards the objection of the FR SA, arguing that the IE SA did not analyse the applicable legal basis for the processing of personal data related to behavioural advertising, the EDPB establishes that it has a direct connection with the Draft Decision. The EDPB considers that the FR SA’s objection is relevant and, if followed, would lead to a different conclusion. It includes arguments on factual and legal mistakes in the IE SA’s Draft Decision that require amendments, for which it is considered reasoned. More specifically, the FR SA’s objection alleges that the IE SA should have carried out an investigation in order to verify whether or not WhatsApp IE processes personal data for the purposes of behavioural advertising.<br />
<br />
<br />
188. As regards the risks posed by the Draft Decision, the EDPB takes note of the FR SA’s remark that the position of the IE SA would incur a risk for the fundamental rights and freedoms of data subjects, as well as the possibility that a controller could use the legal basis of the contract to process its users' data for targeted advertising purposes. The FR SA stresses that such processing would be particularly massive and intrusive, and thus not in line with the provisions of the GDPR.<br />
<br />
189. The EDPB considers that the objections raised by the FR SA and the IT SA with regard to the processing of special categories of personal data have a direct connection with the Draft Decision, as they refer (1) to the lack of conclusions with regard to the lawful ground applicable to the processing of such data, and (2) the rejection of the Complainant’s argument of the processing of such data by WhatsApp IE. Both are found to be relevant and, if followed, would lead to a different conclusion since the IE SA would have to carry out further investigations in order to establish whether WhatsApp IE processes special categories of personal data, and if so, whether this is done in compliance with the conditions set forth in Article 9 GDPR.<br />
<br />
267 WhatsApp IE’s Article 65 Submissions, paragraph 4.3.<br />
268 WhatsApp IE’s Article 65 Submissions, paragraphs 4.15 to 4.16.<br />
269 WhatsApp IE’s Article 65 Submissions, paragraph 4.17.<br />
270 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 3.a, paragraph 2.b.<br />
<br />
190. The EDPB notes that both objections argue on factual and legal mistakes in the Draft Decision that would require amendments, thus they are both reasoned. According to the FR SA, the IE SA’s reasoning is not consistent, as the latter has not considered the matter related to the lawful ground for the processing of special categories of personal data, nor evaluated its compliance with Article 9(2) GDPR, thus the IE SA shall carry out the necessary investigations. As for the IT SA’s arguments, the EDPB notes that no in-depth assessment was conducted by the IE SA regarding the allegations made by the Complainant that WhatsApp IE processes special categories of personal data, and instead simply endorsed WhatsApp IE’s argument that all communications are encrypted.<br />
<br />
191. In the Draft Decision, the EDPB identifies, as previously asserted by the FR SA and the IT SA, risks for the fundamental rights and freedoms of the data subjects, with concrete examples of targeted and behavioural advertising given, that would hinder the users’ ability to have control over their data, thus the FR SA’s and IT SA’s objections are considered reasoned.<br />
<br />
192. Taking into account the objection raised by the FR SA concerning the legal basis for the provision of metrics to third parties, the EDPB considers that it has a direct connection to the Draft Decision, because it reflects on the fact that the IE SA does not define what the processing for provision of metrics to third parties covers, and does not pronounce itself on the legal basis applicable to such processing (including sharing between companies within the same group), even though initially mentioned in the latter. The objection is relevant, because if it were followed, different conclusions would be reached regarding the conditions under which WhatsApp IE collects consent of data subjects for the processing of their personal data for provision of metrics to third parties.<br />
<br />
193. The EDPB notes that the FR SA puts forward arguments regarding factual and legal mistakes that relate to the legal basis applicable to the provisions of metrics to third parties, and regarding the lack of definition of what the aforementioned processing entails. For these reasons, the FR SA’s objection is considered reasoned.<br />
<br />
194. As regards the risks posed by the Draft Decision, the EDPB takes note of the FR SA’s remark that the Draft Decision would be detrimental for the fundamental rights and freedoms of data subjects, as the only information provided by the IE SA does not amount to any assessment.<br />
<br />
195. An objection is raised by the IT SA with regard to the exchange of personal data with affiliated companies. The EDPB is of the view that it has a direct connection to the Draft Decision, as the latter only covers two purposes of processing, namely those of service improvement and security, out of those raised by the Complainant, hence lacks an assessment of the exchange of data between WhatsApp IE and its affiliated companies. The EDPB considers the IT SA’s objection to be relevant, because, if followed, it would lead to different conclusions in the Draft Decision, regarding the assessment related to the core functions of the contract and the exchange of data with affiliated companies.<br />
<br />
196. As regards the risks posed to the fundamental rights and freedoms of data subjects, the EDPB takes note of the IT SA’s remarks that if the Draft Decision is left unchanged, it would lead to a severe infringement of the users’ right to self-determine the processing of their sensitive personal data, as also related to the exchange of data with affiliated companies and, thus, it would prevent the users from having control over their data.<br />
<br />
<br />
<br />
<br />
<br />
197. The EDPB notes that the IT SA’s objection includes clarifications and arguments on factual and legal mistakes, namely the failure of the IE SA to conduct investigations with regard to the exchange of data with affiliated companies not only for service improvement purposes, but also for unspecified ones, related to the management and the overall provision of the service.<br />
<br />
198. Finally, the EDPB considers that the objection raised by the FI SA, with regard to the processing of personal data for the purposes of marketing, has a direct connection with the Draft Decision, as it reflects on the fact that the IE SA concludes that there is no evidence of processing related to marketing. The FI SA’s objection is considered relevant, as if followed it would lead to a different conclusion regarding the legal basis, namely that of Article 6(1)(b) GDPR for processing of personal data for marketing purposes.<br />
<br />
199. The FI SA puts forward arguments regarding the factual and legal mistakes made by the IE SA, relating to the legal basis for processing of personal data and the possibility for the respective WhatsApp IE users to receive marketing messages. For these reasons, the FI SA’s objection is considered reasoned.<br />
<br />
200. As regards the risks posed by the Draft Decision to the fundamental rights and freedoms of the data subjects, the EDPB takes note of the FI SA’s remark that it would incur a risk for data subjects and, more precisely, their unawareness of the processing and, as a consequence, their subsequent inability to have control over the processing of their personal data. Moreover, the EDPB considers that this could lead to undermining their fundamental right of protection of their personal data.<br />
<br />
6.1.4.2 Assessment on the merits<br />
<br />
<br />
201. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.<br />
<br />
202. The EDPB considers that the objections found to be relevant and reasoned in this subsection require an assessment of whether the Draft Decision needs to be changed, as they conclude that the IE SA has not carried out a sufficient investigation as to the applicable legal basis for WhatsApp IE’s processing operations (a) for the purposes of behavioural advertising, (b) involving special categories of personal data pursuant to Article 9 GDPR, (c) for provision of metrics to third parties and (d) for the exchange of data with affiliated companies for the purposes of service improvements and (e) for the purposes of marketing. When assessing the merits of the objections raised, the EDPB also takes into account WhatsApp IE’s position on the objections.<br />
<br />
203. In its submissions, WhatsApp IE supports the conclusions made by the IE SA that no further investigation is needed as regards the aforementioned issues raised.<br />
<br />
204. With regard to behavioural advertising, WhatsApp IE states that it does not engage in such processing, which fact was subsequently “appropriately addressed” [271] by the IE SA in its Draft Decision.<br />
<br />
205. As for the special categories of personal data [272], WhatsApp IE contends that it does not process such data in the course of providing the WhatsApp IE services. Moreover, the processing in question has already been addressed by the IE SA in its Draft Decision, concluding that there is no evidence that it is taking place and that it is irrelevant to the complaint and the inquiry.<br />
<br />
271 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.a, as well as paragraph 4.27 idem.<br />
272 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 1.a, paragraph 6.g.<br />
<br />
<br />
<br />
206. Moreover, WhatsApp IE argues that it does not rely on Article 6(1)(b) GDPR as a legal basis for processing for the provision of metrics to third parties [273]. Further, such processing is carried out on a controller-to-processor basis in order to assist WhatsApp IE in processing that forms part “of the general improvements”. WhatsApp IE adds that there is no requirement to have a distinct legal basis for such sharing. It states that “the provision of the WhatsApp Service does not involve any sharing of EU WhatsApp users’ personal data with other Meta Companies on a controller to controller basis”. Furthermore, WhatsApp IE opines that the matter of further sharing [274] with “unspecified partners and service providers” is not relevant to the issues investigated by the IE SA, nor does it have connection to the substance of the complaint or the Draft Decision.<br />
<br />
207. Finally, with regard to the processing for the purposes of direct marketing, WhatsApp IE argues [275] that it is irrelevant and falls outside of the defined scope of the inquiry.<br />
<br />
208. The IE SA argues [276] that it would have been infeasible, hypothetical, and contrary to the complaint within the meaning of Article 77 GDPR to undertake an assessment of all discrete processing operations associated generally with WhatsApp IE’s Terms of Service, including whether WhatsApp IE processes special categories of personal data in this context and whether the sharing of data with third parties specifically is lawful, as well as the additional matters concerning WhatsApp IE, in order to conclude an investigation of the complaint. In relation to the processing of Article 9 GDPR categories of personal data, the IE SA considers that the inquiry has addressed the fundamental issue of principle on which the complaint depends, and this makes it unnecessary to conduct an indiscriminate and open-ended assessment of processing falling within the scope of this Article or the ePrivacy Directive [277].<br />
<br />
209. Moreover, the IE SA considers that there is no evidence for the assertion that WhatsApp IE is processing personal data that facilitates the inferring of special categories of personal data, pertaining to religious views, sexual orientation, political views and health status. Further, as stated, no evidence is presented in this regard at all, thus a conclusion is made that the processing of special categories of personal data pursuant to Article 9 GDPR consent does not fall within the scope of the complaint and is thus irrelevant. The Complainant considers the agreement to the Privacy Policy and the Terms of Service to be an alleged consent to data processing operations designated in those documents. This also includes the aforementioned data processing operations and the respective purposes, thus the EDPB considers that those processing operations are within the scope of the complaint.<br />
<br />
210. In addition and taking into account the previous paragraph, the IE SA [278] warns the CSAs on the legal risks derived from asking through the objections to expand the material scope of the inquiry and thus cover infringements outside of the complaint (namely the processing of special categories of personal data, question of location data, factual investigations into the presence of behavioural advertising, sharing with third parties) and the Draft Decision that the IE SA has not investigated (pursuant to its own decision to limit the scope of the inquiry) and put to WhatsApp IE as an allegation of wrongdoing [279].<br />
<br />
273 WhatsApp IE’s Article 65 Submissions, paragraphs 4.15 and 4.16.<br />
274 WhatsApp IE’s Article 65 Submissions, paragraph 4.17.<br />
275 WhatsApp IE’s Article 65 Submissions, Annex 1, Section 3.a, paragraph 2.b.<br />
276 Composite Response, paragraph 22.<br />
277 Composite Response, paragraph 27.<br />
278 Composite Response, paragraph 28.<br />
279 Composite Response, paragraphs 29 and 31.<br />
<br />
<br />
211. The EDPB notes that the complaint reiterates the confusion of WhatsApp IE’s users over whether it processes personal data for the purposes of behavioural advertising, which of the users’ special categories of personal data are processed and for which purposes, the provision of metrics to third parties and the exchange of data with affiliated companies and on which basis, as well as for the processing of personal data for the purposes of marketing.<br />
<br />
212. WhatsApp IE’s Terms of Service note in general terms “WhatsApp works with partners, service providers, and affiliated companies to help us provide ways for you to connect with their services. We use the information we receive from them to help operate, provide, and improve our Services”; “WhatsApp uses the information it has and also works with partners, service providers, and affiliated companies to do this” and in the matter of sharing data with affiliated companies: “We are part of the Facebook Companies. As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the Facebook Companies as described in WhatsApp's Privacy Policy”.<br />
<br />
213. The Terms of Service make up the entire agreement, and include a reference to two separate documents: WhatsApp IE’s Privacy Policy and to the Meta Companies. WhatsApp IE’s Privacy Policy states that “The types of information we receive and collect depend on how you use our Services. We require certain of Your Account Information in accordance with our Terms to deliver our Services and without this we will not be able to provide our Services to you.” With regard to sharing information with third parties, the Privacy Policy states that “You share your information as you use and communicate through our Services, and we share your information to help us operate, provide, improve, understand, customise and support our Services”. Further, the document itself does not make any references whatsoever for the processing of data for the purposes of behavioural advertising, or the processing of special categories of data pursuant to Article 9 GDPR. As for the provision of metrics to third parties and the exchange of data with affiliated companies, as well as the processing of personal data for the purposes of marketing, the Privacy Policy does not elaborate further on that matter.<br />
<br />
214. The CJEU asserted recently that the purpose of Article 9(1) GDPR is to ensure an enhanced protection of data subjects for processing, which, because of a particular sensitivity of the personal data processed, is liable to constitute a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter [280]. The CJEU adopts a wide interpretation of the terms “special categories of personal data” and “sensitive data” that includes data liable indirectly to reveal sensitive information concerning a natural person [281]. Advocate General Rantos reiterates the importance for the protection of data subjects of Article 9 GDPR and applies the same interpretation to the potential data processing in the WhatsApp services for behavioural advertising by stating that “the prohibition on processing sensitive personal data may include the processing of data carried out by an operator of an online social network consisting in the collection of a user’s data when he or she visits other websites or apps or enters such data into them, the linking of such data to the user account on the social network and the use of such data, provided that the information processed, considered in isolation or aggregated, make it possible to profile users on the basis of the categories that emerge from the listing in that provision of types of sensitive personal data.”<br />
<br />
280 Vyriausioji tarnybinės etikos komisija (Case C-184/20, judgment delivered on 1 August 2022), ECLI:EU:C:2022:601, § 126.<br />
281 Vyriausioji tarnybinės etikos komisija (Case C-184/20, judgment delivered on 1 August 2022), ECLI:EU:C:2022:601, § 127.<br />
<br />
<br />
215. Therefore, the GDPR and the case-law pay special attention to the processing or the potential processing of special categories of personal data under Article 9 GDPR to ensure the protection of the data subjects. In this connection, the Complainant alleges in its complaint, among others, a violation of Article 9 GDPR and expressly requests the IE SA to investigate WhatsApp IE’s processing operations covered by this provision. In a subsequent submission on the preliminary Draft Decision, the Complainant criticises the scope that the IE SA decided to give to the complaint and its lack of investigation of WhatsApp IE’s processing activities and alleges that the IE SA failed to give due consideration to processing under Article 9 GDPR and other cases in which it relies on consent.<br />
<br />
216. In the present case, the IE SA did not carry out any investigation regarding (a) the legal basis for WhatsApp IE’s processing operations for the purposes of behavioural advertising, (b) the applicable legal basis for processing special categories of personal data, pursuant to Article 9 GDPR, (c) the applicable legal basis for provision of metrics to third parties and (d) the exchange of data with affiliated companies for the purposes of service improvements and (e) the processing of personal data for the marketing purposes. The IE SA categorically concludes that no further investigation is needed with regard to these issues.<br />
<br />
217. By failing to investigate, further to the complaint, the processing of special categories of personal data by WhatsApp IE, the IE SA leaves unaddressed the risks this processing poses for the Complainant and for WhatsApp IE’s users in general. First, there is the risk that the Complainant’s special categories of personal data are potentially processed by WhatsApp IE to build intimate profiles of them for the purposes of behavioural advertising without a legal basis and in a manner not compliant with the GDPR and in particular the strict requirements of Articles 7 and 9(2) GDPR. Second, there is also the risk that WhatsApp IE does not consider certain categories of personal data it potentially processes as special or sensitive categories of personal data in line with the GDPR and the CJEU case-law and treats them accordingly. Third, the Complainant and other WhatsApp IE’s users, whose sensitive data are potentially processed, may be deprived of certain special safeguards derived from the use of consent, such as the possibility to specifically consent to certain processing operations and not to others and to the further processing of personal data under Article 6(4) GDPR; the freedom to withdraw consent, pursuant to Article 7 GDPR, and the subsequent right to be forgotten. Fourth, given the size and the number of users of WhatsApp IE in the social media market, leaving unaddressed the current ambiguity in the processing of special categories of personal data, and its limited transparency of WhatsApp IE vis-à-vis data subjects, may set a precedent for controllers to operate in the same manner and create legal uncertainty, hampering the free flow of personal data within the EU.<br />
<br />
218. The EDPB further considers, also in view of these risks to the Complainant and WhatsApp IE’s users, that the IE SA did not handle the complaint with all due diligence. The EDPB considers the lack of any further investigation into the legal basis for WhatsApp IE’s processing operations for the purposes of behavioural advertising, the potential processing of special categories of personal data, applicable legal basis for provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, as well as the processing of personal data for the purposes of marketing as an omission, and – in the present case – finds it relevant that the Complainant alleged infringements of Article 9 in the complaint.<br />
<br />
219. The EDPB contends that in the present case, the IE SA should have verified on the basis of the contract and the data processing actually carried out on which legal bases each data processing operation in question relies.<br />
<br />
220. The EDPB also highlights that by having excessively limited the scope of its inquiry despite the scope of the complaint in this cross-border case and systematically considering the majority of the objections raised by the CSAs not relevant and reasoned and thus denying their formal admissibility, the IE SA as LSA in this case, constrains the capacity of CSAs to act and tackle the risks to data subjects in sincere and effective cooperation. As ruled by the CJEU, the SA must exercise its competence within a framework of close cooperation with other supervisory authorities concerned and cannot “eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned”. The limited scope that the IE SA gave to the inquiry also impairs the EDPB’s capacity to conclude on the matter pursuant to Article 65 GDPR and thus ensure a consistent application of EU data protection law, despite the fact that the complaint covered these aspects and was introduced more than four years ago.<br />
<br />
221.Asa result ofthelimitedscope ofthe inquiryandlackofassessment bythe IESA inthe DraftDecision,<br />
the EDPBdoes not have sufficient factualevidence on WhatsApp IE’sprocessing operationstoenable<br />
<br />
it to make a finding on any possible infringement by WhatsApp IE of its obligations under Article 9<br />
GDPRandother relevantGDPRprovisions.<br />
<br />
222.The EDPB decides that the IE SA shall carry out an investigation into WhatsApp IE’s processing<br />
operationsinitsserviceinorder todetermineifitprocesses specialcategoriesofpersonaldata(Article<br />
<br />
9 GDPR),processes datafor the purposes of behavioural advertising,for marketingpurposes, as well<br />
asfor the provision of metricstothird partiesand the exchangeof data withaffiliatedcompanies for<br />
the purposes of service improvements, and in order to determine if it complies with the relevant<br />
<br />
obligations under the GDPR.Basedonthe resultsof thatinvestigationandthe findings, the IE SA shall<br />
issue a new DraftDecisioninaccordancewithArticle 60 (3)GDPR.<br />
<br />
<br />
<br />
7 ON CORRECTIVE MEASURES OTHER THAN ADMINISTRATIVE FINES<br />
<br />
7.1 Analysis by the IE SA in the Draft Decision<br />
<br />
223. According to the Draft Decision, the IE SA concludes that the Complainant’s case is not made out that<br />
the GDPR does not permit the reliance by WhatsApp IE on Article 6(1)(b) GDPR in the context of its<br />
offering of Terms of Service 282. Therefore, without finding any infringement of this legal basis, the IE<br />
SA was not in a position to consider the application of its corrective powers as provided for in Article<br />
58(2) GDPR.<br />
<br />
224. Regarding the provision of necessary information relating to WhatsApp IE’s legal basis for processing<br />
pursuant to acceptance of the Terms of Service and whether the information set out was in a<br />
transparent manner, the IE SA recalled that it found infringements in this regard in a previous own-volition<br />
inquiry and exercised a number of corrective powers in response, including an administrative<br />
fine and an order to bring the WhatsApp IE’s Privacy Policy into compliance 283.<br />
<br />
7.2 Summary of the objections raised by the CSAs<br />
<br />
225. The NO SA objects to the IE SA’s finding by stating that WhatsApp IE cannot rely on Article 6(1)(b)<br />
GDPR as a legal basis for processing in the context of service improvements and security features 284.<br />
As a consequence resulting from the finding of such infringement, the NO SA requests the IE SA to<br />
exercise corrective powers under Article 58(2) GDPR accordingly, by ordering WhatsApp IE to delete<br />
personal data that has been unlawfully processed under the erroneous assumption that it could be<br />
based on Article 6(1)(b) GDPR unless those data were also collected for other purposes with a valid<br />
legal basis, and by imposing an administrative fine against WhatsApp IE for unlawfully processing<br />
personal data in the context of service improvements and security features, erroneously relying on<br />
Article 6(1)(b) GDPR, as that legal basis was not applicable in this case 285.<br />
<br />
226. The DE SAs object to the IE SA’s finding by stating that the IE SA should find that WhatsApp IE has<br />
breached Article 5(1)(a) and Article 6(1) GDPR. As a consequence resulting from the finding of such<br />
infringements, the DE SAs request the IE SA to impose a temporary or definitive limitation of the<br />
respective processing without legal basis in accordance with Article 58(2)(f) GDPR, namely, the erasure<br />
of unlawfully processed personal data and the ban of the processing of data until a valid legal basis is<br />
in place 286.<br />
<br />
227. The FI SA objects to the IE SA’s finding by stating that the IE SA should find an infringement of Article<br />
6(1) GDPR, notably because the FI SA is of the opinion that WhatsApp IE cannot rely on Article 6(1)(b)<br />
GDPR for all the processing operations set out in the Terms of Service, such as marketing, service<br />
improvements and security purposes 287. As a consequence resulting from the finding of such<br />
infringement, the FI SA requests the IE SA to make use of its corrective power accordingly, pursuant to<br />
Article 58(2) GDPR 288. In order to do so, the FI SA is of the opinion that the IE SA should at least order<br />
WhatsApp IE to bring its processing operations into compliance with the provisions of Article 6(1) GDPR<br />
with respect to the processing of marketing, service improvements and security for which WhatsApp<br />
IE relied upon Article 6(1)(b) GDPR and consider imposing an administrative fine pursuant to Article 83<br />
GDPR 289.<br />
<br />
282 Draft Decision, Issue 2.<br />
283 Draft Decision, paragraph 5.9 and last row of the table in p. 38.<br />
284 NO SA Objection, p. 1, Introductory remarks, paragraph 3.<br />
<br />
<br />
7.3 Position of the IE SA on the objections<br />
<br />
228. The IE SA is of the opinion that since it does not follow the objections raised on the infringements<br />
matters, it results that the IE SA does not follow the related objections on the corrective measures<br />
either 290. The IE SA also does not consider the objections to be relevant and/or reasoned.<br />
<br />
<br />
7.4 Analysis of the EDPB<br />
<br />
7.4.1 Assessment of whether the objections were relevant and reasoned<br />
<br />
229. The objections raised by the NO SA, DE SAs and FI SA concern “whether the action envisaged in the<br />
Draft Decision complies with the GDPR” 291.<br />
<br />
230. As stated and analysed above in Subsection 4.4.1, the EDPB finds the NO SA and DE SA objections on<br />
the subject of corrective measures pursuant to Article 58(2) GDPR relevant but not reasoned 292.<br />
<br />
231. Regarding the FI SA’s objection, WhatsApp IE considers it not relevant because it is based on an<br />
objection pertaining to a mistaken allegation of infringement of Article 6(1) GDPR 293 and which does<br />
not satisfy the thresholds and lacks merit 294. The EDPB does not follow WhatsApp IE’s position as it<br />
analyses and concludes in Subsection 4.4.1 above that the objection of the FI SA on the finding of an<br />
infringement of Article 6 GDPR or more specifically Article 6(1)(b) GDPR, on which the FI SA request of<br />
corrective measures is based, is relevant and reasoned.<br />
<br />
232. The FI SA’s objection arguing that the IE SA should, in application of Article 58(2) GDPR, at least order<br />
WhatsApp IE to bring its processing operations into compliance with the provisions of Article 6(1) GDPR<br />
with respect to the processing of marketing, service improvements and security for which WhatsApp<br />
IE relied upon Article 6(1)(b) GDPR and consider imposing an administrative fine pursuant to Article 83<br />
GDPR, is linked to the IE SA’s Finding 2 of its Draft Decision with regard to Article 6(1)(b) GDPR.<br />
Therefore, the FI SA objection is directly connected with the substance of the Draft Decision and if<br />
followed, would lead to a different conclusion, namely a change of this Finding 2 as well as the<br />
imposition of corrective measures.<br />
<br />
233. Thus, the EDPB considers that the FI SA objection is relevant.<br />
<br />
285 NO SA Objection, p. 8-9, Envisaged outcome of the RRO, second bullet point.<br />
286 DE SA Objection, p. 8, d. Envisaged result of the objection.<br />
287 FI SA Objection, paragraph 36.<br />
288 FI SA Objection, paragraph 36.<br />
289 FI SA Objection, paragraph 36.<br />
290 WhatsApp IE's Article 65 Submissions, paragraph 80.<br />
291 EDPB Guidelines on RRO, paragraph 32.<br />
292 Paragraphs 75, 80, 86 and 87 above.<br />
293 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 3.<br />
<br />
<br />
234. In terms of arguments clarifying why the amendment of the Draft Decision requested by the FI SA is<br />
proposed, the FI SA firstly argues that if the IE SA does not make use of its corrective powers, there is<br />
a danger that WhatsApp IE continues to unlawfully process personal data on the foot of Article 6(1)(b)<br />
GDPR for processing operations such as marketing, service improvements and security, and that<br />
WhatsApp IE continues to undermine or bypass data protection principles 295.<br />
<br />
235. Secondly, the FI SA argues that because WhatsApp IE cannot rely on Article 6(1)(b) GDPR for all<br />
processing operations set out in its Terms of Service, this inevitably leads to the conclusion that<br />
corrective powers must be exercised in order to bring the processing operations of WhatsApp IE in line<br />
with the GDPR 296.<br />
<br />
236. Thirdly, the FI SA relies on the ruling of the CJEU C-311/18 Schrems II 297 to argue that when an<br />
infringement is found, the supervisory authority must take appropriate action in order to remedy any<br />
findings of inadequacy and therefore the FI SA is of the opinion that the IE SA must exercise appropriate<br />
and necessary corrective powers 298.<br />
<br />
237. Finally, according to the FI SA, the IE SA must exercise appropriate and necessary corrective powers<br />
and must take into account the nature and severity of the abovementioned infringement since the FI<br />
SA is of the opinion that this infringement cannot be considered as minor 299.<br />
<br />
238. In terms of the significance of the risks posed by the Draft Decision, the FI SA argues that the absence<br />
of appropriate and necessary corrective powers would amount to a dangerous precedent, sending a<br />
deceiving message to the market and to data subjects, and would also endanger the fundamental<br />
rights and freedoms of data subjects whose personal data are and will be processed by the WhatsApp<br />
IE 300.<br />
<br />
239. In addition, the FI SA argues that if WhatsApp IE could continue to rely on Article 6(1)(b) GDPR, the<br />
data subjects would not have the possibility to control the processing of their personal data, while the<br />
right to monitor the processing of personal data is an important principle of the GDPR 301.<br />
<br />
<br />
<br />
294 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 4.<br />
295 FI SA Objection, paragraph 37.<br />
296 FI SA Objection, paragraph 40.<br />
297 C-311/18 Schrems II, paragraph 111.<br />
298 FI SA Objection, paragraphs 41-42.<br />
299 FI SA Objection, paragraphs 42-43.<br />
300 FI SA Objection, paragraph 45.<br />
301 FI SA Objection, paragraph 45.<br />
<br />
240. The FI SA ends its argumentation by stating that the Draft Decision affects all the data subjects within<br />
the EEA. Therefore, the consequences of not making use of the corrective powers pursuant to Article<br />
58(2) GDPR are vast 302.<br />
<br />
241. WhatsApp IE considers that the FI SA objection cannot satisfy the significance of risk threshold, as it<br />
does not set out how the Draft Decision would pose a direct and significant risk to fundamental rights<br />
and freedoms, because it is based on a misunderstanding of the Draft Decision and the defined scope<br />
of inquiry 303. WhatsApp IE also considers that contrary to the FI SA statement, the GDPR provides data<br />
subjects with a range of controls and rights over their personal data regardless of the legal bases relied<br />
on and therefore the Draft Decision does not pose a risk to data subjects’ fundamental rights and<br />
freedom 304. Moreover, WhatsApp IE considers that the FI SA statement that the Draft Decision affects<br />
all the data subjects within the EEA and that therefore, the consequences of not making use of the<br />
corrective powers pursuant to Article 58(2) GDPR are vast, is based on unsubstantiated concerns and<br />
unsupported by any facts or legal reasoning or anything which was investigated in the inquiry 305.<br />
<br />
242. Considering WhatsApp IE’s arguments, the EDPB understands that WhatsApp IE is challenging the<br />
substance of the FI SA objection instead of challenging its ability to clearly demonstrate the significance<br />
of the risks posed by the Draft Decision 306. Therefore, the EDPB considers these arguments not<br />
applicable to assess whether the FI SA’s objection is reasoned.<br />
<br />
243. As the FI SA objection clearly demonstrates why an amendment of the Draft Decision is proposed and<br />
how this amendment would lead to a different conclusion as to whether the envisaged action in<br />
relation to WhatsApp IE complies with the GDPR, it clearly demonstrates a sound and substantiated<br />
reasoning and the significance of the risks posed by the Draft Decision.<br />
<br />
244. Therefore, the EDPB considers the FI SA objection to be reasoned.<br />
<br />
245. Considering the FI SA objection and the arguments brought forward by WhatsApp IE, the EDPB<br />
considers that the FI SA objection requesting corrective measures to be imposed according to Article<br />
58(2) GDPR is relevant and reasoned pursuant to Article 4(24) GDPR.<br />
<br />
<br />
7.4.2 Assessment on the merits<br />
<br />
Preliminary matters<br />
<br />
246. The EDPB considers that the FI SA objection found to be relevant and reasoned in Subsection 7.4.1<br />
requires an assessment of whether the Draft Decision needs to be changed in respect of the corrective<br />
measures proposed. More specifically, the EDPB needs to assess whether the IE SA should impose an<br />
order on WhatsApp IE to bring its processing operations in compliance with the provisions of Article<br />
6(1) GDPR with respect to the processing for marketing, service improvements and security for which<br />
WhatsApp IE relied upon Article 6(1)(b) GDPR and consider imposing an administrative fine pursuant<br />
to Article 83 GDPR, in application of Article 58(2) GDPR.<br />
<br />
247. Any issue concerning the imposition of administrative fines is covered below in Section 8.<br />
<br />
248. Concerning the issue of imposing corrective measures in respect of the alleged infringement of Article<br />
6(1)(b) GDPR for processing personal data for marketing purposes raised by the FI SA and which was<br />
not part of the scope of the inquiry 307, it is appropriate to refer to the EDPB conclusion as stated above<br />
in Subsection 6.1.4.2, which notably states that the IE SA is instructed to launch an investigation into<br />
WhatsApp IE’s processing operations in its service in order to determine if it processes personal data<br />
for marketing purposes and in order to determine if it complies with the relevant obligations under<br />
the GDPR. In this situation where the possibility for WhatsApp IE to rely on Article 6(1)(b) GDPR for<br />
processing personal data for marketing purposes has not been investigated, there is no ground to<br />
further proceed in the assessment of the merits of the FI SA’s objection requesting to impose<br />
corrective measures for processing personal data for marketing purposes by unlawfully relying on<br />
Article 6(1)(b) GDPR.<br />
<br />
249. Conversely, concerning the issue of imposing corrective measures in respect of the alleged<br />
infringement of Article 6(1) GDPR for processing for other purposes stated in the FI SA’s objection, it<br />
is appropriate to refer to the EDPB conclusion as stated above in Subsection 4.4.2, which notably states<br />
that WhatsApp IE has infringed Article 6(1) GDPR by unlawfully processing the Complainant’s personal<br />
data, in particular by inappropriately relying on Article 6(1)(b) GDPR to process the Complainant’s<br />
personal data for the purposes of service improvement and security features processing operations 308<br />
in the context of its Terms of Service. As a consequence, the EDPB further proceeds in the assessment<br />
of the merits of these parts of the FI SA objection 309 and analyses whether an order to bring processing<br />
into compliance should be imposed.<br />
<br />
250. When assessing the merits of the objection raised, the EDPB also takes into account WhatsApp IE’s<br />
position on the objection and its submissions and the findings in this Binding Decision.<br />
<br />
302 FI SA Objection, paragraph 46.<br />
303 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 5.<br />
304 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 6.<br />
305 WhatsApp IE's Article 65 Submissions, table p. 96, section A, paragraph 7.<br />
306 Guidelines on RRO, paragraph 18.<br />
307 Draft Decision, paragraph 4.8.<br />
<br />
251. It is also important to clarify the EDPB’s views in respect of its competence, in contrast to WhatsApp<br />
IE’s argument, which considers the EDPB is not competent to direct the IE SA to adopt specific<br />
corrective measures 310.<br />
<br />
252. WhatsApp IE states “This is clear from the objection of the Finnish SA, which acknowledges that it is for<br />
the IE SA alone to decide which corrective measures are appropriate and necessary, citing Case C-311/18<br />
(Schrems II), para 112” 311.<br />
<br />
253. The EDPB finds that WhatsApp IE misunderstands the FI SA objection when it argues that it does<br />
acknowledge that it is for the IE SA alone to decide which corrective measures are appropriate and<br />
necessary, by citing paragraph 112 of the Judgement of the CJEU of 16 July 2020, Data Protection<br />
Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18, ECLI:EU:C:2020:559<br />
(hereinafter ‘C-311/18 Schrems II’). In fact, the FI SA does no such thing: in its objection “The FI SA<br />
refers to the ruling of the CJEU C-311/18 where it was stated that if a supervisory authority takes the<br />
view that an infringement was found, the respective supervisory authority must take appropriate action<br />
in order to remedy any findings of inadequacy” 312 in order to support its conclusion, which states that<br />
because “WhatsApp cannot rely on Article 6(1)(b) for all processing operations set out in its Terms of<br />
Service. This inevitably leads into the conclusion that corrective powers must be exercised in order to<br />
bring the processing operations of WhatsApp in line with the GDPR” 313. Thus, this statement by the FI<br />
SA seems to simply strengthen the need for appropriate corrective measures to be imposed.<br />
<br />
254. Moreover, WhatsApp IE considers the IE SA has sole discretion to determine the appropriate corrective<br />
measures in the event of a finding of infringement 314.<br />
<br />
255. WhatsApp IE considers that where a Draft Decision does not find an infringement and therefore<br />
proposes no corrective measures, there cannot be a dispute on corrective measures within the scope<br />
of Article 65 GDPR. WhatsApp IE argues that “should the EDPB find an infringement of Article 6(1)(b)<br />
GDPR, the appropriate course is for it to refer the matter back to the DPC, as IE SA, to determine<br />
whether to impose any appropriate corrective measures and, if so, what those corrective measures<br />
should be. Were the EDPB to do otherwise and direct the DPC to make a specific order in the terms<br />
proposed by certain Objections, it would exceed its competence under Article 65 GDPR” 315.<br />
<br />
256. WhatsApp IE states that it is “a matter for the LSA to determine which (if any) corrective measures to<br />
order and to ensure that any order complies with all applicable procedural safeguards, including those<br />
provided for under national law, and is issued in accordance with due process and in circumstances<br />
where the controller has been afforded a right to be heard” 316.<br />
<br />
257. WhatsApp IE also argues that “In the context of an inquiry relating to cross-border processing, the<br />
power to determine which measures are appropriate to exercise under the GDPR is a matter within the<br />
sole competence of the DPC as IE SA — not the EDPB” 317. While WhatsApp IE acknowledges that “Article<br />
65(1) GDPR allows the EDPB to consider reasoned objections concerning whether corrective measures<br />
envisaged by the IE SA comply with the GDPR”, it argues “it does not empower the EDPB to issue<br />
prescriptive instructions as to which (if any) of the corrective powers under Article 58 ought to be<br />
exercised” 318. WhatsApp IE adds that “As noted in the EDPB Guidelines 03/2021 on the application of<br />
Article 65(1)(a) GDPR (‘Article 65 Guidelines’), at most, the EDPB can ‘instruct the IE SA to re-assess the<br />
envisaged action and change the draft decision in accordance with the binding decision of the<br />
EDPB’” 319.<br />
<br />
308 See paragraph 90 of this Binding Decision.<br />
309 FI SA Objection, paragraph 36.<br />
310 WhatsApp IE's Article 65 Submissions, paragraphs 8.6 to 8.11.<br />
311 WhatsApp IE's Article 65 Submissions, paragraph 8.9.<br />
312 FI SA Objection, paragraph 41.<br />
313 FI SA Objection, paragraph 40.<br />
314 WhatsApp IE's Article 65 Submissions, paragraphs 8.12 to 8.14.<br />
<br />
258. According to the EDPB, the views of WhatsApp IE amount to a misunderstanding of the GDPR one-stop-shop<br />
mechanism and of the shared competences of the CSAs. While the EDPB agrees that the IE<br />
SA does act as ‘sole interlocutor’ of the controller or processor 320, this should not be understood as<br />
meaning it has ‘sole competence’ in a situation where the GDPR requires supervisory authorities to<br />
cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the Regulation 321. The<br />
fact that the IE SA will be the authority that can ultimately exercise the corrective powers listed in<br />
Article 58(2) GDPR can neither limit the role of the CSAs within the cooperation procedure nor the<br />
one of the EDPB in the consistency procedure 322.<br />
<br />
259. Therefore, contrary to WhatsApp IE’s views, the consistency mechanism may also be used to promote<br />
a consistent application by the supervisory authorities of the corrective measures, taking into account<br />
the range of powers listed in Article 58(2) GDPR, when a relevant and reasoned objection questions<br />
the action(s) envisaged by the Draft Decision towards the controller or processor, or the absence<br />
thereof. More specifically, when raising an objection on the existing or missing corrective measure in<br />
the Draft Decision, the CSA should indicate which action it believes would be appropriate for the IE SA<br />
to undertake and include in the final decision.<br />
<br />
260. As mentioned above, aside from the question of administrative fines tackled below in Section 8, the FI<br />
SA calls on the IE SA to use its corrective powers under Article 58(2) GDPR, by imposing an order on<br />
WhatsApp IE to bring its processing operations into compliance with the provisions of Article 6(1) GDPR<br />
with respect to the processing of service improvements and security for which WhatsApp IE relied<br />
upon Article 6(1)(b) GDPR.<br />
<br />
315 WhatsApp IE's Article 65 Submissions, paragraph 8.11.<br />
316 WhatsApp IE's Article 65 Submissions, paragraph 8.13.<br />
317 WhatsApp IE's Article 65 Submissions, paragraph 8.14.<br />
318 WhatsApp IE's Article 65 Submissions, paragraph 8.14.<br />
319 WhatsApp IE's Article 65 Submissions, paragraph 8.14.<br />
320 Article 56(6) GDPR.<br />
321 See Article 51(2), Article 60, Article 61(1) GDPR and the Judgement of the CJEU of 15 June 2021, Facebook<br />
Ireland Ltd and Others v Gegevensbeschermingsautoriteit, Case C-645/19, ECLI:EU:C:2021:483 (hereinafter ‘C-645/19<br />
Facebook Ireland Ltd and Others’), paragraphs 53, 63, 68, 72.<br />
322 Articles 63 and 65 GDPR.<br />
<br />
WhatsApp IE’s position on the objections and its submissions<br />
<br />
261. WhatsApp IE considers that “Any corrective measures should be exercised in a manner consistent with<br />
the principles of proportionality” and “should not go beyond what is necessary to achieve the objective<br />
of ensuring compliance with the GDPR”, in particular in accordance with Recital 129 GDPR 323.<br />
<br />
262. In addition, WhatsApp IE argues that “the EDPB cannot direct, nor can the DPC impose, a corrective<br />
order that would be prescriptive in specifying a legal basis on which WhatsApp Ireland must rely” 324.<br />
<br />
263. Moreover, WhatsApp IE states that “WhatsApp Ireland can only be ordered to bring its processing into<br />
compliance by ensuring it has a valid legal basis for processing and must be afforded discretion as to<br />
how it achieves such compliance” 325.<br />
<br />
264. Finally, WhatsApp IE argues that “There is no basis for the imposition of administrative fines” 326 and “it<br />
would be inappropriate, disproportionate, and unnecessary to impose an administrative fine” 327, as<br />
further developed by WhatsApp IE in Section 8.<br />
<br />
EDPB’s assessment on the merits<br />
<br />
265. In assessing the appropriate corrective measures to be applied, Article 58(2)(d) GDPR lists the<br />
following corrective measure:<br />
<br />
“order the controller or processor to bring processing operations into compliance with the provisions<br />
of this Regulation, where appropriate, in a specified manner and within a specified period”.<br />
<br />
266. According to Recital 129 GDPR, every corrective measure applied by a supervisory authority under<br />
Article 58(2) GDPR should be “appropriate, necessary and proportionate in view of ensuring compliance<br />
with the Regulation” in light of the circumstances of each individual case. This highlights the need for<br />
the corrective measures and any exercise of powers by supervisory authorities to be tailored to the<br />
specific case. Recital 129 GDPR also provides that each measure should “respect the right of every<br />
person to be heard before any individual measure which would affect him or her adversely is taken”.<br />
The measures chosen should provide consideration to ensuring that they do not create “superfluous<br />
costs” and “excessive inconveniences” for the persons concerned in light of the objective pursued.<br />
<br />
267. Recital 148 GDPR shows the duty for supervisory authorities to impose corrective measures that are<br />
proportionate to the seriousness of the infringement.<br />
<br />
268. The EDPB recalls that although the supervisory authority must determine which action is appropriate<br />
and necessary and take into consideration all the circumstances of the processing of personal data in<br />
question in that determination, the supervisory authority is nevertheless required to execute its<br />
responsibility for ensuring that the GDPR is fully enforced with all due diligence 328.<br />
<br />
<br />
<br />
<br />
<br />
323 WhatsApp IE's Article 65 Submissions, paragraph 8.15.<br />
324 WhatsApp IE's Article 65 Submissions, paragraph 8.33.<br />
325 WhatsApp IE's Article 65 Submissions, paragraph 8.34.<br />
326 C‑311/18 Schrems II, paragraph 112.<br />
327 C‑311/18 Schrems II, paragraph 112.<br />
328 C‑311/18 Schrems II, paragraph 112.<br />
<br />
269. The EDPB agrees with the FI SA that “the infringement cannot be consider as minor” 329. The EDPB<br />
reiterates that lawfulness of processing is one of the fundamental pillars of the data protection law<br />
and considers that processing of personal data without an appropriate legal basis is a clear and serious<br />
violation of the data subjects’ fundamental right to data protection. In addition, the infringement in<br />
the present case concerns a high number of data subjects 330 and a large amount of personal data.<br />
<br />
270. Indeed, the EDPB agrees with the FI SA that “If the IE SA does not make use of their respective corrective<br />
powers, there is danger that WhatsApp continues to unlawfully process personal data on the foot of<br />
Article 6(1)(b) GDPR” for service improvement and security processing operations 331 and “there is a<br />
danger that WhatsApp continues to undermine or bypass” data protection principles 332. In addition,<br />
failure to adopt any corrective measure in this case “would amount to a dangerous precedent, sending<br />
a deceiving message to the market and to data subjects, and would endanger the fundamental rights<br />
and freedoms of data subjects whose personal data are and will be processed by the controller” 333.<br />
<br />
271. As a consequence, the EDPB finds it appropriate for an order to bring processing into compliance to<br />
be imposed in this case (without prejudice to the additional conclusions in respect of the imposition<br />
of administrative fines available below in Section 8).<br />
<br />
272. According to the EDPB, the deadline for compliance with the order should be reasonable and<br />
proportionate, in light of the potential for harms to the data subject rights and the resources available<br />
to the controller to achieve compliance 334.<br />
<br />
273. Finally, the EDPB recalls that non-compliance with an order issued by a supervisory authority can be<br />
relevant both in terms of it being subject to administrative fines up to 20.000.000 euros or, in the case<br />
of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year in<br />
line with Article 83(6) GDPR, and in terms of it being an aggravating factor for the imposition of<br />
administrative fines 335. In addition, the investigative powers of supervisory authorities allow them to<br />
order the provision of all the information necessary for the performance of their tasks including the<br />
verification of compliance with one of their orders 336.<br />
<br />
274. In light of the above, the EDPB instructs the IE SA to include in its final decision an order for WhatsApp<br />
IE to bring its processing of personal data for the purposes of service improvement and security<br />
features in the context of its Terms of Service into compliance with Article 6(1) GDPR in accordance<br />
with the conclusion reached by the EDPB 337 within a specified period of time 338.<br />
<br />
329 FI SA Objection, paragraph 43.<br />
330 FI SA Objection, paragraph 46: “the draft decision affects all the data subjects within the EEA. Therefore, the<br />
consequences of not making use of the corrective powers pursuant to Article 58(2) GDPR are vast”.<br />
331 FI SA Objection, paragraph 37.<br />
332 FI SA Objection, paragraph 37.<br />
333 FI SA Objection, paragraph 45.<br />
334 The EDPB recalls its Binding Decision 1/2021 adopted on 28 July 2021 where the EDPB was called to resolve a<br />
dispute pursuant to Article 65 GDPR concerning, among others, the appropriateness of the deadline for<br />
compliance suggested in the draft decision at stake. After highlighting the relevance of Recitals 129 as well as<br />
148 GDPR for the imposition of corrective measures, the EDPB took into account the number of data subjects<br />
affected and the importance of the interest of affected data subjects in seeing the relevant provisions of the<br />
GDPR complied with in a short timeframe. While the EDPB also took note of the challenges highlighted by the<br />
controller, it found in that case that a compliance order with a three months’ timeframe could not be considered<br />
disproportionate considering the infringement as well as the type of organization, its size and the means<br />
(including inter alia financial resources but also legal expertise) available to it. Consequently, the EDPB instructed<br />
the LSA to amend the draft decision by reducing the deadline for compliance from six months to three months.<br />
EDPB Binding Decision 1/2021, paragraphs 254-263.<br />
335 Article 83(2)(i) GDPR.<br />
336 Article 58(1) GDPR.<br />
<br />
<br />
<br />
8 ON THE IMPOSITION OF AN ADMINISTRATIVE FINE<br />
<br />
<br />
8.1 Analysis by the LSA in the Draft Decision<br />
<br />
275. The IE SA as LSA does not find any infringement in the Draft Decision, thus no corrective measures and,<br />
in particular, no administrative fine are foreseen. The IE SA points out that in the own-volition inquiry<br />
in relation to WhatsApp IE’s Privacy Policy (deemed as “WhatsApp Transparency Decision” by the IE<br />
SA) corrective measures and among them an administrative fine are included 339. Moreover, as further<br />
clarified by the IE SA, no further examination or the issuance of further determination is needed, as<br />
the issues raised in the latter are consistent with the present case.<br />
<br />
<br />
8.2 Summary of the objections raised by the CSAs<br />
<br />
276. The FR SA, NO SA, DE SA and IT SA object to the IE SA’s failure to take action with respect to one or<br />
more specific infringements they deem should have been found and ask the IE SA to impose an<br />
administrative fine as a result of these infringements.<br />
<br />
277. The FR SA objects to the absence of an administrative fine by the IE SA in its Draft Decision. In the<br />
opinion of the FR SA, a breach of Article 6 GDPR has been committed which, in light of the serious<br />
character of this infringement, should result in the imposition of an administrative fine. If further<br />
breaches were to be identified with regard to the processing related to behavioural advertising,<br />
provision of metrics to third parties and with the processing of special categories of personal data, they<br />
should be taken into account by the IE SA when defining the amount of the administrative fine 340. The<br />
FR SA therefore asks the IE SA to impose an administrative fine.<br />
<br />
278. The NO SA and DE SA also argue that the IE SA should take concrete corrective measures against<br />
WhatsApp IE in relation to the additional infringement of Article 6(1) GDPR or Article 6(1)(b) GDPR,<br />
including to impose an administrative fine 341.<br />
<br />
279. The IT SA argues that there should be an administrative fine following the finding of an infringement<br />
of Article 5(1)(a) GDPR 342, and of Article 5(1)(b) and (c) GDPR 343. The IT SA argues that WhatsApp IE has<br />
failed to comply with the general principle of fairness under Article 5(1)(a) GDPR, which, in the view of<br />
the IT SA, entails separate requirements from those relating specifically to transparency. Moreover,<br />
the IT SA states that there is an additional infringement of points (b) and (c) of Article 5(1) GDPR on<br />
account of WhatsApp IE’s failure to comply with the purpose limitation and data minimisation<br />
principles. The IT SA asks for a fine to be issued for those additional infringements.<br />
<br />
<br />
<br />
<br />
<br />
<br />
337 As established above in Subsection 4.4.2.<br />
338 See above footnote 334 on paragraph 272.<br />
339 Draft Decision, paragraph 5.9.<br />
340 FR SA Objection, paragraph 53.<br />
341 NO SA Objection, p. 9; DE SA Objection, p. 8.<br />
342 IT SA Objection, p. 10.<br />
343 IT SA Objection, p. 8.<br />
<br />
280. In addition, the EDPB considers the FI SA’s request to consider the imposition of an administrative fine,<br />
as summarised above in Subsection 7.2, not as a separate objection but rather as a possible outcome<br />
of the IE SA’s use of its corrective powers pursuant to Article 58(2) GDPR 344.<br />
<br />
<br />
8.3 Position of the LSA on the objections<br />
<br />
281. The IE SA notes in its Composite Response that it is satisfied that the scope of the inquiry is appropriate<br />
and no question of an infringement of these provisions arises from the complaint, therefore the IE SA<br />
would not exercise its corrective powers and would not follow the respective objections 345.<br />
<br />
<br />
8.4 Analysis of the EDPB<br />
<br />
<br />
8.4.1 Assessment of whether the objections were relevant and reasoned<br />
<br />
The objections raised by the FR SA, NO SA, DE SA and IT SA concern “whether the action envisaged in<br />
the Draft Decision complies with the GDPR” 346.<br />
<br />
282. In addition to the primary argument levelled against all CSA’s objections 347 as well as the arguments<br />
against the objections regarding Article 6(1) GDPR of these CSAs, WhatsApp IE provides additional<br />
arguments on why it considers these not to be relevant and/or reasoned. In a general manner,<br />
WhatsApp IE argues that in any event, there is no basis for a finding that they infringed Article 6(1), 9<br />
and/or 5 GDPR because the actual processing has not been investigated or assessed in the course of<br />
the inquiry by the IE SA 348. Moreover, WhatsApp IE opines that the imposition of an administrative fine<br />
with respect to new findings of infringements would violate its right to be heard and rights of the<br />
defence 349. Furthermore, WhatsApp IE points out that the power to impose an administrative fine<br />
under the GDPR lies within the sole competence of the IE SA and that the EDPB does not have the<br />
power to consider objections solely challenging the amount of a fine or the possible instruction to<br />
impose a fine 350.<br />
<br />
283. WhatsApp IE is of the view that the FR SA’s objection cannot be considered relevant because they are<br />
dependent on another objection, which WhatsApp IE deems “an incorrect allegation of infringement<br />
of Article 6(1)(b) GDPR” 351. WhatsApp IE also does not consider the FR SA’s objection to be reasoned<br />
enough with regards to the power to impose administrative fines lying with the LSA and considers that<br />
the FR SA’s objection “fails to specify any direct, substantial, or plausible risks that could be prevented<br />
by applying Article 83(3) GDPR” 352. Regarding the DE SA and NO SA objections to the imposition of an<br />
administrative fine, WhatsApp IE does not provide arguments against the “relevant and reasoned”<br />
threshold apart from the general positions already reflected.<br />
<br />
<br />
344 FI SA Objection, paragraph 43 to 46.<br />
345 Composite Response, paragraph 78.<br />
346 Guidelines on RRO, paragraph 32.<br />
347 WhatsApp IE argues that these are “matters […] outside the Defined Scope of Inquiry and, as such, these<br />
Objections are not relevant and do not meet the requirements of Article 4(24). Accordingly, the EDPB is not<br />
competent to enter into the substantive consideration of the subject matters of these Objections or to purport<br />
to direct the DPC to find additional infringements of the GDPR” (WhatsApp’s Article 65 Submissions, paragraph<br />
7.3). The EDPB does not share this understanding, as explained above. See Section 4.4.1.<br />
348 WhatsApp IE’s Article 65 Submissions, paragraph 7.4.<br />
349 WhatsApp IE’s Article 65 Submissions, paragraph 7.5.<br />
350 WhatsApp IE’s Article 65 Submissions, paragraph 7.9.<br />
351 WhatsApp IE's Article 65 Submissions, Annex 1, p. 82.<br />
352 WhatsApp IE's Article 65 Submissions, Annex 1, p. 82-83.<br />
<br />
284. It is in the EDPB’s understanding that the FR SA disagrees with a specific part of the IE SA’s Draft<br />
Decision, namely the lack of an administrative fine regarding the breach of Article 6 GDPR. The FR SA<br />
adds that if additional breaches were to be found after any further investigations by the IE SA, they<br />
should be taken into account when assessing the fine and its amount 353. In consequence, the EDPB<br />
considers the objection to be relevant.<br />
<br />
285. The FR SA further argues that the lack of an administrative fine is in contradiction with the seriousness<br />
of the issues at hand, the nature of the processing and the size of the controller 354. In the view of the<br />
FR SA, not imposing a fine would clearly be detrimental to the rights, freedoms and guarantees of the<br />
data subjects and would also reduce the authorities' coercive power and, consequently, their<br />
ability to ensure effective compliance with the protection of the personal data of European<br />
residents 355. Therefore, the EDPB considers the objection to be reasoned and to clearly demonstrate<br />
the significance of the risks posed by the Draft Decision.<br />
<br />
<br />
***<br />
<br />
286. The EDPB recalls that the NO and DE SA argue that WhatsApp IE may not rely on Article 6(1)(b) GDPR<br />
for the specified data processing and the IE SA should exercise its corrective powers and impose an<br />
administrative fine 356. If followed, these objections would lead to a different conclusion as to the<br />
possible imposition of an administrative fine. In consequence, the EDPB considers the objections to be<br />
relevant and to be reflections upon how the IE SA in their view should 'give full effect to the binding<br />
direction(s) as set out in the EDPB’s decision' 357. The EDPB finds that the objection is concrete in the<br />
change proposed. However, it takes note that the NO and DE SA’s assessment of the risks of the draft<br />
decision relates to the IE SA's interpretation of Article 6(1)(b) GDPR and not sufficiently to the lack of an<br />
imposition of an administrative fine. Therefore, the EDPB does not consider this aspect of the NO and<br />
DE SAs' objections to meet the requirements of Article 4(24) GDPR and therefore finds them not sufficiently<br />
reasoned 358.<br />
<br />
<br />
287. Taking into account the aforementioned, the EDPB considers that the objection of the FR SA requesting<br />
the imposition of an administrative fine is relevant and reasoned pursuant to Article 4(24) GDPR.<br />
<br />
288. With respect to the objection raised by the IT SA concerning the imposition of an administrative fine<br />
for the alleged infringement of the fairness principle enshrined in Article 5(1)(a), the EDPB finds that it<br />
stands in connection with the substance of the Draft Decision, as it concerns the imposition of a<br />
corrective measure for an additional infringement, which would be found as a consequence of<br />
incorporating the finding put forward by the objection. Clearly, the decision on the merits of the<br />
demand to take corrective measures for a proposed additional infringement is affected by the EDPB’s<br />
decision on whether to instruct the IE SA to include an additional infringement.<br />
<br />
289. If followed, the IT SA’s objection sets out how it would lead to a different conclusion in terms of<br />
corrective measures imposed 359. Therefore, the EDPB finds the objections raised by the IT SA to be<br />
relevant.<br />
<br />
<br />
353 FR SA Objection, paragraph 53.<br />
354 FR SA Objection, paragraph 56.<br />
355 FR SA Objection, paragraph 56-57.<br />
356 NO SA Objection, p. 8-9; DE SA Objection, p. 8.<br />
357 Guidelines on Article 65(1)(a) GDPR, paragraph 50.<br />
358 See also Section 4.4.1 of this Binding Decision.<br />
359 IT SA Objection, p. 8-10.<br />
<br />
290. WhatsApp IE argues the IT SA’s objection is insufficiently detailed, adding that it is not possible to<br />
identify the legal arguments the IT SA wishes to put forward in respect of the fine 360. The EDPB finds<br />
that the IT SA adequately argues why they propose amending the Draft Decision and how this leads to<br />
a different conclusion in terms of administrative fine imposed 361.<br />
<br />
291. WhatsApp IE argues the objection of the IT SA fails to demonstrate the risk posed by the Draft Decision<br />
as required and, in doing so, WhatsApp IE dismisses the concerns articulated by the IT SA on the<br />
precedent the draft decision sets 362.<br />
<br />
292. The EDPB finds that the IT SA articulates an adverse effect on the rights and freedoms of data subjects<br />
if the Draft Decision is left unchanged, by referring to a failure to guarantee a high level of protection<br />
in the EU for the rights and interests of the individuals 363.<br />
<br />
293. Therefore, the EDPB considers the IT SA’s objection concerning the imposition of a fine for the alleged<br />
additional infringement of the principle of fairness enshrined in Article 5(1)(a) GDPR to be reasoned.<br />
<br />
<br />
***<br />
<br />
294. The EDPB recalls its analysis of whether the objection raised by the IT SA in respect of the proposed<br />
alleged additional infringements of Article 5(1)(b) GDPR and 5(1)(c) GDPR meets the threshold set by<br />
Article 4(24) GDPR (see Section 5.4.1 above). In light of the conclusion that such objection is not<br />
relevant and reasoned, the EDPB does not need to further examine this linked objection.<br />
<br />
295. Furthermore, with regard to the FI SA’s objection the EDPB recalls the analysis made in Subsection<br />
7.4.1 and in 8.2 of this Binding Decision.<br />
<br />
8.4.2 Assessment on the merits<br />
<br />
<br />
296. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the<br />
matters which are the subject of the relevant and reasoned objections, in particular whether the<br />
envisaged action in relation to the controller or processor complies with the GDPR.<br />
<br />
297. Regarding the processing purposes or data categories raised by the FR SA which were not<br />
part of the scope of the inquiry, it is appropriate to refer to the EDPB conclusion as stated above in<br />
subsection 6.1.4.2, where the IE SA is instructed to launch further investigations.<br />
<br />
298. Regarding the FI SA’s objection as mentioned in Subsection 8.2 and analysed in Section 7, the EDPB<br />
again recalls that it only takes note of it, as it is not deemed a separate objection but rather a possible<br />
outcome of the IE SA’s use of its corrective powers pursuant to Article 58(2) GDPR.<br />
<br />
299. When assessing the merits of all the objections raised, the EDPB also takes into account WhatsApp IE’s<br />
position on the objection and its submissions.<br />
<br />
300. WhatsApp IE considers that the LSA has sole discretion to impose an administrative fine. WhatsApp IE<br />
argues that in the context of a matter relating to cross-border processing, the power to impose an<br />
administrative fine under the GDPR lies within the sole competence of the LSA and not the CSAs or the<br />
EDPB. Furthermore, WhatsApp IE argues that the GDPR does not confer any power on the EDPB to<br />
consider objections solely challenging the amount of a fine, and the EDPB may not give instructions as<br />
to whether a fine ought to be imposed, or as to its amount 364.<br />
<br />
<br />
360 WhatsApp IE's Article 65 Submissions, Annex 1, p. 108-109.<br />
361 The IT SA argues that the finding of such infringement “should result into the imposition of the relevant<br />
administrative fine as per Article 83(5)(a) GDPR”, adding the requirement that each fine should be<br />
proportionate and dissuasive and arguing the gravity of the infringement, see IT SA Objection, p. 10.<br />
362 WhatsApp IE's Article 65 Submissions, Annex 1, p. 109.<br />
363 IT SA Objection, p. 10.<br />
<br />
<br />
301. According to the EDPB, the views of WhatsApp IE amount to a misunderstanding of the GDPR one-stop-shop<br />
mechanism and of the shared competences of the CSAs. The EDPB responds to WhatsApp<br />
IE’s argument that the LSA has sole discretion to determine the appropriate corrective measures in the<br />
event of a finding of infringement above (see Section 7, paragraph 258-259).<br />
<br />
302. While the EDPB agrees that the LSA does act as “sole interlocutor” of the controller or processor 365,<br />
this should not be understood as meaning it has “sole competence” in a situation where the GDPR<br />
requires SAs to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the<br />
Regulation 366. The fact that the LSA will be the authority that can ultimately exercise the corrective<br />
powers listed in Article 58(2) GDPR cannot limit the role of the CSAs within the cooperation procedure<br />
or the one of the EDPB in the consistency procedure 367.<br />
<br />
303. Therefore, contrary to WhatsApp IE’s views, the consistency mechanism may also be used to promote<br />
a consistent application by the supervisory authorities of the corrective measures, taking into account<br />
the range of powers listed in Article 58(2) GDPR, when a relevant and reasoned objection questions<br />
the action(s) envisaged by the Draft Decision vis-a-vis the controller/processor, or the absence<br />
thereof 368. More specifically, when raising an objection on the existing or missing corrective measure<br />
– such as an administrative fine – in the Draft Decision, the CSA should indicate which action it believes<br />
would be appropriate for the LSA to undertake and include in the final decision 369.<br />
<br />
8.4.2.1.1 Assessment of whether an administrative fine should be imposed for the infringement of<br />
Article 6(1) GDPR<br />
<br />
304. The EDPB considers that the objection found to be relevant and reasoned in this subsection requires<br />
an assessment of whether the Draft Decision needs to be changed in respect to the lack of corrective<br />
measures proposed. More specifically, the EDPB needs to assess the request to impose an<br />
administrative fine for the infringements that ought to be found by the LSA according to this<br />
Binding Decision. The EDPB recalls its conclusion in this Binding Decision on the infringement of Article<br />
6(1) GDPR 370.<br />
<br />
305. The EDPB concurs that the decision to impose an administrative fine needs to be taken on a case-by-case<br />
basis in light of the circumstances and is not an automatic one 371. However, the EDPB recalls that<br />
when a violation of the Regulation has been established, competent supervisory authorities are<br />
required to react appropriately to remedy this infringement in accordance with the means provided<br />
to them by Article 58(2) GDPR 372, which includes the possible imposition of an administrative fine<br />
pursuant to Article 58(2)(i) GDPR 373.<br />
<br />
306. Indeed, as already mentioned the consistency mechanism may also be used to promote a consistent<br />
application of administrative fines 374: where a relevant and reasoned objection identifies shortcomings<br />
in the reasoning leading to the imposition of the fine at stake (or naturally the lack of one), the EDPB<br />
can instruct the LSA to engage in a new assessment of the need for a fine or the calculation of a<br />
proposed fine 375.<br />
<br />
307. The EDPB again wants to recall that although the supervisory authority must determine which action<br />
is appropriate and necessary and take into consideration all the circumstances of the processing of<br />
personal data in question in that determination, the supervisory authority is nevertheless required to<br />
execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence 376. Recital<br />
148 shows the duty for supervisory authorities to impose corrective measures that are proportionate<br />
to the seriousness of the infringement 377.<br />
<br />
308. With respect to the imposition of an administrative fine, the EDPB recalls the requirements of Article<br />
83(1) GDPR, as well as that due account must be given to the elements of Article 83(2) GDPR.<br />
<br />
309. As already established the EDPB considers the lawfulness of processing to be one of the fundamental<br />
pillars of the data protection law and that processing of personal data without an appropriate legal<br />
basis is a clear and serious violation of the data subjects’ fundamental right to data protection 378. The<br />
EDPB therefore agrees with the FR SA in considering the identified breach as serious 379.<br />
Furthermore, the EDPB takes the view that the infringement at issue relates to the processing of<br />
personal data of a significant number of people in a cross-border scope and that the impact on them<br />
has to be considered 380.<br />
<br />
310. The EDPB underlines that the specific circumstances of the case have to be reflected. Such<br />
circumstances not only refer to the specific elements of the infringement, but also those of the<br />
controller or processor who committed the infringement, namely its size and financial position 381.<br />
<br />
<br />
364 WhatsApp IE's Article 65 Submissions, paragraph 7.9.<br />
365 Article 56(6) GDPR.<br />
366 See GDPR Art. 51(2), 60, 61(1), and C-645/19 Facebook Ireland Ltd and Others, paragraphs 53, 63, 68, 72.<br />
367 Article 63 and 65 GDPR.<br />
368 Guidelines on RRO, paragraph 7. Objections may relate to both existing or missing elements in the draft<br />
decision.<br />
369 Guidelines on RRO, paragraphs 29 and 33.<br />
370 See Section 4.4.2 of this Binding Decision.<br />
371 WP29 Guidelines on Administrative fines, p. 6 (“Like all corrective measures in general, administrative fines<br />
should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities<br />
must assess all the facts of the case in a manner that is consistent and objectively justified. The assessment of<br />
what is effective, proportional and dissuasive in each case will have to also reflect the objective pursued by the<br />
corrective measure chosen, that is either to re-establish compliance with the rules, or to punish unlawful<br />
behavior (or both)”), p. 7 (“The Regulation requires assessment of each case individually”; “Fines are an<br />
important tool that supervisory authorities should use in appropriate circumstances. The supervisory<br />
authorities are encouraged to use a considered and balanced approach in their use of corrective measures, in<br />
order to achieve both an effective and dissuasive as well as a proportionate reaction to the breach. The point is<br />
to not qualify the fines as last resort, nor to shy away from issuing fines, but on the other hand not to use them<br />
in such a way which would devalue their effectiveness as a tool.”).<br />
372 C-311/18 Schrems II, paragraph 111.<br />
373 See also FI SA Objection, paragraph 43.<br />
374 Recital 150 GDPR.<br />
375 Guidelines on RRO, paragraph 34.<br />
376 C-311/18 Schrems II, paragraph 112.<br />
377 Recital 148 GDPR states, for instance: “in a case of a minor infringement or if the fine likely to be imposed<br />
would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine”.<br />
The EDPB confirmed that “the indications provided by this Recital can be relevant for the imposition of corrective<br />
measures in general and for the choice of the combination of corrective measures that is appropriate and<br />
proportionate to the infringement committed”. EDPB Binding Decision 1/2021, paragraph 256.<br />
378 Article 8(2), EU Charter.<br />
379 FR SA Objection, paragraph 56.<br />
380 See Guidelines on calculation of fines, paragraph 54.<br />
381 On turnover see Guidelines on calculation of fines, paragraph 49; also FR SA objection, paragraph 56.<br />
<br />
<br />
311. Though the damage is very difficult to express in terms of a monetary value, it remains the case that<br />
data subjects have been faced with data processing that should not have occurred (by relying<br />
inappropriately on Article 6(1)(b) GDPR as a legal basis as established in section 4.4.2). The data<br />
processing in question entails decisions about information that data subjects are exposed to or<br />
excluded from receiving. The EDPB recalls that non-material damage is explicitly regarded as relevant<br />
in recital 75 GDPR and that such damage may result from situations “where data subjects might be<br />
deprived of their rights and freedoms or prevented from exercising control over their personal data”.<br />
Given the nature and gravity of the infringement of Article 6(1) GDPR, a risk of damage caused to data<br />
subjects is, in such circumstances, consubstantial with the finding of the infringement itself.<br />
<br />
312. In the light of the nature and gravity of the infringement pursuant to Article 83(2)(a) GDPR as<br />
identified in the paragraphs above, in the view of the EDPB the combination of the mentioned factors<br />
already clearly tips the balance in favour of imposing an administrative fine.<br />
<br />
313. For conduct infringing data protection rules, the GDPR does not provide for a minimum fine. Rather,<br />
the GDPR only provides for maximum amounts in Article 83(4)–(6) GDPR, in which several different<br />
types of conduct are grouped together. A fine can ultimately only be calculated by weighing up all the<br />
elements expressly identified in Article 83(2)(a)–(j) GDPR, relevant to the case and any other relevant<br />
elements, even if not explicitly listed in the said provisions (as Article 83(2)(k) GDPR requires to give<br />
due regard to any other applicable factor). Finally, the final amount of the fine resulting from this<br />
assessment must be effective, proportionate and dissuasive in each individual case (Article 83(1)<br />
GDPR). Any fine imposed must sufficiently take into account all of these parameters, whilst at the same<br />
time not exceeding the legal maximum provided for in Article 83(4)–(6) GDPR 382.<br />
<br />
314. In light of the above, the EDPB instructs the IE SA to impose an administrative fine, remaining in line<br />
with the criteria provided for by Article 83(2) GDPR and ensuring it is effective, proportionate and<br />
dissuasive in line with Article 83(1) GDPR, in accordance with the conclusions reached by the EDPB,<br />
namely the identified infringement of Article 6(1) GDPR.<br />
<br />
8.4.2.1.2 Assessment of whether an administrative fine should be imposed for the infringement of<br />
the fairness principle under Article 5(1)(a) GDPR<br />
<br />
<br />
315. The EDPB recalls its conclusion in this Binding Decision on the infringement by WhatsApp IE of the<br />
fairness principle under Article 5(1)(a) GDPR 383 and that the objection raised by the IT SA, which is<br />
found to be relevant and reasoned, requested the IE SA to exercise its power to impose an<br />
administrative fine 384.<br />
<br />
316. The EDPB takes note of WhatsApp IE’s view that the IT SA objection is not relevant and reasoned 385<br />
and also notes that WhatsApp IE takes the view that it would be inappropriate, clearly disproportionate, and<br />
unnecessary to impose an administrative fine 386.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
382 See Guidelines on calculation of fines, paragraph 16.<br />
383 Section 5.4.2 of this Binding Decision.<br />
384 Paragraphs 289-293 of this Binding Decision.<br />
385 Paragraph 138 of this Binding Decision.<br />
386 WhatsApp IE's Article 65 Submissions, Annex 1, p. 109.<br />
<br />
317. The EDPB again recalls that the decision to impose an administrative fine needs to be taken on a case-by-case<br />
basis in light of the circumstances and is not an automatic one 387 and the specificities of the<br />
case have to be taken into account.<br />
<br />
318. As previously established, the principle of fairness under Article 5(1)(a) GDPR, although intrinsically<br />
linked to the principles of lawfulness and transparency under the same provision, has an independent<br />
meaning 388.<br />
<br />
319. Considering the EDPB’s findings in Section 5.4.2 that WhatsApp IE has not complied with key<br />
requirements of the principle of fairness, the EDPB reiterates its view that WhatsApp IE has infringed<br />
the principle of fairness under Article 5(1)(a) GDPR and agrees with the IT SA that this infringement<br />
should be adequately taken into account by the IE SA in the calculation of the amount of the<br />
administrative fine to be imposed following the conclusion of this inquiry.<br />
<br />
320. Therefore, the EDPB instructs the IE SA to take into account the infringement by WhatsApp IE of the<br />
fairness principle enshrined in Article 5(1)(a) GDPR as established above when determining the fine for<br />
the violation of Article 6(1) GDPR as instructed above. If, however, the IE SA considers an additional<br />
fine for the breach of the principle of fairness is an appropriate corrective measure, the EDPB requests<br />
the IE SA to include this in its final decision. In any case, the IE SA must take into account the criteria<br />
provided for by Article 83(2) GDPR and ensure it is effective, proportionate and dissuasive in line with<br />
Article 83(1) GDPR.<br />
<br />
<br />
<br />
9 BINDING DECISION<br />
<br />
321. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue<br />
binding decisions pursuant to Article 65 GDPR, the EDPB issues the following binding decision in<br />
accordance with Article 65(1)(a) GDPR.<br />
<br />
322. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in<br />
accordance with Article 65(2) GDPR.<br />
<br />
323. On the objections concerning whether the LSA should have found an infringement for lack of<br />
appropriate legal basis<br />
<br />
1. The EDPB decides that the objections of the DE SA, FI SA, FR SA, NL SA and NO SA regarding<br />
WhatsApp's reliance on Article 6(1)(b) GDPR meet the requirements of Article 4(24) GDPR.<br />
<br />
2. The EDPB decides that WhatsApp IE has inappropriately relied on Article 6(1)(b) GDPR to<br />
process the Complainant’s personal data for the purpose of service improvement and security in the<br />
context of its Terms of Service and therefore lacks a legal basis to process these data. WhatsApp IE has<br />
consequently infringed Article 6(1) GDPR by unlawfully processing personal data.<br />
<br />
3. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision, which concludes that<br />
WhatsApp IE may rely on Article 6(1)(b) in the context of its offering of Terms of Service, and to include<br />
an infringement of Article 6(1) GDPR, on the basis of the conclusion reached by the EDPB in this Binding<br />
Decision.<br />
<br />
<br />
<br />
<br />
387 See above paragraph 305 of this Binding Decision.<br />
388 See paragraph 147-149 of this Binding Decision.<br />
<br />
324. On the objections concerning the potential additional infringement of the principle of fairness<br />
<br />
<br />
4. The EDPB decides that the objection of the IT SA regarding the infringement by WhatsApp IE<br />
of the principle of fairness under Article 5(1)(a) GDPR meets the requirements of Article 4(24) GDPR.<br />
<br />
5. The EDPB instructs the IE SA to find in its final decision an additional infringement of the<br />
principle of fairness under Article 5(1)(a) GDPR by WhatsApp IE.<br />
<br />
325. On the objection concerning the potential additional infringement of the principles of purpose<br />
limitation and data minimisation<br />
<br />
6. On the objection by the IT SA concerning the possible additional infringements of the principles<br />
of purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, the EDPB decides this<br />
objection does not meet the requirements of Article 4(24) GDPR.<br />
<br />
326. On the objections concerning the potential need for further investigation:<br />
<br />
7. The EDPB decides that the objections of the IT SA, FR SA and FI SA regarding the lack of<br />
investigation of WhatsApp’s processing operations in its service of special categories of personal data<br />
(Article 9 GDPR), of data processed for the purposes of behavioural advertising, for marketing<br />
purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated<br />
companies for the purposes of service improvements, meet the requirements of Article 4(24) GDPR.<br />
<br />
8. The EDPB decides that the IE SA shall carry out an investigation into WhatsApp’s processing<br />
operations in its service in order to determine if it processes special categories of personal data (Article<br />
9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well<br />
as for the provision of metrics to third parties and the exchange of data with affiliated companies for<br />
the purposes of service improvements, and in order to determine if it complies with the relevant<br />
obligations under the GDPR. Based on the results of that investigation and the findings the IE SA shall<br />
issue a new Draft Decision in accordance with Article 60(3) GDPR.<br />
<br />
327. On corrective measures other than administrative fines<br />
<br />
9. TheEDPBdecidesthattheobjectionoftheFI SArequesting correctivemeasurestobe imposed<br />
incompliance withtheArticle 58(2)GDPRmeetthe requirementsof Article4(24)GDPR.<br />
<br />
10.On the objections by the DE and NO SAs requesting corrective measures to be imposed in<br />
<br />
compliance with the Article 58(2) GDPR, the EDPB decides that these objections do not meet the<br />
requirementsof Article4(24)GDPR.<br />
<br />
11.The EDPB instructsthe IESA to include in its finaldecision anorder for WhatsApp IEto bring<br />
its processing of personal data for the purposes of service improvement and security featuresin the<br />
<br />
context of its Terms of Service into compliance with Article 6(1) GDPR in accordance with the<br />
conclusion reachedby theEDPB 389withina specified periodof time 39.<br />
<br />
328.Onthe objectionsconcerningtheimposition ofan administrativefine for the lackoflegal basis<br />
<br />
12.The EDPB decides that the objections of the FR SA regarding the imposition of an<br />
administrative fine for the infringement of Article 6(1) GDPRmeetsthe requirements of Article 4(24)<br />
<br />
GDPR.<br />
<br />
<br />
<br />
38As establishedaboveinSubsection4.4.2.<br />
39Seeabovefootnote334onparagraph272.<br />
<br />
<br />
Adopted 67<br />
<br />
13. The EDPB decides that the relevant parts of the objections of the NO and DE SAs specifically relating to an administrative fine for the lack of legal basis do not meet the threshold of Article 4(24) GDPR.<br />
<br />
14. The EDPB instructs the IE SA to cover the additional infringement of Article 6(1) GDPR with an administrative fine, which is effective, proportionate and dissuasive in accordance with Article 83(1) GDPR. In determining the fine amount, the IE SA must give due regard to all the applicable factors listed in Article 83(2) GDPR, in particular the nature and gravity of the infringement and the number of data subjects affected.<br />
<br />
329. On the objection concerning the imposition of an administrative fine for the infringement of the fairness principle under Article 5(1)(a) GDPR<br />
<br />
15. The EDPB decides that the objection of the IT SA regarding the imposition of an administrative fine for the infringement of Article 5(1)(a) GDPR meets the requirements of Article 4(24) GDPR.<br />
<br />
16. The EDPB instructs the IE SA to take into account the infringement by WhatsApp IE of the fairness principle enshrined in Article 5(1)(a) GDPR when determining the fine for the violation of Article 6(1) GDPR as instructed above. If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensure it is effective, proportionate and dissuasive in line with Article 83(1) GDPR.<br />
<br />
330. On the objection concerning the imposition of an administrative fine for the infringement of Article 5(1)(b) and (c) GDPR<br />
<br />
17. The EDPB decides that it does not need to examine the objection of the IT SA regarding the imposition of an administrative fine for the infringement of Article 5(1)(b) and (c) GDPR.<br />
<br />
<br />
10 FINAL REMARKS<br />
<br />
<br />
331. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on the basis of this binding decision pursuant to Article 65(6) GDPR.<br />
<br />
332. Regarding the objections deemed not to meet the requirements stipulated by Art 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by these objections. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.<br />
<br />
333. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding Decision without undue delay and at the latest by one month after the EDPB has notified its Binding Decision.<br />
<br />
334. The IE SA shall inform the EDPB of the date when its final decision is notified to the controller or the processor 391. This Binding Decision will be made public pursuant to Article 65(5) GDPR without delay after the IE SA has notified its final decision to the controller 392.<br />
<br />
391 Article 65(6) GDPR.<br />
392 Article 65(5) and (6) GDPR.<br />
<br />
335. The IE SA will communicate its final decision to the Board 393. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included in the register of decisions which have been subject to the consistency mechanism.<br />
<br />
<br />
<br />
<br />
For the European Data Protection Board<br />
<br />
The Chair<br />
<br />
(Andrea Jelinek)<br />
<br />
39 Article 60(7) GDPR.<br />
<br />
<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Whatsapp_Ireland_Limited_-_IN-18-5-6&diff=30713
DPC (Ireland) - Whatsapp Ireland Limited - IN-18-5-6
2023-01-25T15:05:04Z
<p>AK: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Ireland<br />
|DPA-BG-Color=background-color:#013d35;<br />
|DPAlogo=LogoIE.png<br />
|DPA_Abbrevation=DPC<br />
|DPA_With_Country=DPC (Ireland)<br />
<br />
|Case_Number_Name=Whatsapp Ireland Limited - IN-18-5-6<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=noyb website<br />
|Original_Source_Link_1=https://noyb.eu/sites/default/files/2023-01/FINAL%2520%2528adoption%2520version%2529%2520Decision%2520%2528WA%2529%2520Redacted%2520%25281%2529_geschw%25C3%25A4rzt.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=25.05.2018<br />
|Date_Decided=12.01.2023<br />
|Date_Published=19.01.2023<br />
|Year=2023<br />
|Fine=5,500,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 7 GDPR<br />
|GDPR_Article_Link_4=Article 7 GDPR<br />
|GDPR_Article_5=Article 9 GDPR<br />
|GDPR_Article_Link_5=Article 9 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
|GDPR_Article_9=Article 24 GDPR<br />
|GDPR_Article_Link_9=Article 24 GDPR<br />
|GDPR_Article_10=Article 56 GDPR<br />
|GDPR_Article_Link_10=Article 56 GDPR<br />
|GDPR_Article_11=Article 58 GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR<br />
|GDPR_Article_12=Article 60 GDPR<br />
|GDPR_Article_Link_12=Article 60 GDPR<br />
|GDPR_Article_13=Article 65 GDPR<br />
|GDPR_Article_Link_13=Article 65 GDPR<br />
|GDPR_Article_14=Article 77 GDPR<br />
|GDPR_Article_Link_14=Article 77 GDPR<br />
|GDPR_Article_15=Article 79 GDPR<br />
|GDPR_Article_Link_15=Article 79 GDPR<br />
|GDPR_Article_16=Article 83 GDPR<br />
|GDPR_Article_Link_16=Article 83 GDPR<br />
|GDPR_Article_17=<br />
|GDPR_Article_Link_17=<br />
|GDPR_Article_18=<br />
|GDPR_Article_Link_18=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=German Whatsapp user (represented by noyb - European Centre for Digital Rights)<br />
|Party_Link_1=https://noyb.eu/en<br />
|Party_Name_2=Whatsapp Ireland Limited<br />
|Party_Link_2=https://www.whatsapp.com/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=LR<br />
|<br />
}}<br />
<br />
Following a complaint filed by a German Whatsapp user, the Irish DPA found Whatsapp IE’s processing of personal data for “service improvements” and “security” to be unlawful, and fined the company €5,500,000.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In order to access Whatsapp, an online instant messaging platform ultimately owned and controlled by “Meta Platforms Inc.”, a user was required to accept a series of terms and conditions (the “Terms of Service”) and a Privacy Policy. <br />
<br />
Under the GDPR, Whatsapp IE was obliged to have a lawful basis for the processing of any personal data. [[Article 6 GDPR#1|Article 6(1) GDPR]] detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Whatsapp platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Whatsapp account.<br />
<br />
A German Whatsapp user, the “data subject” and “complainant”, filed a complaint against Whatsapp IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Whatsapp IE’s data processing practices on the Whatsapp platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Hamburg DPA (HmbBfDI) and later transferred to the German Federal DPA (BfDI), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.<br />
<br />
Firstly, there existed a clear imbalance of power between controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleged that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.<br />
<br />
Secondly, the use of the Whatsapp service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. [[Article 7 GDPR#4|Article 7(4) GDPR]], which defines the conditions for consent, specifically states that “''utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract''”. As such, the “consent” upon which the data controller seeks to rely is invalid.<br />
<br />
Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.<br />
<br />
Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.<br />
<br />
The BfDI referred the case to the Irish DPA (DPC) under article 56 GDPR, and in accordance with the procedure outlined in [[Article 60 GDPR]].<br />
<br />
Responding to the Complainant’s assertions Whatsapp IE submitted, among other points, that it does not rely on consent as the lawful basis for the relevant processing of personal data. According to the company, “''the legitimization of the processing at issue in this inquiry falls under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]'' [necessary for the performance of a contract] ''and therefore an assessment under Article 6(1)(b) only is required''”. (DPC Preliminary Draft Decision, para 3.4)<br />
<br />
=== Holding ===<br />
In the Final Decision, the DPC identified four issues which had to be addressed (three issues the DPC intended to address and an additional issue on which the EDPB directed the DPC to make a finding).<br />
<br />
<u>Issue 1 – Whether Clicking on the “Accept” Button Constitutes or Must be Consent for the Purposes of the GDPR</u><br />
<br />
The DPC proposed, in its draft report, to make two separate findings on this issue: firstly, that Whatsapp IE has not sought to rely on consent in order to process personal data ''"to deliver the Terms of Service"''; and secondly, that Whatsapp IE is not legally obliged to rely on consent in order to do so (2.21).<br />
<br />
In two other similar decisions – based on complaints filed by ''noyb'' concerning forced consent on the social media platforms Facebook and Instagram – the DPC proposed similar conclusions on the issue of consent and the EDPB directed it to dismiss these findings (please see [https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Facebook)_-_IN-18-5-5 IN-18-5-5]; [https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Instagram)_-_IN-18-5-7 IN-18-5-7]). In the present case, however, the EDPB decision does not contain any instruction or direction that would require the DPC to disturb proposed Finding 1 (2.22). Nevertheless, given that Finding 1 represented the dismissal/rejection of part of the complaint, a separate decision must be adopted by the supervisory authority of the complainant (HmbBfDI), in accordance with the procedure in [[Article 60 GDPR#9|Article 60(9) GDPR]]. Accordingly, the DPC removed its proposed “Finding 1” from its Final Decision (2.23).<br />
<br />
<br />
<u>Issue 2 – Reliance on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a Lawful Basis for Personal Data Processing</u><br />
<br />
The second issue concerns whether Whatsapp IE can rely on Article 6(1)(b) as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “''processing is necessary for the performance of a contract to which the data subject is a party''”. Addressing this issue, the DPC first sought to address the question of scope – identifying which processing practices they are concerned with in this context – before moving to the question of contractual necessity as a lawful basis.<br />
<br />
In terms of scope, the DPC began by stating that its analysis will be based only on the Whatsapp Terms of Service, and not on the Privacy Policy. In its view, the Privacy Policy is essentially an explanatory document for the purposes of transparency, and is not incorporated within the Terms of Service (3.4 – 3.5). The DPC then takes issue with the generality, or vagueness, of the complaint, which – in its view – does not identify “''specific processing operations by reference to an identifiable body of data with any clarity of precision''” (3.6). Furthermore, according to the DPC, the complainant was not entitled to request that the DPC “''conduct an assessment of all processing operations carried out by Whatsapp''” (3.6). After stating that “''the Complaint does, however, focus on a number of particular processing activities and has a specific focus on data processed to facilitate improvements to services and advertising''” (3.7), the DPC explains that its draft decision proposed an assessment of whether Whatsapp IE can rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for data processing for service improvements, providing metrics to third parties (such as companies within the same group of companies), and advertising. However, on the question of advertising, the DPC states that “''no evidence has been presented by the Complainant that Whatsapp processes personal data for the purpose of advertising''” (3.8), and therefore data processing for advertising is not relevant to this inquiry. With regard to “providing metrics to third parties”, the DPC states later in the decision that “''any sharing with affiliated companies formed part of the general ‘improvements’ that are carried out pursuant to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]''” (3.33). Therefore, the DPC took the view that providing metrics to third parties forms part of service improvements, as “''any clear delineation between these two forms of processing was artificial''” (3.33). As a result, the DPC restricted the scope of its inquiry to “regular improvements and maintaining standards of security”.<br />
<br />
Issuing its Binding Decision, the EDPB disagreed with the DPC’s assessment of scope, in particular the exclusion of data processed for advertising. The EDPB stated as follows:<blockquote>“''The inquiry underpinning this decision ought to have included an examination of ‘the legal basis for [Whatsapp’s] processing operations for the purposes of behavioural advertising, the potential processing of special categories of personal data, applicable legal basis for provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, as well as the processing of personal data for the purposes of marketing''’” (EDPB – 218).</blockquote>Accordingly, the EDPB directed the DPC to commence a new inquiry into whether Whatsapp processes data in the ways described (EDPB 222). The DPC did not conduct this inquiry as, in their view, “''that direction cannot be addressed… in this decision''” and proceeded in their analysis, continuing to exclude questions of data processed for advertising.<br />
<br />
Regarding the second question, whether the data processing is necessary for the purpose of a contract between Whatsapp IE and its users, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “''the ‘core’ functions of a contract must be assessed in order to determine what processing is objectively necessary in order to perform it''” (3.27). However, the DPC added that “''necessity is to be determined by reference to the particular contract''” (3.27) and “''it is not for an authority such as the'' [DPC], ''tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible''” (3.45). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “''the actual bargain which has been struck between the parties''” (3.30). The DPC stated “''it seemed to me… that Whatsapp’s model and the service being offered is explicitly one that includes improvements to an existing service, and a commitment to upholding certain standards relating to abuse, etc., that is common across all affiliated platforms''” (3.42). Accordingly, the Draft Decision “''proposed to conclude, in the Draft Decision... that WhatsApp was, in principle, entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for processing personal data''” (3.50).<br />
<br />
However, when issuing its Binding Decision, with regard to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:<blockquote>“''The EDPB agrees with the IE SA and Whatsapp IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Whatsapp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under [[Article 6 GDPR]] if it is appropriate for the processing at stake''" (EDPB - 100).<br />
<br />
"''The GDPR makes Whatsapp IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Whatsapp IE and its business model''” (EDPB - 101).<br />
<br />
"''The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR''" (EDPB - 102).<br />
<br />
“''[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance''” (EDPB – 105).<br />
<br />
"''the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR''" (EDPB - 110).</blockquote>Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for service improvements and security is not essential to the contract between Whatsapp IE and its users. The EDPB observes that Whatsapp is under a duty to consider the possibility of less intrusive ways to pursue the stated purpose, for example, “''rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose''” (EDPB - 109).<br />
<br />
Furthermore, the EDPB points to an imbalance of knowledge surrounding the contract, “''an average user cannot fully grasp what is meant by processing for service improvements and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonable expect it solely based on Whatsapp IE’s Terms of Service''” (EDPB – 111). As explained by the EDPB, the DPC has already acknowledged that Whatsapp IE infringed its transparency obligations under the GDPR (see “Issue 3” below), and this undermines the argument that the processing is lawful on the basis of contractual performance. This is because, “''one of the parties (in this case a data subject)'' [has not been] ''provided with sufficient information to know they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered… These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis''” (EDPB - 117).<br />
<br />
The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Whatsapp IE can process personal data on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]:<blockquote>“''[T]here is a risk that the Draft Decision’s failure to establish Whatsapp IE's infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], pursuant to the interpretation by the [DPC], nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject''" (EDPB - 119).<br />
<br />
“''This precedent could encourage other economic operators to use the contractual performance legal basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain, and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects''” (EDPB – 120).</blockquote>In light of all of the above, the EDPB directed the following:<blockquote>“''Processing for the purposes of service improvements and security features performed by Whatsapp IE are objectively not necessary for the performance of Whatsapp IE's alleged contract with its users and are not an essential or core element of it''" (EDPB - 132).<br />
<br />
"''Whatsapp IE has inappropriately relied on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the complainant's personal data for the purposes of service improvements and security in the context of its Terms of Service and therefore lacks a legal basis to process the data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. Whatsapp IE has consequently infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by unlawfully processing personal data''” (EDPB - 122).</blockquote>Accordingly, under instruction from the EDPB, the DPC altered “Finding 2” of its Draft Decision, finding that “''Whatsapp was not entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the Complainant’s personal data for the purpose of service improvement and security in the context of the Whatsapp Terms of Service''” (Finding 2).<br />
<br />
<br />
<u>Issue 3 – Whether Whatsapp Provided the Requisite Information on the Legal Basis for Processing on foot of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] and Whether it did so in a Transparent Manner</u><br />
<br />
On the issue of transparency, [[Article 13 GDPR#1|Article 13(1) GDPR]] outlines the information the controller must provide to a data subject at the time when personal data are obtained and [[Article 12 GDPR#1|Article 12(1) GDPR]] details the manner in which this data must be provided.<br />
<br />
Prior to issuing its decision in the case at hand, the DPC had concluded an own-volition inquiry into the extent to which Whatsapp’s Privacy Policy complied with the GDPR’s transparency framework (“the Whatsapp Decision”). That decision concluded that Whatsapp had infringed Articles 12(1) and 13(1)(c) GDPR, and exercised corrective powers against Whatsapp, including an administrative fine. Therefore, addressing this issue in this Final Decision, the DPC restated the conclusion of the Whatsapp Decision and upheld the aspect of the complaint that identified infringements of the GDPR in this context.<br />
<br />
<br />
<u>Issue 4 (Additional Issue) – Whether Whatsapp Infringed the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] Principle of Fairness</u><br />
<br />
During the course of the [[Article 60 GDPR]] consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] principle of fairness. The DPC decided not to follow the objection, as the “''principle of fairness was not examined during the course of this inquiry and, consequently, Whatsapp was not afforded the opportunity to be heard in response to a particularised allegation of wrongdoing''” (5.1). The matter was referred to the EDPB, who determined as follows:<blockquote>“''Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject''” (EDPB – 143)<br />
<br />
"''the principle of fairness has an independent meaning and… an assessment of Whatsapp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Whatsapp IE’s compliance with the principle of fairness too''" (EDPB - 147).<br />
<br />
"''the concept of fairness stems from the EU Charter…'' [it] ''underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights''” (EDPB - 148).<br />
<br />
“''Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data… Therefore, the EDPB disagrees with the'' [DPC]''’s finding that assessing Whatsapp IE’s compliance with the principle of fairness ‘would therefore… represent a significant departure from the scope of the inquiry.’ In addition, it is important to note that Whatsapp IE has been heard on the objections and therefore submitted written submissions on this matter''” (EDPB- 150).<br />
<br />
“''Whatsapp has presented its service to users in a misleading manner… The combination of factors, such as the unbalanced relationship between Whatsapp IE and its users, combined with the ‘take it or leave it’ situation that they are facing… systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights''” (EDPB – 154, 156).</blockquote>Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Whatsapp IE, and to “''adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement''” (EDPB – 157).<br />
<br />
As directed by the EDPB, the DPC found that “''Whatsapp has infringed the principle of fairness pursuant to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]''".<br />
<br />
<br />
<u>Summary of Envisaged Action</u><br />
<br />
On the transparency issue, the DPC’s draft decision proposed findings of infringement which overlapped with those already established in another DPC decision on Whatsapp (see Issue 3 above). Accordingly, the DPC did not propose the exercise of further corrective powers (7.1). However, as a consequence of the infringements of Article 6(1) and of the Article 5(1)(a) principle of fairness that were established by the EDPB, the DPC was further directed by the EDPB to address those infringements by way of the exercise of corrective powers, namely the making of an order to bring processing into compliance and the imposition of an administrative fine (7.2).<br />
<br />
Accordingly, the DPC made an order pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], requiring Whatsapp IE to bring its processing into compliance (“the Order”) within a period of six months commencing on the day following the date of service of the Decision on Whatsapp. “''More specifically, in this regard, WhatsApp is required to take the necessary action to address the EDPB’s finding that WhatsApp is not entitled to carry out the Processing on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]… Such action may include, but is not limited to, the identification of an appropriate alternative legal basis, in [[Article 6 GDPR#1|Article 6(1) GDPR]], for the Processing together with the implementation of any necessary measures, as might be required to satisfy the conditionality associated with that/those alternative legal basis/bases''” (9.105). Furthermore, “''An administrative fine is hereby imposed, pursuant to Articles 58(2)(i) and 83 GDPR, addressed to WhatsApp, in the amount of €5.5 million''” (9.106).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
This document reflects the view of the DPC. Many positions brought by noyb are reframed by the DPC.<br />
In the matter of the General Data Protection Regulation<br />
DPC Inquiry Reference: IN-18-5-6<br />
In the matter of JG, a complainant, concerning a complaint directed against WhatsApp Ireland Limited<br />
in respect of the WhatsApp Service<br />
Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act,<br />
2018 and Articles 60 and 65 of the General Data Protection Regulation<br />
Further to a complaint-based inquiry commenced pursuant to Section 110 of the Data Protection Act<br />
2018<br />
DECISION<br />
Decision-Maker for the Commission:<br />
Helen Dixon<br />
________________________________<br />
Commissioner for Data Protection<br />
Dated the 12th day of January 2023<br />
Data Protection Commission<br />
21 Fitzwilliam Square South<br />
Dublin 2, Ireland<br />
1. INTRODUCTION AND PROCEDURAL BACKGROUND<br />
PURPOSE OF THIS DOCUMENT<br />
1.1 This document is a decision (“the Decision”) of the Data Protection Commission (“the Commission”),<br />
made in accordance with Section 113 of the Data Protection Act 2018 (“the 2018 Act”), arising<br />
from an inquiry conducted by the Commission, pursuant to Section 110 of the 2018 Act (“the<br />
Inquiry”).<br />
1.2 The Inquiry, which commenced on 20 August 2018, examined whether WhatsApp Ireland Limited<br />
(“WhatsApp”) complied with its obligations under the EU General Data Protection Regulation<br />
(Regulation (EU) 2016/679 of the European Parliament and of the Council) (“the GDPR”) in respect<br />
of the subject matter of a complaint made by Mrs. (“the Complainant”). The complaint was<br />
referred to the Commission by the Hamburg Data Protection Authority: Der Hamburgische<br />
Beauftragte für Datenschutz und Informationsfreiheit (“the Hamburg DPA“) on 25 May 2018 (“the<br />
Complaint“). The Hamburg DPA subsequently passed the Complaint to the German Federal Data<br />
Protection Authority, the relevant national authority: Bundesbeauftragter für den Datenschutz<br />
und die Informationsfreiheit (“the German Federal DPA“). The Complainant is at all times<br />
represented by noyb – European center for digital rights.<br />
1.3 This Decision further reflects the binding decision that was made by the European Data Protection<br />
Board (the “EDPB” or, otherwise, the “Board”), pursuant to Article 65(2) of the GDPR 1 (the<br />
“Article 65 Decision”), which directed changes to certain of the positions reflected in the draft<br />
decision that was presented by the Commission for the purposes of Article 60 GDPR (“the Draft<br />
Decision”) as detailed further below. The Article 65 Decision will be published on the website of<br />
the EDPB, in accordance with Article 65(5) of the GDPR, and a copy of same is attached at Schedule<br />
2 to this Decision.<br />
1.4 Further details of procedural matters are set out in Schedule 1 to this Decision.<br />
2. FACTUAL BACKGROUND AND THE COMPLAINT<br />
FACTUAL BACKGROUND<br />
2.1 WhatsApp is an online instant messaging platform. In order to access the WhatsApp service, a<br />
prospective user must create a WhatsApp account. To create a WhatsApp account, a prospective<br />
user is required to accept a series of terms and conditions, referred to by WhatsApp as its Terms<br />
of Service (the “Terms of Service”). When a prospective user accepts the Terms of Service, the<br />
terms contained therein constitute a contract between the (new) user and WhatsApp. It is only<br />
on acceptance of the Terms of Service that the individual becomes a registered WhatsApp user.<br />
1 Binding Decision 5/2022 on the dispute submitted by the Irish SA on WhatsApp Ireland Limited, adopted 5<br />
December 2022<br />
2.2 In April 2018, WhatsApp updated the Terms of Service to give effect to changes it sought to implement<br />
to comply with the obligations which would arise when the GDPR became applicable from 25 May<br />
2018. Obligations introduced by the GDPR include, inter alia, a requirement that organisations<br />
processing personal data have a lawful basis for any such processing. Legal bases provided for in<br />
the GDPR include consent of the data subject, necessity based on the requirement to fulfil a<br />
contract with the data subject or processing based on the legitimate interests of the data<br />
controller. In addition, such organisations are required to provide detailed information to users<br />
at the time personal data is obtained in relation to the purposes of any data processing and the<br />
legal basis for any such processing. In essence, there must be a legal basis for each processing<br />
operation or sets of operations (of personal data) and there are transparency requirements in<br />
respect of the communication of such information to individual users.<br />
2.3 To continue to access the WhatsApp service, all users were required to accept the updated Terms of<br />
Service prior to 25 May 2018. The updated Terms of Service were brought to the attention of<br />
existing users by way of a series of information notices and options, referred to as an<br />
“engagement flow” or “user flow”. The engagement flow was designed to guide users through<br />
the process of accepting the updated Terms of Service; the option to accept the updated<br />
“terms” was presented to users at the final stage of the engagement flow. As referenced in the<br />
full text of the Terms of Service, a separate Privacy Policy provides information to users on<br />
WhatsApp’s processing of personal data in respect of the service.<br />
2.4 Existing users were not provided with an opportunity to disagree and continue to use the service, to<br />
copy their account, or to delete their account. The only available choice was to accept the Terms<br />
of Service, stop using the app or uninstall the app.2<br />
2.5 Figure 2.1 below is a screenshot of the final stage of the “engagement flow” which brought an existing<br />
user, the Complainant, through the process of accepting the updated Terms of Service. The<br />
screenshot is in German; an English translation can be found below.<br />
2 Complaint, paragraph 1.4.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Whatsapp_Ireland_Limited_-_IN-18-5-6&diff=30710
DPC (Ireland) - Whatsapp Ireland Limited - IN-18-5-6
2023-01-25T14:48:32Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Ireland<br />
|DPA-BG-Color=background-color:#013d35;<br />
|DPAlogo=LogoIE.png<br />
|DPA_Abbrevation=DPC<br />
|DPA_With_Country=DPC (Ireland)<br />
<br />
|Case_Number_Name=Whatsapp Ireland Limited - IN-18-5-6<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=noyb website<br />
|Original_Source_Link_1=https://noyb.eu/sites/default/files/2023-01/FINAL%2520%2528adoption%2520version%2529%2520Decision%2520%2528WA%2529%2520Redacted%2520%25281%2529_geschw%25C3%25A4rzt.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=25.05.2018<br />
|Date_Decided=12.01.2023<br />
|Date_Published=19.01.2023<br />
|Year=2023<br />
|Fine=5,500,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 7 GDPR<br />
|GDPR_Article_Link_4=Article 7 GDPR<br />
|GDPR_Article_5=Article 9 GDPR<br />
|GDPR_Article_Link_5=Article 9 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
|GDPR_Article_9=Article 24 GDPR<br />
|GDPR_Article_Link_9=Article 24 GDPR<br />
|GDPR_Article_10=Article 56 GDPR<br />
|GDPR_Article_Link_10=Article 56 GDPR<br />
|GDPR_Article_11=Article 58 GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR<br />
|GDPR_Article_12=Article 60 GDPR<br />
|GDPR_Article_Link_12=Article 60 GDPR<br />
|GDPR_Article_13=Article 65 GDPR<br />
|GDPR_Article_Link_13=Article 65 GDPR<br />
|GDPR_Article_14=Article 77 GDPR<br />
|GDPR_Article_Link_14=Article 77 GDPR<br />
|GDPR_Article_15=Article 79 GDPR<br />
|GDPR_Article_Link_15=Article 79 GDPR<br />
|GDPR_Article_16=Article 83 GDPR<br />
|GDPR_Article_Link_16=Article 83 GDPR<br />
|GDPR_Article_17=<br />
|GDPR_Article_Link_17=<br />
|GDPR_Article_18=<br />
|GDPR_Article_Link_18=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=German Whatsapp user (represented by noyb - European Centre for Digital Rights)<br />
|Party_Link_1=https://noyb.eu/en<br />
|Party_Name_2=Whatsapp Ireland Limited<br />
|Party_Link_2=https://www.whatsapp.com/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=LR<br />
|<br />
}}<br />
<br />
Following a complaint filed by a German Whatsapp user, the Irish DPA found Whatsapp IE’s processing of personal data for “service improvements” and “security” to be unlawful, and fined the company €5,500,000.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In order to access Whatsapp, an online instant messaging platform ultimately owned and controlled by “Meta Platforms Inc.”, a user was required to accept a series of terms and conditions (the “Terms of Service”) and a Privacy Policy. <br />
<br />
Under the GDPR, Whatsapp IE was obliged to have a lawful basis for the processing of any personal data. [[Article 6 GDPR#1|Article 6(1) GDPR]] detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Whatsapp platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Whatsapp account.<br />
<br />
A German Whatsapp user, the “data subject” and “complainant”, filed a complaint against Whatsapp IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Whatsapp IE’s data processing practices on the Whatsapp platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Hamburg DPA (HmbBfDI) and later transferred to the German Federal DPA (BfDI), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.<br />
<br />
Firstly, there existed a clear imbalance of power between controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleged that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.<br />
<br />
Secondly, the use of the Whatsapp service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. [[Article 7 GDPR#4|Article 7(4) GDPR]], which defines the conditions for consent, specifically states that “''utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract''”. As such, the “consent” upon which the data controller seeks to rely is invalid.<br />
<br />
Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.<br />
<br />
Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.<br />
<br />
The BfDI referred the case to the Irish DPA (DPC) under [[Article 56 GDPR]], and in accordance with the procedure outlined in [[Article 60 GDPR]].<br />
<br />
Responding to the Complainant’s assertions, Whatsapp IE submitted, among other points, that it does not rely on consent as the lawful basis for the relevant processing of personal data. According to the company, “''the legitimization of the processing at issue in this inquiry falls under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]'' [necessary for the performance of a contract] ''and therefore an assessment under Article 6(1)(b) only is required''” (DPC Preliminary Draft Decision, para 3.4).<br />
<br />
=== Holding ===<br />
In the Final Decision, the DPC identified four issues which had to be addressed (three issues the DPC intended to address and an additional issue on which the EDPB directed the DPC to make a finding).<br />
<br />
<u>Issue 1 – Whether Clicking on the “Accept” Button Constitutes or Must be Consent for the Purposes of the GDPR</u><br />
<br />
The DPC proposed, in its draft report, to make two separate findings on this issue: firstly, that Whatsapp IE has not sought to rely on consent in order to process personal data ''"to deliver the Terms of Service"''; and secondly, that Whatsapp IE is not legally obliged to rely on consent in order to do so (2.21).<br />
<br />
In two other similar decisions – based on complaints filed by ''noyb'' concerning forced consent on the social media platforms Facebook and Instagram – the DPC proposed similar conclusions on the issue of consent and the EDPB directed it to dismiss these findings (please see [https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Facebook)_-_IN-18-5-5 IN-18-5-5]; [https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Instagram)_-_IN-18-5-7 IN-18-5-7]). However, in the present case the EDPB decision does not contain any instruction or direction that would require the DPC to disturb proposed Finding 1 (2.22). Nevertheless, given that Finding 1 represented the dismissal/rejection of part of the complaint, a separate decision must be adopted by the supervisory authority of the complainant (HmbBfDI), in accordance with the procedure in [[Article 60 GDPR#9|Article 60(9) GDPR]]. Accordingly, the DPC removed its proposed “Finding 1” from its Final Decision (2.23).<br />
<br />
<br />
<u>Issue 2 – Reliance on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a Lawful Basis for Personal Data Processing</u><br />
<br />
The second issue concerns whether Whatsapp IE can rely on Article 6(1)(b) as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “''processing is necessary for the performance of a contract to which the data subject is a party''”. Addressing this issue, the DPC first sought to address the question of scope – identifying which processing practices they are concerned with in this context – before moving to the question of contractual necessity as a lawful basis.<br />
<br />
In terms of scope, the DPC began by stating that its analysis will be based only on the Whatsapp Terms of Service, and not the Privacy Policy. In its view, the Privacy Policy is essentially an explanatory document for the purposes of transparency, and is not incorporated within the Terms of Service (3.4 – 3.5). The DPC then takes issue with the generality, or vagueness, of the complaint, which – in its view – does not identify “''specific processing operations by reference to an identifiable body of data with any clarity of precision''” (3.6). Furthermore, the complainant was not entitled to request that the DPC “''conduct an assessment of all processing operations carried out by Whatsapp''” (3.6). After stating that “''the Complaint does, however, focus on a number of particular processing activities and has a specific focus on data processed to facilitate improvements to services and advertising''” (3.7), the DPC explains that its draft decision proposed an assessment of whether Whatsapp IE can rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for data processing for service improvements, providing metrics to third parties (such as companies within the same group of companies), and advertising. However, on the question of advertising, the DPC states that “''no evidence has been presented by the Complainant that Whatsapp processes personal data for the purpose of advertising''” (3.8), and therefore data processing for advertising is not relevant to this inquiry. With regard to “providing metrics to third parties”, the DPC states later in the decision that “''any sharing with affiliated companies formed part of the general ‘improvements’ that are carried out pursuant to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]''” (3.33). Therefore, the DPC took the view that providing metrics to third parties forms part of service improvements, as “''any clear delineation between these two forms of processing was artificial''” (3.33). 
As a result, the DPC restricted the scope of their inquiry to “regular improvements and maintaining standards of security”.<br />
<br />
Issuing its Binding Decision, the EDPB disagreed with the DPC’s assessment of scope, in particular the exclusion of data processed for advertising. The EDPB stated as follows:<blockquote>“''The inquiry underpinning this decision ought to have included an examination of ‘the legal basis for [Whatsapp’s] processing operations for the purposes of behavioural advertising, the potential processing of special categories of personal data, applicable legal basis for provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, as well as the processing of personal data for the purposes of marketing''’” (EDPB – 218).</blockquote>Accordingly, the EDPB directed the DPC to commence a new inquiry into whether Whatsapp processes data in the ways described (EDPB – 222). The DPC did not conduct this inquiry as, in its view, “''that direction cannot be addressed… in this decision''”, and proceeded with its analysis, continuing to exclude questions of data processed for advertising.<br />
<br />
Regarding the second question, whether the data processing is necessary for the purpose of a contract between Whatsapp IE and its users, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “''the ‘core’ functions of a contract must be assessed in order to determine what processing is objectively necessary in order to perform it''” (3.27). However, the DPC added that “''necessity is to be determined by reference to the particular contract''” (3.27) and “''it is not for an authority such as the'' [DPC], ''tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible''” (3.45). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “''the actual bargain which has been struck between the parties''” (3.30). The DPC stated “''it seemed to me… that Whatsapp’s model and the service being offered is explicitly one that includes improvements to an existing service, and a commitment to upholding certain standards relating to abuse, etc., that is common across all affiliated platforms''” (3.42). Accordingly, the Draft Decision “''proposed to conclude, in the Draft Decision... that WhatsApp was, in principle, entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for processing personal data''” (3.50).<br />
<br />
However, when issuing its Binding Decision, with regard to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:<blockquote>“''The EDPB agrees with the IE SA and Whatsapp IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Whatsapp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under [[Article 6 GDPR]] if it is appropriate for the processing at stake''" (EDPB - 100).<br />
<br />
"''The GDPR makes Whatsapp IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Whatsapp IE and its business model''” (EDPB - 101).<br />
<br />
"''The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR''" (EDPB - 102).<br />
<br />
“''[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance''” (EDPB – 105).<br />
<br />
"''the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR''" (EDPB - 110).</blockquote>Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for service improvements and security is not essential to the contract between Whatsapp IE and its users. The EDPB observes that Whatsapp is under a duty to consider the possibility of less intrusive ways to pursue the stated purpose, for example, “''rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose''” (EDPB - 109).<br />
<br />
Furthermore, the EDPB points to an imbalance of knowledge surrounding the contract, “''an average user cannot fully grasp what is meant by processing for service improvements and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonable expect it solely based on Whatsapp IE’s Terms of Service''” (EDPB – 111). As explained by the EDPB, the DPC has already acknowledged that Whatsapp IE infringed its transparency obligations under the GDPR (see “Issue 3” below), and this undermines the argument that the processing is lawful on the basis of contractual performance. This is because, “''one of the parties (in this case a data subject)'' [has not been] ''provided with sufficient information to know they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered… These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis''” (EDPB - 117).<br />
<br />
The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Whatsapp IE can process personal data on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]:<blockquote>“''[T]here is a risk that the Draft Decision’s failure to establish Whatsapp IE's infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], pursuant to the interpretation by the [DPC], nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject''" (EDPB - 119).<br />
<br />
“''This precedent could encourage other economic operators to use the contractual performance legal basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain, and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects''” (EDPB – 120).</blockquote>In light of all of the above, the EDPB directed the following:<blockquote>“''Processing for the purposes of service improvements and security features performed by Whatsapp IE are objectively not necessary for the performance of Whatsapp IE's alleged contract with its users and are not an essential or core element of it''" (EDPB - 132).<br />
<br />
"''Whatsapp IE has inappropriately relied on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the complainant's personal data for the purposes of service improvements and security in the context of its Terms of Service and therefore lacks a legal basis to process the data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]. Whatsapp IE has consequently infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by unlawfully processing personal data''” (EDPB - 122).</blockquote>Accordingly, under instruction from the EDPB, the DPC altered “Finding 2” of its Draft Decision, finding that “''Whatsapp was not entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the Complainant’s personal data for the purpose of service improvement and security in the context of the Whatsapp Terms of Service''” (Finding 2).<br />
<br />
<br />
<u>Issue 3 – Whether Whatsapp Provided the Requisite Information on the Legal Basis for Processing on foot of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] and Whether it did so in a Transparent Manner</u><br />
<br />
On the issue of transparency, [[Article 13 GDPR#1|Article 13(1) GDPR]] outlines the information the controller must provide to a data subject at the time when personal data are obtained and [[Article 12 GDPR#1|Article 12(1) GDPR]] details the manner in which this data must be provided.<br />
<br />
Prior to issuing its decision in the case at hand, the DPC had concluded an own-volition inquiry into the extent to which Whatsapp’s Privacy Policy achieved compliance with the GDPR’s transparency framework (“the Whatsapp Decision”). That decision concluded that Whatsapp had infringed Articles 12(1) and 13(1)(c) GDPR, and exercised corrective powers against Whatsapp, including an administrative fine. Therefore, addressing this issue in the Final Decision, the DPC restated the conclusion of the Whatsapp Decision and upheld the aspect of the complaint that identified infringements of the GDPR in this context.<br />
<br />
<br />
<u>Issue 4 (Additional Issue) – Whether Whatsapp Infringed the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] Principle of Fairness</u><br />
<br />
During the course of the [[Article 60 GDPR]] consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] principle of fairness. The DPC decided not to follow the objection, as the “''principle of fairness was not examined during the course of this inquiry and, consequently, Whatsapp was not afforded the opportunity to be heard in response to a particularised allegation of wrongdoing''” (5.1). The matter was referred to the EDPB, who determined as follows:<blockquote>“''Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject''” (EDPB – 143)<br />
<br />
"''the principle of fairness has an independent meaning and… an assessment of Whatsapp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Whatsapp IE’s compliance with the principle of fairness too''" (EDPB - 147).<br />
<br />
"''the concept of fairness stems from the EU Charter…'' [it] ''underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights''” (EDPB - 148).<br />
<br />
“''Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data… Therefore, the EDPB disagrees with the'' [DPC]''’s finding that assessing Whatsapp IE’s compliance with the principle of fairness ‘would therefore… represent a significant departure from the scope of the inquiry.’ In addition, it is important to note that Whatsapp IE has been heard on the objections and therefore submitted written submissions on this matter''” (EDPB- 150).<br />
<br />
“''Whatsapp has presented its service to users in a misleading manner… The combination of factors, such as the unbalanced relationship between Whatsapp IE and its users, combined with the ‘take it or leave it’ situation that they are facing… systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights''” (EDPB – 154, 156).</blockquote>Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Whatsapp IE, and to “''adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement''” (EDPB – 157).<br />
<br />
As directed by the EDPB, the DPC found that “''Whatsapp has infringed the principle of fairness pursuant to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]''”.<br />
<br />
<br />
<u>Summary of Envisaged Action</u><br />
<br />
On the Transparency issue, the DPC’s draft decision proposed findings of infringement which overlapped with those that were found to have already occurred in the Whatsapp Transparency Decision. Accordingly, the DPC did not propose the exercise of further corrective powers (7.1). However, as a consequence of the infringements of Article 6(1) and the Article 5(1)(a) principle of fairness that were established by the EDPB, the DPC was further directed by the EDPB to address those infringements by way of the exercise of corrective powers, namely the making of an order to bring processing into compliance and the imposition of an administrative fine (7.2).<br />
<br />
Accordingly, the DPC made an order pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], requiring Whatsapp IE to bring processing into compliance (“the Order”) within a period of six months commencing on the day following the date of service of this Decision on WhatsApp. “''More specifically, in this regard, WhatsApp is required to take the necessary action to address the EDPB’s finding that WhatsApp is not entitled to carry out the Processing on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]]… Such action may include, but is not limited to, the identification of an appropriate alternative legal basis, in [[Article 6 GDPR#1|Article 6(1) GDPR]], for the Processing together with the implementation of any necessary measures, as might be required to satisfy the conditionality associated with that/those alternative legal basis/bases''” (9.105). Furthermore, “''An administrative fine is hereby imposed, pursuant to Articles 58(2)(i) and 83 GDPR, addressed to WhatsApp, in the amount of €5.5 million''” (9.106).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
This document reflects the view of the DPC. Many positions brought by noyb are reframed by the DPC.<br />
1<br />
In the matter of the General Data Protection Regulation<br />
DPC Inquiry Reference: IN-18-5-6<br />
In the matter of JG, a complainant, concerning a complaint directed against WhatsApp Ireland Limited<br />
in respect of the WhatsApp Service<br />
Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act,<br />
2018 and Articles 60 and 65 of the General Data Protection Regulation<br />
Further to a complaint-based inquiry commenced pursuant to Section 110 of the Data Protection Act<br />
2018<br />
DECISION<br />
Decision-Maker for the Commission:<br />
Helen Dixon<br />
________________________________<br />
Commissioner for Data Protection<br />
Dated the 12th day of January 2023<br />
Data Protection Commission<br />
21 Fitzwilliam Square South<br />
Dublin 2, Ireland<br />
1. INTRODUCTION AND PROCEDURAL BACKGROUND<br />
PURPOSE OF THIS DOCUMENT<br />
1.1 This document is a decision (“the Decision”) of the Data Protection Commission (“the Commission”),<br />
made in accordance with Section 113 of the Data Protection Act 2018 (“the 2018 Act”), arising<br />
from an inquiry conducted by the Commission, pursuant to Section 110 of the 2018 Act (“the<br />
Inquiry”).<br />
1.2 The Inquiry, which commenced on 20 August 2018, examined whether WhatsApp Ireland Limited<br />
(“WhatsApp”) complied with its obligations under the EU General Data Protection Regulation<br />
(Regulation (EU) 2016/679 of the European Parliament and of the Council) (“the GDPR”) in respect<br />
of the subject matter of a complaint made by Mrs. (“the Complainant”). The complaint was<br />
referred to the Commission by the Hamburg Data Protection Authority: Der Hamburgische<br />
Beauftragte für Datenschutz und Informationsfreiheit (“the Hamburg DPA“) on 25 May 2018 (“the<br />
Complaint“). The Hamburg DPA subsequently passed the Complaint to the German Federal Data<br />
Protection Authority, the relevant national authority: Bundesbeauftragter für den Datenschutz<br />
und die Informationsfreiheit (“the German Federal DPA“). The Complainant is at all times<br />
represented by noyb – European center for digital rights.<br />
1.3 This Decision further reflects the binding decision that was made by the European Data Protection<br />
Board (the “EDPB” or, otherwise, the “Board”), pursuant to Article 65(2) of the GDPR 1 (the<br />
“Article 65 Decision”), which directed changes to certain of the positions reflected in the draft<br />
decision that was presented by the Commission for the purposes of Article 60 GDPR (“the Draft<br />
Decision”) as detailed further below. The Article 65 Decision will be published on the website of<br />
the EDPB, in accordance with Article 65(5) of the GDPR, and a copy of same is attached at Schedule<br />
2 to this Decision.<br />
1.4 Further details of procedural matters are set out in Schedule 1 to this Decision.<br />
2. FACTUAL BACKGROUND AND THE COMPLAINT<br />
FACTUAL BACKGROUND<br />
2.1 WhatsApp is an online instant messaging platform. In order to access the WhatsApp service, a<br />
prospective user must create a WhatsApp account. To create a WhatsApp account, a prospective<br />
user is required to accept a series of terms and conditions, referred to by WhatsApp as its Terms<br />
1 Binding Decision 5/2022 on the dispute submitted by the Irish SA on WhatsApp Ireland Limited, adopted 5<br />
December 2022<br />
of Service (the “Terms of Service”). When a prospective user accepts the Terms of Service, the<br />
terms contained therein constitute a contract between the (new) user and WhatsApp. It is only<br />
on acceptance of the Terms of Service that the individual becomes a registered WhatsApp user.<br />
2.2 In April 2018, WhatsApp updated the Terms of Service to give effect to changes it sought to implement<br />
to comply with the obligations which would arise when the GDPR became applicable from 25 May<br />
2018. Obligations introduced by the GDPR include, inter alia, a requirement that organisations<br />
processing personal data have a lawful basis for any such processing. Legal bases provided for in<br />
the GDPR include consent of the data subject, necessity based on the requirement to fulfil a<br />
contract with the data subject or processing based on the legitimate interests of the data<br />
controller. In addition, such organisations are required to provide detailed information to users<br />
at the time personal data is obtained in relation to the purposes of any data processing and the<br />
legal basis for any such processing. In essence, there must be a legal basis for each processing<br />
operation or sets of operations (of personal data) and there are transparency requirements in<br />
respect of the communication of such information to individual users.<br />
2.3 To continue to access the WhatsApp service, all users were required to accept the updated Terms of<br />
Service prior to 25 May 2018. The updated Terms of Service were brought to the attention of<br />
existing users by way of a series of information notices and options, referred to as an<br />
“engagement flow” or “user flow”. The engagement flow was designed to guide users through<br />
the processing of accepting the updated Terms of Service; the option to accept the updated<br />
“terms” was presented to users at the final stage of the engagement flow. As referenced in the<br />
full text of the Terms of Service, a separate Privacy Policy provides information to users on<br />
WhatsApp’s processing of personal data in respect of the service.<br />
2.4 Existing users were not provided with an opportunity to disagree and continue to use the service, to<br />
copy their account, or to delete their account. The only available choice was to accept the Terms<br />
of Service, stop using the app or uninstall the app.2<br />
2.5 Figure 2.1 below is a screenshot of the final stage of the “engagement flow” which brought an existing<br />
user, the Complainant, through the process of accepting the updated Terms of Service. The<br />
screenshot is in German; an English translation can be found below.<br />
2 Complaint, paragraph 1.4.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Instagram)_-_IN-18-5-7&diff=30707
DPC (Ireland) - Meta Platforms Ireland Limited (Instagram) - IN-18-5-7
2023-01-25T14:30:42Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Ireland<br />
|DPA-BG-Color=background-color:#013d35;<br />
|DPAlogo=LogoIE.png<br />
|DPA_Abbrevation=DPC<br />
|DPA_With_Country=DPC (Ireland)<br />
<br />
|Case_Number_Name=IN-18-5-7<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=noyb website<br />
|Original_Source_Link_1=https://noyb.eu/sites/default/files/2023-01/DPCDecision_Instagram.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=25.05.2018<br />
|Date_Decided=31.12.2022<br />
|Date_Published=11.01.2023<br />
|Year=2022<br />
|Fine=180,000,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 7 GDPR<br />
|GDPR_Article_Link_4=Article 7 GDPR<br />
|GDPR_Article_5=Article 9 GDPR<br />
|GDPR_Article_Link_5=Article 9 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
|GDPR_Article_9=Article 24 GDPR<br />
|GDPR_Article_Link_9=Article 24 GDPR<br />
|GDPR_Article_10=Article 56 GDPR<br />
|GDPR_Article_Link_10=Article 56 GDPR<br />
|GDPR_Article_11=Article 58 GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR<br />
|GDPR_Article_12=Article 60 GDPR<br />
|GDPR_Article_Link_12=Article 60 GDPR<br />
|GDPR_Article_13=Article 65 GDPR<br />
|GDPR_Article_Link_13=Article 65 GDPR<br />
|GDPR_Article_14=Article 77 GDPR<br />
|GDPR_Article_Link_14=Article 77 GDPR<br />
|GDPR_Article_15=Article 79 GDPR<br />
|GDPR_Article_Link_15=Article 79 GDPR<br />
|GDPR_Article_16=Article 83 GDPR<br />
|GDPR_Article_Link_16=Article 83 GDPR<br />
|GDPR_Article_17=<br />
|GDPR_Article_Link_17=<br />
|GDPR_Article_18=<br />
|GDPR_Article_Link_18=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Belgian Instagram user (represented by noyb - European Centre for Digital Rights)<br />
|Party_Link_1=https://noyb.eu/en<br />
|Party_Name_2=Meta Platforms Ireland Limited<br />
|Party_Link_2=https://about.meta.com/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=LR<br />
|<br />
}}<br />
<br />
Following a complaint filed by a Belgian Instagram user, the Irish DPA found Meta IE’s processing of personal data for behavioral advertising to be unlawful, and fined the company €180 million.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a user was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).<br />
<br />
Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. [[Article 6 GDPR#1|Article 6(1) GDPR]] details the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.<br />
<br />
A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (APD), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.<br />
<br />
Firstly, there existed a clear imbalance of power between controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives. <br />
<br />
Secondly, the use of the Instagram service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. [[Article 7 GDPR#4|Article 7(4) GDPR]], which defines the conditions for consent, specifically states that “''utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract''”. As such, the “consent” upon which the controller seeks to rely is invalid.<br />
<br />
Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.<br />
<br />
Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.<br />
<br />
The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under [[Article 56 GDPR]], and in accordance with the procedure outlined in [[Article 60 GDPR]].<br />
<br />
In response to the complaint Meta IE submitted, among other points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. The company stated that it “''does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use''” (Para 41).<br />
<br />
On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with [[Article 60 GDPR#3|Article 60(3) GDPR]]. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with [[Article 60 GDPR#4|Article 60(4) GDPR]], to the Draft Decision. On 11 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.<br />
<br />
=== Holding ===<br />
In the Final Decision, the DPC identified four issues which had to be addressed (three issues the DPC intended to address and an additional issue on which the EDPB directed the DPC to make a finding).<br />
<br />
<br />
<u>Issue 1 – Whether clicking on the “Agree to Terms” button constitutes or must be considered consent for the purposes of the GDPR and, if so, whether it is valid consent for the purposes of the GDPR</u><br />
<br />
The DPC identified the first issue as consisting of two parts: “''first, whether clicking the ‘Agree to Terms’ button actually constitutes consent for the purposes of the GDPR and, second, whether the act of clicking ‘Agree to Terms’ necessarily must be considered consent for such purposes''” (34).<br />
<br />
On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “''as a matter of fact, Meta Ireland did not – and did not seek – to rely on consent as the legal basis for all processing''” (46).<br />
<br />
Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasized that there is no hierarchy of legal bases for the processing of personal data under the GDPR, that any implication otherwise would be “''inherently problematic''”, and that “[no] ''one ground has normative priority over the others''” (51). <br />
<br />
However, in its binding decision the EDPB instructed the DPC to remove its conclusion on finding 1 (EDPB - 203), stating as follows:<blockquote>“''The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under [[Article 6 GDPR]] if it is appropriate for the processing at stake''" (EDPB - 107).<br />
<br />
“[The DPC] ''cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve''” (EDPB - 202).</blockquote>Accordingly, the DPC made no finding on the matters encompassed by their assessment of issue 1.<br />
<br />
<br />
<u>Issue 2 – Whether Meta Ireland could rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for processing of personal data in the context of the Terms of Use and/or Data Policy</u><br />
<br />
The second issue concerned whether Meta IE could rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller had to demonstrate that such “''processing is necessary for the performance of a contract to which the data subject is a party''”.<br />
<br />
Taking into account the complainant’s submissions, the EDPB guidelines and the framing of Article 6(1)(b), the DPC acknowledged that “''consideration of the meaning of the term ‘contract’ within a data protection context is required''”. However, the DPC also asserted that an assessment of the terms “''necessary''” and “''performance''” is also required, and they ''“do not have competence to consider substantive issues of contract law, and, accordingly'' [their] ''analysis is limited to the specific contract entered into by the named data subject and Meta Ireland in respect of the Instagram service''” (87). The DPC took a broad approach in determining what is necessary for the performance of a contract based on what is “''reflected in the terms of the precise contract between those parties''” (95). The DPC explained that, in their view, “''the core of the service offered is premised on the delivery of personalised advertising''” (106) and proposed to conclude that “''Meta Ireland may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising''” (116).<br />
<br />
When issuing its Binding Decision, the EDPB emphasised "''the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Instagram service''" (EDPB - 99). With regard to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:<blockquote>"''The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model''” (EDPB - 108).<br />
<br />
"''The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR… the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not''" (EDPB - 112).<br />
<br />
"''...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR''" (EDPB - 119).</blockquote>Turning to the facts of the case, the EDPB outlined a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Instagram. Firstly, "''Meta IE promotes... the perception that the main purpose of the Instagram service serves and for which it processes its users' data is to enable them to share content and communicate with others''" (EDPB - 120). The EDPB also takes into account Article 21(2) and (3) GDPR, "''the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes''". Because this right exists, "''the processing cannot be necessary to perform a contract'' [as the] ''subject has the possibility to opt out from it at any time, and without providing any reason''" (EDPB - 125).<br />
<br />
The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Meta IE can process personal data on the basis of Article 6(1)(b):<blockquote>“''...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject''" (EDPB - 134).<br />
<br />
"''As a result, owing to the number of users of the Instagram service, the market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the Complainant and the millions of users of Instagram service in the EEA and affect the protection of the hundreds of millions of people covered by the GDPR''" (EDPB - 135).</blockquote>In light of all of the above, the EDPB directed the following:<blockquote>“''...behavioural advertising performed by Meta in the context of the Instagram service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Instagram service and is not an essential or core element of it''” (EDPB - 136).<br />
<br />
"''Meta has inappropriately relied on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the complainant's personal data in the context of the Instagram Terms of Use and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Use for the purpose of behavioural advertising. Meta IE has consequently infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by unlawfully processing personal data''” (EDPB - 137).</blockquote>Accordingly, under instruction from the EDPB, the DPC altered “''Finding 2''” of its Draft Decision, finding that “''Meta Ireland was not entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the Complainant’s personal data for the purpose of behavioural advertising in the context of the Instagram Terms of Use''”.<br />
<br />
<br />
<u>Issue 3 – Whether Meta Ireland provided the requisite information on the legal basis for processing on foot of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] and whether it did so in a transparent manner</u><br />
<br />
On the issue of transparency, [[Article 13 GDPR#1|Article 13(1) GDPR]] outlines the information the controller must provide to a data subject at the time when personal data are obtained and [[Article 12 GDPR#1|Article 12(1) GDPR]] details the manner in which this data must be provided.<br />
<br />
Describing the information provided by Meta IE to Instagram users, the DPC stated:<blockquote>“''Meta Ireland has not provided meaningful information as to the processing operation(s) and/or set(s) of operations that occur in the context of the Instagram service, either on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] or any other legal basis. Indeed, I would go so far as to say that it is impossible for the user to identify with any degree of specificity what processing is carried out on what data, on foot of the specified lawful bases, in order to fulfil these objectives… Indeed, it could be said that there is a significant deficit of information made available to data subjects''” (188).<br />
<br />
“''Taking into account the circular, disjointed nature of the information provided by Meta Ireland and the generalised, high-level overview it provided, I am not satisfied that the information was clear and concise''” (190).</blockquote>The DPC also describes the “''significant link''” (194) between the principle of transparency and the principle of fairness in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], and finds that, with regard to the issue of transparency, it is appropriate to make a finding of an infringement of the principle in Article 5(1)(a) (197).<br />
<br />
In light of the above, the DPC found that “''In relation to processing for which Meta Ireland indicated reliance upon [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], Articles 5(1)(a), 12(1) and 13(1)(c) have been infringed''”.<br />
<br />
<br />
<u>Issue 4 (Additional Issue) – Whether Meta Ireland Infringed the Article 5(1)(a) Principle of Fairness</u><br />
<br />
During the course of the [[Article 60 GDPR]] consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] principle of fairness. The DPC decided not to follow the objection, as the “''principle of fairness was not examined during the course of this inquiry and, consequently, Meta Ireland was not afforded the opportunity to be heard in response to a particularised area of wrongdoing''” (200). The matter was referred to the EDPB, who determined as follows:<blockquote>"''the principle of fairness has an independent meaning and… an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too''" (EDPB - 224).<br />
<br />
"''the concept of fairness stems from the EU Charter of Fundamental Rights''" (EDPB - 225).<br />
<br />
“''Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject…'' [it] ''underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights''” (EDPB - 225, 226).<br />
<br />
"''The combination of factors, such as the asymmetry of the information created by Meta IE with regard to the Instagram service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages the Instagram service users, limits their control over the processing of their personal data and undermines the exercise of their rights''” (EDPB - 234).</blockquote>Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to adopt the "''appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement''” (EDPB - 235).<br />
<br />
As directed by the EDPB, the DPC found that “''Meta Ireland has infringed the principle of fairness pursuant to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]''”.<br />
<br />
<br />
<u>Summary of Envisaged Action</u><br />
<br />
The DPC made an order pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], requiring Meta IE to bring processing into compliance in accordance with its transparency obligations under Articles 5(1)(a), 12(1) and 12(1)(c) GDPR, within 3 months of the date of notification of any final decision. The order also requires Meta IE to address the EDPB’s finding that it is not entitled to carry out data processing on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], and to bring its processing into compliance with [[Article 6 GDPR#1|Article 6(1) GDPR]].<br />
<br />
Furthermore, pursuant to Articles 58(2)(i) and 83 GDPR, and under the direction of the EDPB, the DPC imposed an administrative fine in the amount of €180 million. This fine is made up of a €70 million fine for failing to provide sufficient information on processing operations (Articles 5(1)(a) and 13(1)(c) GDPR); a €60 million fine for failing to provide this information in a concise, transparent, intelligible, and easily accessible form, using clear and plain language (Articles 5(1)(a) and 12(1) GDPR); and a €50 million fine for the unlawful processing of personal data (Article 6(1) GDPR).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=EDPB_-_Binding_Decision_4/2022_-_%27Meta_(Instagram)%27&diff=30701
EDPB - Binding Decision 4/2022 - 'Meta (Instagram)'
2023-01-25T13:48:02Z
<p>AK: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=European Union<br />
|DPA-BG-Color=<br />
|DPAlogo=logoEDPB.png<br />
|DPA_Abbrevation=EDPB<br />
|DPA_With_Country=EDPB<br />
<br />
|Case_Number_Name=Binding Decision 4/2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=EDPB<br />
|Original_Source_Link_1=https://edpb.europa.eu/system/files/2023-01/edpb_binding_decision_202204_ie_sa_meta_instagramservice_redacted_en.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Started=25.07.2022<br />
|Date_Decided=05.12.2022<br />
|Date_Published=11.01.2023<br />
|Year=2022<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 7 GDPR<br />
|GDPR_Article_Link_4=Article 7 GDPR<br />
|GDPR_Article_5=Article 9 GDPR<br />
|GDPR_Article_Link_5=Article 9 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
|GDPR_Article_9=Article 24 GDPR<br />
|GDPR_Article_Link_9=Article 24 GDPR<br />
|GDPR_Article_10=Article 56 GDPR<br />
|GDPR_Article_Link_10=Article 56 GDPR<br />
|GDPR_Article_11=Article 58 GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR<br />
|GDPR_Article_12=Article 60 GDPR<br />
|GDPR_Article_Link_12=Article 60 GDPR<br />
|GDPR_Article_13=Article 65 GDPR<br />
|GDPR_Article_Link_13=Article 65 GDPR<br />
|GDPR_Article_14=Article 77 GDPR<br />
|GDPR_Article_Link_14=Article 77 GDPR<br />
|GDPR_Article_15=Article 79 GDPR<br />
|GDPR_Article_Link_15=Article 79 GDPR<br />
|GDPR_Article_16=Article 83 GDPR<br />
|GDPR_Article_Link_16=Article 83 GDPR<br />
|GDPR_Article_17=<br />
|GDPR_Article_Link_17=<br />
|GDPR_Article_18=<br />
|GDPR_Article_Link_18=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Belgian Instagram user (represented by noyb - European Centre for Digital Rights)<br />
|Party_Link_1=https://noyb.eu/en<br />
|Party_Name_2=Meta Platforms Ireland Limited<br />
|Party_Link_2=https://about.meta.com/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=LR<br />
|<br />
}}<br />
<br />
Following a referral under the [[Article 60 GDPR|Article 60 GDPR]] procedure, the EDPB issued a binding decision finding Meta IE’s processing of personal data for behavioural advertising to be unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a user was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).<br />
<br />
Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. [[Article 6 GDPR#1|Article 6(1) GDPR]] detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.<br />
<br />
A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (APD), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.<br />
<br />
Firstly, there existed a clear imbalance of power between data controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives. <br />
<br />
Secondly, the use of the Instagram service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. [[Article 7 GDPR#4|Article 7(4) GDPR]], which defines the conditions for consent, specifically states that “''utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract''”. As such, the “consent” upon which the data controller seeks to rely is invalid.<br />
<br />
Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.<br />
<br />
Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.<br />
<br />
The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under Article 56 GDPR, and in accordance with the procedure outlined in [[Article 60 GDPR]].<br />
<br />
In response to the complaint, Meta IE submitted, among other points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. The company stated that it “''does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use''” (Para 41).<br />
<br />
On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with [[Article 60 GDPR#3|Article 60(3) GDPR]]. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with [[Article 60 GDPR#4|Article 60(4) GDPR]], to the Draft Decision. On 11 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.<br />
<br />
=== Holding ===<br />
Issuing its Binding Decision, the EDPB decided on the admissibility of the objections raised by the DPAs. For each issue, the EDPB determined whether the objection can be considered a “''relevant and reasoned objection''” within the meaning of [[Article 4 GDPR#24|Article 4(24) GDPR]]. The EDPB identified five issues in the case at hand, addressing each one in turn before issuing the Binding Decision.<br />
<br />
''Please note: When describing Issues 1-3, it is necessary to explain the proposals in the Irish DPA’s Draft Decision, in order to provide the context for the EDPB decision.''<br />
<br />
<br />
<u>Issue 1 – On Whether the LSA (DPC) Should Have Found an Infringement for Lack of Appropriate Legal Basis/Unlawful Data Processing</u><br />
<br />
This issue concerns whether Meta IE can rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “''processing is necessary for the performance of a contract to which the data subject is a party''”.<br />
<br />
In its Draft Decision, the DPC – taking into account the complainant’s submissions, the EDPB guidelines and the framing of Article 6(1)(b) – acknowledged that “''consideration of the meaning of the term ‘contract’ within a data protection context is required''”. However, the DPC asserted that an assessment of the terms “''necessary''” and “''performance''” is also required, and that they “''do not have competence to consider substantive issues of contract law, and, accordingly'' [their] ''analysis is limited to the specific contract entered into by the named data subject and Meta Ireland in respect of the Instagram service''” (DPC - 87). The DPC took a broad approach in determining what is necessary for the performance of a contract based on what is “''reflected in the terms of the precise contract between those parties''” (DPC - 95). The DPC explained that, in their view, “''the core of the service offered is premised on the delivery of personalised advertising''” (DPC - 106) and proposed to conclude that “''Meta Ireland may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising''” (DPC - 116).<br />
<br />
Nine DPAs objected to this proposed conclusion from the DPC, and the matter was referred to the EDPB.<br />
<br />
In its binding decision, the EDPB sought to emphasise "''the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Instagram service''" (99). With regard to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:<blockquote>"''The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model''” (108).<br />
<br />
"''The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR... Otherwise, the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not''" (112).<br />
<br />
"''...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR''" (119).</blockquote>Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Instagram. Firstly, "''Meta IE promotes... the perception that the main purpose of the Instagram service serves and for which it processes its users' data is to enable them to communicate with others''" (120). The EDPB also takes into account Article 21(2) and (3) GDPR, "''the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes.''" Because this right exists, "''the processing cannot be necessary to perform a contract'' [as the] ''subject has the possibility to opt out from it at any time, and without providing any reason''" (125).<br />
<br />
The EDPB continues, outlining the inherent risk of a finding in the DPC Decision that Meta IE can process personal data on the basis of Article 6(1)(b):<blockquote>“''...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject''" (134).<br />
<br />
"''As a result, owing to the number of users, market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the complainant and the millions of users of Instagram service in the EEA and affect the protection of hundreds of millions of people covered the GDPR''" (135).</blockquote>In light of all of the above, the EDPB directed the following:<blockquote>“''...behavioural advertising performed by Meta in the context of the Instagram service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Instagram service and is not an essential or core element of it''" (136).<br />
<br />
"''Meta has inappropriately relied on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the complainant's personal data in the context of the Instagram terms of service and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Service for the purpose of behavioural advertising. Meta IE has consequently infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by unlawfully processing personal data''” (137).</blockquote>Accordingly, the EDPB instructed the DPC to “''alter Finding 2 of its Draft Decision, which concludes that Meta IE may rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] in the context of its offering of the Instagram Terms of Use, and to include an infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]]''” (Para 137).<br />
<br />
<br />
<u>Issue 2 – On whether the LSA’s Draft Decision includes sufficient analysis and evidence to conclude that Meta IE is not obliged to rely on consent to process the Complainant’s personal data</u><br />
<br />
In its Draft Decision, the DPC sought to consider whether clicking the “Agree to Terms” button constitutes or should be considered consent for the purposes of the GDPR. According to the DPC, this question consists of two parts, “''first, whether clicking the ‘Agree to Terms’ button actually constitutes consent for the purposes of the GDPR and, second, whether the act of clicking ‘Agree to Terms’ necessarily must be considered consent for such purposes''” (DPC - 34).<br />
<br />
On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “''as a matter of fact, Meta Ireland did not – and did not seek – to rely on consent as the legal basis for all processing''” (DPC - 46).<br />
<br />
Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasized that there is no hierarchy of legal bases for the processing of personal data under the GDPR, that any implication otherwise would be “''inherently problematic''”, and that “[no] ''one ground has normative priority over the others''” (DPC - 51).<br />
<br />
However, six DPAs raised objections to this proposed finding by the DPC. In its binding decision, the EDPB stated:<blockquote>“''The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under [[Article 6 GDPR]] if it is appropriate for the processing at stake''" (107).<br />
<br />
“[The DPC] ''cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve''” (202).</blockquote>As a result, the EDPB instructed the DPC to remove its proposed finding regarding consent as a basis for lawful processing. The EDPB also decided that the DPC shall carry out a new investigation into Meta IE’s processing operations in its Instagram service to determine if it processes special categories of personal data (Article 9 GDPR), and complies with the relevant obligations under the GDPR (Para 203).<br />
<br />
<br />
<u>Issue 3 – On the Potential Additional Infringement of the Principle of Fairness</u><br />
<br />
During the course of the [[Article 60 GDPR]] consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] principle of fairness. The DPC decided not to follow the objection, as the “''principle of fairness was not examined during the course of this inquiry and, consequently, Meta IE was not afforded the opportunity to be heard in response to a particularised area of wrongdoing''” (DPC - 200). The matter was referred to the EDPB, who determined as follows:<blockquote>"''the principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too''" (224).<br />
<br />
"''the concept of fairness stems from the EU Charter of Fundamental Rights''" (225).<br />
<br />
“''Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject…'' [it] ''underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights''” (225, 226).<br />
<br />
"''The combination of factors, such as the asymmetry of the information created by Meta IE with regard to the Instagram service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages the Instagram service users, limits their control over the processing of their personal data and undermines the exercise of their rights''” (234).</blockquote>Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to “''adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement''” (235).<br />
<br />
<br />
<u>Issue 4 – On the potential additional infringement of the principles of purpose limitation and data minimisation</u> <br />
<br />
During the course of the [[Article 60 GDPR]] consultation period, the Italian DPA raised an objection to the DPC’s draft decision, on account of Meta IE’s failure to comply with the purpose limitation and data minimisation principles (239). <br />
<br />
The Italian DPA argued that the DPC should not have confined its assessment to only the purpose of personalised advertising (while the Instagram service would actually be composed of several processing activities pursuing several purposes). Accordingly, the fact that Meta IE inappropriately based its multifarious processing activities only on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] entails an infringement of the purpose limitation and data minimisation principles (240). Furthermore, “''the failure to specify and communicate the purposes of the processing to the data subject creates a risk of artificially expanding the types of processing or the categories or personal data considered necessary for the performance of a contract under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], which would nullify the safeguards afforded to data subjects under data protection law''” (241). In response, the DPC stated that it did not consider the Italian DPA’s objection to be relevant or reasoned.<br />
<br />
In contrast, the EDPB stated that it did consider the Italian DPA’s objection to be “''relevant''” as it related to specific parts of the DPC’s Draft Decision and the DPC could have made a finding of an infringement of the principles of purpose limitation and data minimisation. However, the EDPB found that the objection did not sufficiently demonstrate that there is a “''substantial and plausible''” risk to the fundamental rights and freedoms of data subjects. Therefore, while the objection is relevant, it is “not reasoned” so as to satisfy [[Article 4 GDPR#24|Article 4(24) GDPR]] (Para 252). <br />
<br />
<br />
<u>Issue 5 – On Corrective Measures Other than Administrative Fines</u><br />
<br />
In its Draft Decision, the DPC proposed the imposition of an order to bring processing into compliance with Articles 5(1)(a), 12(1) and 13(1) GDPR within three months of the date of notification of any final decision. This concerned the DPC’s finding that Meta had breached its transparency obligations under the GDPR, a conclusion which was not objected to by any DPAs and thus was not referred to the EDPB.<br />
<br />
However, under the [[Article 60 GDPR]] process, a range of objections were made to the proposed order to bring Meta’s processing activities into compliance. These objections proposed: the imposition of corrective measures other than administrative fines (see “Issue 6” below and EDPB decision paras 255, 256); a temporary ban on processing (255); measures to remedy the infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] (Para 257); and to delete any unlawfully processed data (259).<br />
<br />
The EDPB considered the objections raised in accordance with [[Article 4 GDPR#24|Article 4(24) GDPR]], assessing whether they are “relevant” and “reasoned”. The EDPB also considered the need for any corrective measures applied by a supervisory authority to be “''appropriate, necessary and proportionate in view of ensuring compliance with the regulation''” (Article 58(2) GDPR) (Para 280). <br />
<br />
Having considered the objections, the EDPB instructed the DPC to include in its final decision an order for Meta IE to bring its data processing for behavioural advertising into compliance with [[Article 6 GDPR#1|Article 6(1) GDPR]] within 3 months (290). In addition, the EDPB notes that the order should be modified to reflect the EDPB’s finding that Meta IE is not entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for this data processing (291). Furthermore, the EDPB instructed the DPC to amend its order regarding transparency obligations to include data processed for the purpose of behavioural advertising, and not just data processed pursuant to Article 6(1)(b) (Para 291).<br />
<br />
<br />
<u>Issue 6 – On the determination of the administrative fine</u><br />
<br />
The EDPB considered the DPC’s assessment of the criteria in [[Article 83 GDPR#2|Article 83(2) GDPR]] in deciding whether to impose an administrative fine for the infringement of its transparency obligations under the GDPR (Paras 293 – 312). The EDPB also noted the objections raised by five DPAs, requesting a “''significantly higher administrative fine with reference to the established infringements''” (313). The EDPB found these objections to be relevant and reasoned in accordance with [[Article 4 GDPR#24|Article 4(24) GDPR]] and, after conducting its own assessment of the factors under [[Article 83 GDPR#2|Article 83(2) GDPR]], found that the proposed fine “''is not effective, proportionate and dissuasive, in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of doing business''” (Para 364).<br />
<br />
Therefore, the EDPB instructed the DPC to “''set out a significantly higher fine amount for the transparency infringements identified, in comparison with the upper limit for the administrative fine envisaged in the Draft Decision''” (366).<br />
<br />
Furthermore, following a range of further objections by DPAs to the administrative fine proposed by the DPC, the EDPB instructed the DPC to impose an administrative fine for the additional infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]] (440), and to take into account the additional infringement of the principle of fairness in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] in its adoption of corrective measures (446).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
BindingDecision4/2022onthedisputesubmittedby the<br />
<br />
Irish SAon MetaPlatformsIrelandLimitedand itsInstagram<br />
service(Art.65GDPR)<br />
<br />
<br />
<br />
<br />
<br />
Adopted on 5December 2022<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
AdoptedTableof contents<br />
<br />
<br />
1 Summaryofthe dispute.................................................................................................. 5<br />
<br />
2 The right togoodadministration...................................................................................... 9<br />
<br />
3 Conditionsfor adopting a binding decision........................................................................ 9<br />
<br />
3.1 Objection(s)expressedby severalCSA(s)inrelationtoa Draft Decision.......................... 9<br />
3.2 The IESA finds the objections totheDraftDecision not relevantor reasoned anddoes not<br />
<br />
follow them.....................................................................................................................10<br />
3.3 Admissibilityofthe case..........................................................................................10<br />
<br />
3.4 Structure ofthe Binding Decision.............................................................................11<br />
<br />
4 Onwhether the LSA should have foundaninfringement for lackofappropriate legalbasis.....11<br />
<br />
4.1 Analysisbythe LSA inthe Draft Decision...................................................................11<br />
4.2 Summaryofthe objectionsraisedbythe CSAs ...........................................................14<br />
<br />
4.3 Positionofthe LSA onthe objections........................................................................19<br />
<br />
4.4 Assessment ofthe EDPB..........................................................................................20<br />
4.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................20<br />
<br />
4.4.2 Assessment onthe merits................................................................................24<br />
<br />
5 Onwhether the LSA’sDraftDecisionincludes enoughanalysis andevidence toconclude that<br />
MetaIE isnot obligedtorelyonconsent toprocessthe complainant’spersonaldata....................39<br />
<br />
5.1 Analysisbythe LSA inthe Draft Decision...................................................................39<br />
<br />
5.2 Summaryofthe objectionsraisedbythe CSAs ...........................................................40<br />
5.3 Positionofthe LSA onthe objections........................................................................44<br />
<br />
5.4 Assessment ofthe EDPB..........................................................................................45<br />
<br />
5.4.1 Assessment ofwhether the objectionswere relevant andreasoned.......................45<br />
<br />
5.4.2 Assessment onthe merits................................................................................48<br />
6 Onthe potentialadditionalinfringement ofthe principle offairness....................................54<br />
<br />
6.1 Analysisbythe LSA inthe Draft Decision...................................................................54<br />
<br />
6.2 Summaryofthe objectionraised bythe CSA ..............................................................55<br />
6.3 Positionofthe LSA onthe objection .........................................................................56<br />
<br />
6.4 Analysisofthe EDPB...............................................................................................56<br />
<br />
6.4.1 Assessment ofwhether the objectionwasrelevant andreasoned..........................56<br />
<br />
6.4.2 Assessment onthe merits................................................................................58<br />
7 On the potential additional infringement of the principles of purpose limitation and data minimisation ... 63<br />
7.1 Analysis by the LSA in the Draft Decision ... 63<br />
2<br />
Adopted<br />
7.2 Summary of the objection raised by the CSAs ... 63<br />
7.3 Position of the LSA on the objection ... 64<br />
7.4 Analysis of the EDPB ... 64<br />
7.4.1 Assessment of whether the objection was relevant and reasoned ... 64<br />
8 On corrective measures other than administrative fines ... 66<br />
8.1 Analysis by the LSA in the Draft Decision ... 66<br />
8.2 Summary of the objections raised by the CSAs ... 67<br />
8.3 Position of the LSA on the objections ... 69<br />
8.4 Assessment of the EDPB ... 69<br />
8.4.1 Assessment of whether the objections were relevant and reasoned ... 69<br />
8.4.2 Assessment on the merits ... 71<br />
9 On the determination of the administrative fine ... 77<br />
9.1 On the determination of the administrative fine for the transparency infringements ... 77<br />
9.1.1 Analysis by the LSA in the Draft Decision ... 77<br />
9.1.2 Summary of the objections raised by the CSAs ... 82<br />
9.1.3 Position of the LSA on the objections ... 85<br />
9.1.4 Assessment of the EDPB ... 86<br />
9.2 On the determination of an administrative fine for further infringements ... 95<br />
9.2.1 Analysis by the LSA in the Draft Decision ... 95<br />
9.2.2 Summary of the objections raised by the CSAs ... 96<br />
9.2.3 Position of the LSA on the objections ... 101<br />
9.2.4 Analysis of the EDPB ... 101<br />
10 Binding Decision ... 113<br />
11 Final remarks ... 116<br />
<br />
The European Data Protection Board<br />
<br />
Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”)<sup>1</sup>,<br />
<br />
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018<sup>2</sup>,<br />
<br />
Having regard to Article 11 and Article 22 of its Rules of Procedure (hereinafter “EDPB RoP”)<sup>3</sup>,<br />
<br />
Whereas:<br />
<br />
(1) The main role of the European Data Protection Board (hereinafter the “EDPB”) is to ensure the consistent application of the GDPR throughout the EEA. To this effect, it follows from Article 60 GDPR that the lead supervisory authority (hereinafter “LSA”) shall cooperate with the other supervisory authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.<br />
<br />
(2) Where any of the CSAs expressed a reasoned and relevant objection on the draft decision in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the relevant and reasoned objection or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR.<br />
<br />
(3) Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.<br />
<br />
(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) EDPB RoP, within one month after the Chair of the EDPB and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject-matter upon decision of the Chair of the EDPB on own initiative or at the request of at least one third of the members of the EDPB.<br />
<br />
(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members.<br />
<br />
(6) In accordance with Article 11(6) EDPB RoP, only the English text of the decision is authentic as it is the language of the EDPB adoption procedure.<br />
<br />
<sup>1</sup> OJ L 119, 4.5.2016, p. 1.<br />
<sup>2</sup> References to “Member States” made throughout this decision should be understood as references to “EEA Member States”.<br />
<sup>3</sup> EDPB Rules of Procedure, adopted on 25 May 2018.<br />
<br />
HAS ADOPTED THE FOLLOWING BINDING DECISION<br />
<br />
1 SUMMARY OF THE DISPUTE<br />
<br />
1. This document contains a Binding Decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. The decision concerns the dispute arisen following a draft decision (hereinafter “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”, also referred to in this context as the “LSA”) and the subsequent objections expressed by a number of CSAs (“Österreichische Datenschutzbehörde”, hereinafter the “AT SA”; “Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit”, also on behalf of other German SAs<sup>4</sup>, hereinafter the “DE SAs”; “Agencia Española de Protección de Datos”, hereinafter the “ES SA”; “Office of the Data Protection Ombudsman”, hereinafter the “FI SA”; “Commission Nationale de l'Informatique et des Libertés”, hereinafter the “FR SA”; “Hungarian National Authority for Data Protection and Freedom of Information”, hereinafter the “HU SA”; “Garante per la protezione dei dati personali”, hereinafter the “IT SA”; “Autoriteit Persoonsgegevens”, hereinafter the “NL SA”; “Datatilsynet”, hereinafter the “NO SA”; and “Integritetsskyddsmyndigheten”, hereinafter the “SE SA”).<br />
<br />
2. The Draft Decision at issue relates to a “complaint-based inquiry” which was commenced by the IE SA on 20 August 2018 into the Instagram social media processing activities (hereinafter “Instagram service”) of Facebook Ireland Limited, a company established in Dublin, Ireland. The company has subsequently changed its name to “Meta Platforms Ireland Limited” and hereinafter it is referred to as “Meta IE”. Any reference to Meta IE in this Binding Decision means a reference to either Facebook Ireland Limited or Meta Platforms Ireland Limited, as appropriate.<br />
<br />
3. The complaint was lodged on 25 May 2018 with the Belgian supervisory authority (“Autorité de protection des données”), hereinafter the “BE SA”, by a data subject who requested the non-profit NOYB - European Center for Digital Rights (hereinafter, “NOYB”) to represent them under Article 80(1) GDPR (both hereinafter referred to as the “Complainant”). The Complainant alleged a violation of the right to data protection and especially infringements of “all the particular requirements set out in Article 4(11), Article 6(1)(a), Article 7 and/or Article 9(2)(a) of the GDPR”, by arguing that the controller relied on a “forced consent”, as well as alleging misrepresentations of the controller with regard to consent and the legal basis for the processing, and consequently, an infringement of Article 5(1)(a) GDPR<sup>5</sup>. The complaint articulated its requests into a request to investigate, and a request to impose corrective measures<sup>6</sup>.<br />
<br />
<sup>4</sup> Objections raised on behalf of the Hamburg Commissioner for Data Protection and Freedom of Information, the Bavarian State Office for Data Protection Supervision, the Berlin Commissioner for Data Protection and Freedom of Information, the Brandenburg Commissioner for Data Protection and Freedom of Information, the Federal Commissioner for Data Protection and Freedom of Information, the State Commissioner for Data Protection in Lower Saxony and the State Commissioner for Data Protection North Rhine-Westphalia.<br />
<sup>5</sup> Complaint, paragraphs 2.2.5. and 2.3.2.<br />
<sup>6</sup> Within its request to investigate in paragraph 3.1 of the Complaint, the Complainant requested that a full investigation be made to determine “which processing operations the controller engages in, in relation to the data subject”, “for which purpose they are performed”, “on which legal basis for each specific processing operation the controller relies on”, and to acquire “a copy of any records of processing activities”. The complaint also requested “that the results of this investigation [be] made available to [them]”. As regards the request to<br />
4. On 31 May 2018, the BE SA transferred the complaint to the IE SA. The IE SA stated in its “Schedule to the Draft Decision”<sup>7</sup> that it was satisfied that the IE SA is the LSA, within the meaning of the GDPR, for Meta IE, as controller, for the purpose of the cross-border processing of personal data in the context of the Instagram service.<br />
<br />
5. The following table presents a summary timeline of the events part of the procedure leading to the submission of the matter to the consistency mechanism:<br />
<br />
20.08.2018: The scope and legal basis of the inquiry were set out in the notice of commencement of inquiry that the IE SA sent to the parties on 20 August 2018. The IE SA commenced the inquiry and requested information from this date.<br />
<br />
20.08.2018 - 07.04.2021: Inquiry Report stage:<br />
• the IE SA commenced work on the draft inquiry report;<br />
• the IE SA prepared a draft inquiry report and issued it to Meta IE and to the Complainant to allow them to make submissions in relation to the draft inquiry report;<br />
• Meta IE provided its submissions in relation to the draft inquiry report;<br />
• the Complainant provided its submissions in relation to the draft inquiry report;<br />
• Meta IE and the Complainant were furnished with each other’s submissions and the final report was provided to the decision-maker;<br />
• the IE SA issued a copy of its final inquiry report to Meta IE and the Complainant;<br />
• the IE SA issued a letter to Meta IE and to the Complainant to confirm the commencement of the decision-making stage.<br />
<br />
23.12.2021: The IE SA issued a Preliminary Draft Decision (hereinafter “the Preliminary Draft Decision”) (including a Schedule) to Meta IE and to the Complainant.<br />
<br />
04.02.2022: The Complainant provided submissions on the Preliminary Draft Decision to the IE SA (“Complainant’s Preliminary Draft Submissions dated 4 February 2022”<sup>8</sup>).<br />
<br />
Meta IE made submissions on the Preliminary Draft Decision to the IE SA (“Meta IE’s Preliminary Draft Submissions”).<br />
<br />
01.04.2022: The IE SA shared its Draft Decision with the CSAs in accordance with Article 60(3) GDPR.<br />
<br />
impose corrective measures, more specifically, the complaint requested in paragraph 3.2 that the SA “stop any processing operations that are based on invalid consent by the data subject”, and in paragraph 3.3 that an “effective, proportionate and dissuasive fine” be imposed.<br />
<sup>7</sup> IE SA Schedule to the Draft Decision of 1 April 2022 in the matter of TSA (through NOYB) v Meta Platforms Ltd (formerly Facebook Ireland Limited) in respect of the Instagram Service, paragraphs 58-72.<br />
<sup>8</sup> This document is mistakenly dated “11.06.2020”.<br />
<br />
Between 28 and 29.04.2022: Several CSAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, and SE SAs) raised objections in accordance with Article 60(4) GDPR.<br />
<br />
01.07.2022: The IE SA issued a Composite Response setting out its replies to such objections and shared it with the CSAs (hereinafter, “Composite Response”). The IE SA requested the relevant CSAs to confirm whether, having considered the IE SA’s position in relation to the objections as set out in the Composite Memorandum, the CSAs intended to maintain their objections.<br />
<br />
In light of the arguments put forward by the IE SA in the Composite Response, the DE, ES, FI, HU, NL, NO, and SE SAs confirmed to the IE SA that they maintain their remaining objections<sup>9</sup>.<br />
<br />
08.07.2022: The IE SA invited Meta IE to exercise its right to be heard in respect of the objections (and comments) that the IE SA proposed to refer to the EDPB under Article 65(1) GDPR along with the IE SA’s Composite Response and the communications received from the CSAs in reply to the Composite Response.<br />
<br />
09.08.2022: Meta IE furnished the requested submissions (“Meta IE Article 65 Submissions of 9 August 2022”).<br />
<br />
11.08.2022: The IE SA referred the matter to the EDPB in accordance with Article 60(4) GDPR, thereby initiating the dispute resolution procedure under Article 65(1)(a).<br />
<br />
6. The IE SA triggered the dispute resolution process in the Internal Market Information system (hereinafter “IMI”)<sup>10</sup> on 11 August 2022 in accordance with Article 60(4) GDPR.<br />
<br />
7. The EDPB Secretariat assessed the completeness of the file on behalf of the Chair of the EDPB in line with Article 11(2) EDPB RoP in order to ensure that all the necessary documents were included in the file.<br />
<br />
8. The EDPB Secretariat contacted the IE SA on 23 and 27 September 2022, asking for the transmission via IMI of specified documents pertaining to the investigation conducted by the IE SA<sup>11</sup>. The request<br />
<br />
<sup>9</sup> Response of the DE SAs to Composite Response dated 11 July 2022; Response of the ES SA to IE SA Composite Response dated 8 July 2022; Response of the FI SA to Composite Response dated 8 July 2022; Response of the HU SA to Composite Response dated 7 July 2022; Response of the NL SA to Composite Response dated 5 July 2022; Response of the NO SA to Composite Response dated 11 July 2022; Response of the SE SA to Composite Response dated 8 July 2022.<br />
<sup>10</sup> The Internal Market Information (IMI) is the information and communication system mentioned in Article 17 of the EDPB Rules of Procedure.<br />
<sup>11</sup> The following documents were requested:<br />
Letter of DPC to NOYB of 23/11/2018 outlining the scope of the inquiry;<br />
NOYB's reply to DPC of 03/12/2018 outlining procedural concerns;<br />
was made to allow the EDPB to come to a fully informed decision on the objections raised by some CSAs on the scope and conduct of the investigation. From the schedule to the Draft Decision, the EDPB Secretariat concluded that both Meta IE and the Complainant were given access to the documents requested and invited the IE SA to confirm this was indeed the case.<br />
<br />
9. The IE SA declined the request, as it considered the material already provided as sufficient to enable the EDPB to determine the objections referred to it, as the draft decision provides information about the scope of the inquiry commenced for the purpose of examining the complaint, the procedural steps taken in the inquiry, the information that was collected during the course of the inquiry process, the allegations that were put to the data controller, the submissions made by the parties to the inquiry and the assessments and views of the IE SA. Further, the IE SA expressed its concern over the possibility of the EDPB concluding its decision on the basis of material which was never put to the controller concerned as part of the formulation of any allegation of potential wrongdoing. Finally, the IE SA underlined that, in accordance with Article 11(2) of the EDPB RoP, they would provide documents the Board deems necessary.<br />
<br />
10. A matter of particular importance that was scrutinised by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the Charter of Fundamental Rights. Further details on this are provided in Section 2 of this Binding Decision.<br />
<br />
11. On 5 October 2022, the decision on the completeness of the file was taken, and it was circulated by the EDPB Secretariat to all the members of the EDPB.<br />
<br />
12. The Chair of the EDPB decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) EDPB RoP, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter.<br />
<br />
DPC's reply to NOYB of 16/01/2019;<br />
DPC letter to Meta of 30/01/2019 outlining views on the scope;<br />
Meta IE response to DPC of 05/02/2019, raising procedural questions;<br />
DPC's response to Meta of 08/02/2019;<br />
Email exchanges between DPC and Meta on 08/02 and 15/02/2019 regarding scope and procedural issues raised by NOYB;<br />
Meta IE’s Submissions of 22/02/2019 including Meta Submission of 28/09/2018 (marked up copy, of which parts Meta considered out of scope of complaint);<br />
DPC letter to NOYB of 28/03/2019 which included an update on the scope;<br />
Letter from NOYB to the IE SA dated 19 April 2019 which included further submissions on the scope;<br />
NOYB's letter to DPC of 24/02/2020 raising procedural issues;<br />
DPC's reply to NOYB of 23/03/2020;<br />
Draft Inquiry report of 20/05/2020;<br />
DPC letter to NOYB of 20/05/2020;<br />
NOYB's response to DPC of 03/06/2020;<br />
NOYB submissions on the Draft Inquiry Report of 19/08/2020;<br />
Meta IE’s Submissions on the Draft Inquiry Report of 22/06/2020;<br />
Final Inquiry report of 18 January 2021;<br />
NOYB’s Submissions on the Preliminary Draft Decision in IN-18-08-05 dated 11 June 2021;<br />
NOYB’s submission to the IE SA containing the Gallup study in attachment.<br />
2 THE RIGHT TO GOOD ADMINISTRATION<br />
<br />
13. The EDPB is subject to the EU Charter of Fundamental Rights, in particular Article 41 (right to good administration). This is also reflected in Article 11(1) EDPB RoP. Further details were provided in the EDPB Guidelines on Article 65(1)(a) GDPR<sup>12</sup>.<br />
<br />
14. The EDPB Decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them” (Article 65(2) GDPR). It is not aiming to address directly any third party. However, as a precautionary measure to address the possible need for the EDPB to offer the right to be heard at the EDPB level to Meta IE, the EDPB assessed if Meta IE was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and the subject matter of the dispute to be resolved by the EDPB. In particular, the EDPB assessed if all the documents containing the matters of facts and law used by the EDPB to take its decision had been previously shared with Meta IE.<br />
<br />
15. The EDPB notes that Meta IE has received the opportunity to exercise its right to be heard regarding all the documents containing the matters of facts and of law considered by the EDPB in the context of this decision and provided its written observations<sup>13</sup>, which have been shared with the EDPB by the LSA.<br />
<br />
16. Considering that Meta IE has been already heard by the IE SA on all matters of facts and of law addressed by the EDPB in its decision, the EDPB is satisfied that Article 41 of the EU Charter of Fundamental Rights has been respected.<br />
<br />
17. The EDPB considers that the Complainant is not likely to be adversely affected by this Binding Decision, and consequently does not meet the conditions to be granted a right to be heard by the EDPB in line with Article 41 of the EU Charter of Fundamental Rights, applicable case law, and Article 11 of the EDPB RoP. This is without prejudice to any right to be heard or other related rights the Complainant may have before the competent national supervisory authority(/-ies).<br />
<br />
3 CONDITIONS FOR ADOPTING A BINDING DECISION<br />
<br />
18. The general conditions for the adoption of a binding decision by the EDPB are set forth in Article 60(4) and Article 65(1)(a) GDPR<sup>14</sup>.<br />
<br />
3.1 Objection(s) expressed by several CSA(s) in relation to a Draft Decision<br />
<br />
19. The EDPB notes that several CSAs (AT, DE, ES, FI, FR, HU, IT, NL, NO and SE SAs) raised objections to the Draft Decision via IMI. The objections were raised pursuant to Article 60(4) GDPR.<br />
<br />
<sup>12</sup> EDPB Guidelines 3/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for public consultation) (hereinafter, “EDPB Guidelines on Art. 65(1)(a)”), paragraphs 94-108.<br />
<sup>13</sup> In particular, Meta IE Preliminary Draft Submissions dated 4 February 2022, Meta IE Article 65 Submissions dated 9 August 2022.<br />
<sup>14</sup> According to Art. 65(1)(a) GDPR, the EDPB will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA and the LSA has not followed the objection or the LSA has rejected such an objection as being not relevant or reasoned.<br />
3.2 The IE SA finds the objections to the Draft Decision not relevant or reasoned and does not follow them<br />
<br />
20. On 1 July 2022, the IE SA provided to the CSAs an analysis of the objections raised by the CSAs in the Composite Response.<br />
<br />
21. The IE SA concluded that it would not follow the objections, as it did not consider them “relevant” and/or “reasoned”, within the meaning of Article 4(24) GDPR, for the reasons set out in the Composite Response and below<sup>15</sup>.<br />
<br />
3.3 Admissibility of the case<br />
<br />
22. The case at issue fulfils the elements listed by Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA (the IE SA) within the deadline provided by Article 60(4) GDPR, and the IE SA has not followed objections or rejected them for being, in its view, not relevant or reasoned.<br />
<br />
23. The EDPB takes note of Meta IE’s position that the current Article 65 GDPR dispute resolution should be suspended due to pending preliminary ruling proceedings before the Court of Justice of the EU (hereinafter, “CJEU”)<sup>16</sup>. Meta IE refers in particular to cases C-252/21<sup>17</sup> and C-446/21<sup>18</sup>. Following its assessment, the EDPB decides to continue its proceedings on this Article 65 GDPR dispute resolution, as there is no explicit legal basis for a stay of the dispute resolution procedure in EU law, nor are existing CJEU rulings on the matter conclusive for the situation of the EDPB<sup>19</sup>. Also, the EDPB takes into consideration the data subjects’ right to have their complaints handled within a “reasonable period” (Article 57(1)(f) GDPR), and to have their case handled within a reasonable time by EU bodies (Article 41 Charter). Moreover, ultimately there are remedies available to the affected parties in case of a discrepancy between the EDPB Binding Decision and CJEU rulings in the aforementioned cases<sup>20</sup>.<br />
<br />
24. Considering the above, in particular that the conditions of Article 65(1)(a) GDPR are met, the EDPB is competent to adopt a binding decision, which shall concern all the matters which are the subject of<br />
<br />
<sup>15</sup> The IE SA letter to the EDPB Secretariat dated 11 August 2022.<br />
<sup>16</sup> Meta IE Article 65 Submissions, paragraphs 3.4-3.8.<br />
<sup>17</sup> Request for a preliminary ruling of 22 April 2021, Meta Platforms and Others, C-252/21 (hereinafter ‘C-252/21 Oberlandesgericht Düsseldorf request’).<br />
<sup>18</sup> Request for a preliminary ruling of 20 July 2021, Schrems, C-446/21 (hereinafter ‘C-446/21 Austrian Oberster Gerichtshof request’).<br />
<sup>19</sup> Judgement of the Court of Justice of 28 February 1991, Delimitis, C-234/89, ECLI:EU:C:1991:91; Judgement of the Court of Justice of 14 December 2000, Masterfoods, C-344/98, ECLI:EU:C:2000:689. These cases concerned proceedings before the national courts, where the parties faced the risk of being confronted with a conflicting decision of the national judge that could be seen as de facto nullifying the Commission decision – a power which is retained by the CJEU. The current dispute resolution procedure concerns the adoption of an administrative decision, which can be subject to full judicial review.<br />
<sup>20</sup> In case an action for annulment is brought against the EDPB decision(s) and found admissible, the General Court/CJEU has the opportunity to invalidate the decision of the EDPB. In addition, and if the General Court/CJEU were to deliver any judgment in the time between the adoption of the EDPB’s Art. 65 decision and the adoption of the IE SA’s final decision, the IE SA may ultimately decide to revise the final national decision it takes following the EDPB's binding decision, if the CJEU’s rulings give cause to do so, in accordance with the principle of cooperation as elaborated by the CJEU in the C-453/00 Judgement of the Court of Justice of 12 January 2004, Kühne &amp; Heitz NV, ECLI:EU:C:2004:17.<br />
the relevant and reasoned objection(s), i.e. whether there is an infringement of the GDPR or whether the envisaged action in relation to the controller or processor complies with the GDPR<sup>21</sup>.<br />
<br />
25. The EDPB recalls that its current Decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSA(s).<br />
<br />
3.4 Structure of the Binding Decision<br />
<br />
26. For each of the objections raised, the EDPB decides on their admissibility, by assessing first whether they can be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR as clarified in the Guidelines on the concept of a relevant and reasoned objection<sup>22</sup>.<br />
<br />
27. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by that objection in this specific case. The EDPB will analyse the merits of the substantial issues raised by all objections it deems relevant and reasoned<sup>23</sup>.<br />
<br />
4 ON WHETHER THE LSA SHOULD HAVE FOUND AN INFRINGEMENT FOR LACK OF APPROPRIATE LEGAL BASIS<br />
<br />
4.1 Analysis by the LSA in the Draft Decision<br />
<br />
28. The IE SA concludes that the GDPR, the jurisprudence and the EDPB Guidelines do not preclude Meta IE from relying on Article 6(1)(b) GDPR as a legal basis to carry out the personal data processing activities involved in the provision of its service to users, including behavioural advertising insofar as that forms a core part of the service<sup>24</sup>. Finding 2 reads “I find the Complainant’s case is not made out that the GDPR does not permit the reliance by Meta Ireland on 6(1)(b) GDPR in the context of its offering of Terms of Use”<sup>25</sup>.<br />
<br />
29. The IE SA states that it does not have competence to consider substantive issues of contract law and, accordingly, its analysis is limited to the specific contract entered into by the complainant and Meta IE in respect of the Instagram service<sup>26</sup>.<br />
<br />
30. The IE SA understands the complainant’s allegations as<sup>27</sup> being that, firstly, they were given a binary choice: i.e. either accept the Instagram Terms of Use and the associated Data Policy by selecting the<br />
<br />
<sup>21</sup> Art. 65(1)(a) and Art. 4(24) GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB.<br />
<sup>22</sup> EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version 2 adopted on 9 March 2021 (hereinafter, “EDPB Guidelines on RRO”).<br />
<sup>23</sup> See EDPB Guidelines on Art. 65(1)(a), paragraph 63 (“The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Article 4(24) GDPR and, if so, address the merits of the objection in the binding decision.”)<br />
<sup>24</sup> Draft Decision, paragraphs 112 and 115.<br />
<sup>25</sup> Draft Decision, Finding 2, p. 40.<br />
<sup>26</sup> Draft Decision, paragraph 84.<br />
<sup>27</sup> Draft Decision, paragraph 10.<br />
“accept” button, or deleting their Instagram account<sup>28</sup>, lack of clarity on which specific legal basis Meta IE relies on for each processing operation<sup>29</sup>, and their concern on Meta IE’s reliance on Article 6(1)(b) to deliver the Instagram Terms of Use<sup>30</sup>.<br />
<br />
31. While the IE SA acknowledges that the EDPB considers in its Guidelines 2/2019<sup>31</sup> that, as a general rule, processing for online behavioural advertising is not necessary for the performance of a contract for online service under Article 6(1)(b) GDPR<sup>32</sup>, in this particular case, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, the IE SA concluded that Meta IE may in principle rely on Article 6(1)(b) as legal basis of the processing of users’ data necessary for the provision of its service, including through the provision of behavioural advertising insofar as this forms a core part of that service offered to and accepted by users<sup>33</sup>. Further, the IE SA states that while the examples provided in any form of EDPB guidance are helpful and instructive, they are not necessarily conclusive of the position in any specific case and indeed do not purport to be<sup>34</sup>.<br />
<br />
32. The IE SA disagrees with what it defines as a “strict threshold of ‘impossibility’ in the assessment of necessity” proposed by the complainant and the EDPB<sup>35</sup>. By “impossibility”, the IE SA refers to the argument put forward that a particular term of a contract (here, behavioural advertising) is not necessary to deliver an overall service or contract<sup>36</sup>. The IE SA is of the view that “it is not for an authority such as the Commission, tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible or impossible” and that the general principles set out in the GDPR and explained by the EDPB in the guidelines must be applied on a case-by-case basis<sup>37</sup>. The IE SA considers that Article 6(1)(b) GDPR cannot be interpreted as requiring that it is impossible to perform the contract without the data processing operations in question<sup>38</sup>.<br />
<br />
33. The IE SA refers to Meta IE’s position that in the specific context of the Instagram service, personalised advertising may constitute a distinguishing feature of said service which is an “exact rationale” and one of the “essential elements of the Terms of Use” for which the ordinary user would reasonably expect their personal data to be processed so as to receive the Instagram service as advertised<sup>39</sup>. Further, the IE SA refers to Meta IE’s submission regarding whether the necessity test encompasses an impossibility threshold, and Meta IE’s argument that were impossibility an aspect of necessity, it<br />
<br />
<sup>28</sup> Draft Decision, paragraph 11.<br />
<sup>29</sup> Draft Decision, paragraph 17.<br />
<sup>30</sup> Draft Decision, paragraph 77.<br />
<sup>31</sup> EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, Version 2.0, adopted on 8 October 2019 (hereinafter, “EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR”).<br />
<sup>32</sup> Draft Decision, paragraph 113.<br />
<sup>33</sup> Draft Decision, paragraph 113.<br />
<sup>34</sup> Draft Decision, paragraph 108.<br />
<sup>35</sup> Draft Decision, paragraphs 107 and 112.<br />
<sup>36</sup> Draft Decision, paragraph 107.<br />
<sup>37</sup> Draft Decision, paragraph 108.<br />
<sup>38</sup> Draft Decision, paragraphs 107-109 and 112.<br />
<sup>39</sup> Draft Decision, paragraph 109.<br />
Adopted would not,inanycase operateasa“blanket prohibition”on relying onArticle(1)(b) GDPRasthe legal<br />
40<br />
basis for the processing inthis context .<br />
<br />
<br />
34. The IE SA considers personalised advertising a core part of the service offered to and accepted by the users, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by Meta IE and the user [41]. The IE SA points out that the nature of the service being offered to Instagram users is set out in the Terms of Use, which describe the Instagram service as being “personalised” and connecting users with brands, including by means of providing “relevant” advertising and content [42].<br />
<br />
<br />
35. The IE SA considers that, as the Instagram service is advertised in the Terms of Use as being predicated on personalised advertising, any reasonable user would understand and expect that this is part of the core bargain that is being struck with Meta IE, even if they might prefer that the market would offer them better alternative choices [43].<br />
<br />
<br />
36. The IE SA considers that, as personalised advertising forms part of the core bargain struck between Meta Ireland and Instagram users, any processing necessary for the delivery of such advertising is deemed to fall within the scope of Article 6(1)(b) GDPR [44].<br />
<br />
<br />
37. The IE SA thus concludes that Meta IE may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the delivery of a service based on behavioural advertising of the kind provided for under the contract between Meta IE and Instagram’s users [45].<br />
<br />
38. The IE SA clarified that, having regard to the scope of the complaint and its inquiry, the above conclusion ought not to be construed as an indication that all processing operations carried out on users’ personal data are necessarily covered by Article 6(1)(b) GDPR [46].<br />
<br />
<br />
39. The IE SA also notes that other provisions of the GDPR, such as transparency, act to strictly regulate the manner in which this service is to be delivered and the information that should be given to users, and decides to address it separately in its Draft Decision [47]. The IE SA considers that there have been significant failings of transparency in relation to the processing [48].<br />
<br />
40. The IE SA considers that these failings of transparency, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, do not, in principle, prevent Meta IE from relying on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising insofar as this forms a core part of that service offered to and accepted by users [49].<br />
<br />
40 Draft Decision, paragraph 109.<br />
41 Draft Decision, paragraph 104.<br />
42 Draft Decision, paragraph 104.<br />
43 Draft Decision, paragraph 105.<br />
44 Draft Decision, paragraph 105.<br />
45 Draft Decision, paragraph 111.<br />
46 Draft Decision, paragraph 114.<br />
47 Draft Decision, paragraph 111.<br />
48 Draft Decision, p. 71.<br />
<br />
<br />
<br />
4.2 Summary of the objections raised by the CSAs<br />
<br />
41. The AT, DE, ES, FI, FR, HU, NL, NO and SE SAs object to Finding 2 of the draft decision and the assessment leading up to it.<br />
<br />
<br />
42. The AT, ES, FI, HU, NL, NO and SE SAs [50] consider that the IE SA should have found an infringement of Article 6(1)(b) of the GDPR, in line with the EDPB’s interpretation of this provision [51]. The DE and FR SAs argue that the IE SA should have found an infringement of Article 6(1) GDPR [52].<br />
<br />
<br />
43. The DE SAs, in their objection, further argue that the IE SA should find an infringement of Article 5(1)(a) GDPR and make use of the corrective powers of Article 58(2)(f) and (i) GDPR: order the erasure of the unlawfully processed personal data, impose a ban on the respective processing of data for the purpose of behavioural advertising until a valid legal basis is in place, and impose an administrative fine pursuant to Article 83 GDPR [53].<br />
<br />
<br />
44. The FI SA, in its objection, also argues that the finding that Meta IE was not entitled to rely on Article 6(1)(b) GDPR as a legal basis for all the processing operations in the scope of the Instagram Service should lead to the conclusion that corrective powers pursuant to Article 58(2) GDPR must be exercised to bring the processing operations of Meta IE into compliance with the GDPR [54]. Furthermore, the FI SA considers that this additional infringement should be properly reflected in the amount of the administrative fine imposed pursuant to Article 83 GDPR [55].<br />
<br />
<br />
45. The FR SA notes that reversing the findings concerning the infringements of Article 6(1) GDPR also affects the scope of the corrective actions proposed by the IE SA, in addition to the administrative fine [56].<br />
<br />
<br />
46. The HU SA, in its objection, argues that in light of the infringement, the legal consequences of Article 58(2)(d) GDPR (order to bring processing operations into compliance) should be applied, and the controller should be instructed to indicate another, alternative legal basis [57].<br />
<br />
<br />
47. The NO SA, in its objection, also argues that the IE SA should take concrete corrective measures. More specifically, the NO SA considers that the IE SA should order Meta IE to delete personal data processed under Article 6(1)(b) GDPR, unless those data were also collected for other purposes with a valid legal basis, as well as order Meta IE to identify a valid legal basis for future online behavioural advertising or abstain from such processing activities, and impose an administrative fine against Meta IE for unlawfully processing personal data in the context of online behavioural advertising [58].<br />
<br />
49 Draft Decision, paragraph 113.<br />
50 AT SA Objection, pp. 1-7; ES SA Objection, pp. 1-3; FI SA Objection, pp. 2-7; HU SA Objection, pp. 2-4; NL SA Objection, pp. 1-12; NO SA Objection, pp. 1-9; SE SA Objection, pp. 2-4.<br />
51 EDPB Guidelines 02/2019 on Article 6(1)(b) GDPR.<br />
52 DE SAs Objection, pp. 2-7; FR SA Objection, pp. 2-7.<br />
53 DE SAs Objection, p. 10.<br />
54 FI SA Objection, paragraph 23.<br />
55 FI SA Objection, paragraph 26.<br />
56 FR SA Objection, paragraph 50.<br />
57 HU SA Objection, p. 3.<br />
<br />
<br />
<br />
48. The AT, DE, ES, FI, FR, HU, NL, NO and SE SAs put forward several factual and legal arguments for the proposed change in legal assessment [59]. Specifically, they argue that Meta IE cannot rely on Article 6(1)(b) GDPR as a legal basis to process an Instagram user’s data for behavioural advertising.<br />
<br />
<br />
49. In addition, in the context of their objection, the AT and FR SAs argue that the factual background of the Draft Decision does not include all relevant facts. They request amending the factual background to include a definition of “behavioural advertising” [60]. The AT SA suggests mentioning also the technical possibilities Meta IE uses to conduct it, such as collecting data from other group services, third-party websites, apps, cookies or similar storage technologies placed on the user’s computer or mobile device and linking that data with the user’s Instagram account [61]. The AT SA also suggests including the fact that on 25 May 2018 Meta IE switched its legal basis to process data for behavioural advertising from consent to contractual performance [62].<br />
<br />
50. The DE and NL SAs [63] question the validity of the contract between Meta IE and the Instagram service’s user to ground the said processing on Article 6(1)(b) GDPR, in light of the transparency issues identified by the IE SA [64]. The DE SAs question whether the parties reached an agreement if the user did not know that they would enter into a contract, because Meta IE did not clearly communicate in a transparent manner that the use of its services would in the future be based on a contract [65]. The NL SA argues that, as a general rule, both parties must be aware of the substance of a contract in order to willingly enter into it [66] and considers that “the established serious lack of transparency on behalf of the controller, leads, at the very least, to a reasonable doubt whether data subjects have indeed been able to enter into a contract with the controller both willingly and sufficiently informed” [67]. The DE and NL SAs therefore considered that Meta IE’s statement that it relies on Article 6(1)(b) GDPR, in combination with documents with general descriptions of the service provided, and the IE SA’s reference to the controller’s right to choose its own legal basis to process data, are insufficient to accept the performance of a contract as a legal basis [68].<br />
<br />
<br />
<br />
<br />
58 NO SA Objection, p. 9.<br />
59 AT SA Objection, pp. 3-6; DE SAs Objection, pp. 2-9; ES SA Objection, pp. 1-3; FI SA Objection, pp. 3-7; FR SA Objection, pp. 2-4; HU SA Objection, pp. 2-3; NL SA Objection, pp. 2-6; NO SA Objection, pp. 2-8; SE SA Objection, pp. 2-3.<br />
60 AT SA Objection, pp. 6-7; FR SA Objection, paragraph 6.<br />
61 AT SA Objection, pp. 6-7.<br />
62 AT SA Objection, p. 7.<br />
63 DE SAs Objection, pp. 3-4; NL SA Objection, pp. 3-5.<br />
64 In Finding 3, the IE SA states that “In relation to processing for which Article 6(1)(b) GDPR is relied on, Articles 5(1)(a), 12(1) and 13(1)(c) GDPR have been infringed”. The IE SA considered, among other things, that “Meta Ireland have not provided meaningful information as to the processing operation(s) and/or set(s) of operations that occur in the context of the Instagram service, either on basis of Article 6(1)(b) GDPR or any other legal basis. Indeed, I would go so far as to say that it is impossible for the user to identify with any degree of specificity what processing is carried out on what data, on foot of the specified lawful bases, in order to fulfil these objectives” (Draft Decision, par. 185).<br />
65 DE SAs Objection, p. 4.<br />
66 NL SA Objection, paragraph 12.<br />
67 NL SA Objection, paragraph 17.<br />
68 DE SAs Objection, pp. 3-4; NL SA Objection, paragraph 7.<br />
<br />
<br />
<br />
51. The DE SAs contend that the IE SA is competent to assess the validity of contracts in the context of the GDPR, which is a prerequisite for controllers to base the processing of personal data on Article 6(1)(b) GDPR [69]. Were that not the case, the assessment of Article 6(1)(b) GDPR would practically be deducted from the Supervisory Authorities’ tasks provided for in Article 57(1)(a) GDPR [70]. The DE and NL SAs argue that the IE SA should assess whether a valid contract is in place as required under Article 6(1)(b) GDPR [71].<br />
<br />
<br />
52. Without prejudice to any arguments made on the existence of a valid contract above, the AT, DE, ES, FI, FR, HU, NL, NO and SE SAs are not satisfied by the assessment of necessity in the Draft Decision [72]. They assert that the data processing for the delivery of personalised advertising is objectively not necessary for the performance of Meta IE’s contract with the data subject to deliver the Instagram service, and that it is not an essential or core element of it. To highlight that behavioural advertising is unnecessary to perform the contract with the Instagram user, the AT, DE, NL and SE SAs argue that the contract for providing personalised advertisement is a contract between Meta IE and a specific advertiser, in which Meta IE would presumably have this obligation towards the advertisers, yet not towards Instagram users, who are not party to this contract [73]. The DE SAs support this assertion by pointing out that there is no obligation to offer personalised advertising to the user, nor contractual sanctions for the failure to provide it, as can be seen from the terms of use [74]. The AT, DE, FI, FR, HU, NO and SE SAs consider, while referring to the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, that business models which offer “free” services and in return generate income by behavioural and personalised advertisement, inter alia, to support the service, cannot be necessary to perform a contract and fail to comply with data protection regulations [75]. The DE, FR and HU SAs also cite the EDPB Guidelines 8/2020 to underscore that processing cannot be rendered lawful by Article 6(1)(b) GDPR simply because such advertising indirectly funds the provision of the service, and that while personalisation of content may, in certain circumstances, constitute an intrinsic and expected element of certain online services, Article 6(1)(b) GDPR in the context of targeting of social media users is hardly applicable [76]. The AT, ES and SE SAs argue that advertisements can still be displayed on Instagram using alternative methods to behavioural advertising not involving profiling and tracking [77]. The SE SA adds that some degree of targeting for increased relevance is possible, such as by geography, language and context [78].<br />
<br />
<br />
53. In addition, the AT, ES, FI, FR, HU, NO and SE SAs argue, also while referring to the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, that the IE SA should have considered the EDPB’s argument that behavioural advertising cannot be “necessary” within the meaning of Article 6(1)(b) GDPR while a data subject can object to the processing of his/her personal data for direct marketing purposes at any time without any reason, in accordance with Article 21(2) GDPR [79].<br />
<br />
69 DE SAs Objection, p. 3.<br />
70 DE SAs Objection, p. 3.<br />
71 DE SAs Objection, p. 3; NL SA Objection, paragraph 11.<br />
72 AT SA Objection, p. 3; DE SAs Objection, pp. 4-7; ES SA Objection, pp. 1-2; FI SA Objection, pp. 3-5; FR SA Objection, pp. 3-4; HU SA Objection, pp. 1-3; NL SA Objection, pp. 4-8; NO SA Objection, pp. 5-6; SE SA Objection, p. 3.<br />
73 AT SA Objection, p. 4; DE SAs Objection, p. 5; NL SA Objection, paragraphs 12 and 19; SE SA Objection, p. 3.<br />
74 DE SAs Objection, p. 5.<br />
75 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR. AT SA Objection, p. 5; DE SAs Objection, pp. 6-7; HU SA Objection, p. 3; FI SA Objection, paragraphs 13 and 16; FR SA Objection, paragraphs 9 and 11; NO SA Objection, pp. 3 and 6-7; SE SA Objection, p. 3.<br />
76 EDPB Guidelines 8/2020 on the targeting of social media users, version 2.0, adopted on 13 April 2021, paragraph 49. DE SAs Objection, p. 6; FR SA Objection, paragraph 11; HU SA Objection, p. 3.<br />
77 AT SA Objection, p. 4; ES SA Objection, p. 2; SE SA Objection, p. 3.<br />
78 SE SA Objection, p. 3.<br />
<br />
<br />
<br />
54. The AT, DE, FR, NO, NL and SE SAs also point out some arguments on data subjects’ expectations about the processing of their personal data for personalised advertising as a necessary element of the contract entered into between users and Meta IE [80]. The AT, DE, NL and SE SAs contend that data subjects do not reasonably expect that their data is being processed for personalised advertising simply because Meta IE briefly refers to it in the Instagram Terms of Use [81]. The NO SA takes into account how Meta IE markets its Instagram platform towards potential users (“A simple, fun & creative way to capture, edit & share photos, videos & messages with friends & family”) and considers that Instagram users (including those with prior knowledge of data protection, technical means for profiling or the ad tech industry) should not be deemed to reasonably expect online behavioural advertising, especially to the extent that it is carried out by Meta IE [82]. The FR and NO SAs consider that the particularly massive and intrusive nature of the processing of the users’ data cannot meet the reasonable expectations of the users [83]. The AT, NL and SE SAs also consider that the Draft Decision is inconsistent in finding that information on specific processing operations should have been provided, linked with a specific lawful basis, and described in an unambiguous manner, while considering that data subjects had a perspective or expectation, or were well informed, that their data was being processed for behavioural advertising [84].<br />
<br />
<br />
55. In addition to the arguments made above on the existence of a valid contract and the necessity of behavioural advertising for the performance of that contract, several SAs raise other considerations in their objections.<br />
<br />
<br />
56. The NO SA argues that the IE SA’s interpretation of Article 6(1)(b) is contrary to the fairness principle, since data subjects face the dilemma of approving contractual terms possibly entailing intrusive and harmful processing practices, and being excluded from services on which they are de facto dependent, due to a lack of realistic alternatives to them [85].<br />
<br />
<br />
57. On the risks posed by the Draft Decision, the AT, DE, ES, HU, FI, NL, NO and SE SAs explain that the proposed interpretation of Article 6(1)(b) GDPR leads to a situation where data protection principles are either undermined or bypassed entirely with regard to data subjects using the Instagram service [86].<br />
<br />
79 See paragraph 52. AT SA Objection, p. 4; ES SA Objection, p. 2; FI SA Objection, paragraph 19; FR SA Objection, paragraph 11; HU SA Objection, p. 3; NO SA Objection, p. 7; SE SA Objection, p. 3.<br />
80 AT SA Objection, p. 4; DE SAs Objection, p. 5; FR SA Objection, paragraph 9; NL SA Objection, paragraph 19; NO SA Objection, pp. 7-8; SE SA Objection, p. 3.<br />
81 AT SA Objection, p. 4; DE SAs Objection, p. 5; NL SA Objection, paragraph 19; SE SA Objection, p. 3.<br />
82 NO SA Objection, p. 8.<br />
83 FR SA Objection, paragraph 18; NO SA Objection, p. 8.<br />
84 AT SA Objection, p. 4; NL SA Objection, paragraph 12; SE SA Objection, p. 3.<br />
85 NO SA Objection, p. 5.<br />
86 AT SA Objection, p. 6; DE SAs Objection, p. 9; ES SA Objection, p. 3; HU SA Objection, p. 4; FI SA Objection, paragraphs 31-33; NL SA Objection, paragraph 29; NO SA Objection, p. 8; SE SA Objection, p. 5.<br />
<br />
58. Specifically, the AT, DE and NO SAs point to the conditions of consent pursuant to Article 7 GDPR as being bypassed [87]. The NL SA considers that the Draft Decision allows Meta IE to engage in online behavioural advertising in a way that bypasses informed consent of data subjects [88]. The NO SA considers that users ‘would face a dilemma between approving (though not by way of valid consent) contractual terms possibly entailing intrusive and harmful processing practices, and being excluded from services’, which ultimately would also ‘adversely affect data subjects’ freedom of expression and information’ [89]. The FI, FR and NO SAs considered that the Draft Decision poses a risk to the fundamental rights and freedoms of the individuals concerned, insofar as using the legal basis of the contract for the processing of personal data for personalised advertising would prevent European users of the social network from having control over their data [90].<br />
<br />
<br />
59. Further, the AT SA sees the risk materialise as, in its view, Article 25(2) GDPR (privacy by default) is not applied, “since Meta Ireland – at least in its contract – declares that behavioural advertising is ‘necessary’ for the contractual performance” [91].<br />
<br />
<br />
60. The DE SAs argue that the Draft Decision allows Meta IE to “bypass the requirements of a valid legal basis for the processing that cannot be based on contract performance” [92]. The NL SA considers that the Draft Decision severely lowers the threshold for the legality of data processing on the basis of Article 6(1)(b) [93]. The NO SA considers that the Draft Decision erodes the lawfulness principle, as in the Draft Decision “it is not the legislation which sets the boundaries for lawfulness under Article 5(1)(a) GDPR, but instead the individual contract”, which is incompatible with Article 8 of the Charter of Fundamental Rights and Article 5(1)(a) GDPR [94].<br />
<br />
<br />
61. The FR, HU, NL and SE SAs take the view that the Draft Decision, as it stands, sets a dangerous precedent contrary to the GDPR [95]. The FR SA notes that it could be understood as reflecting the common position of the European supervisory authorities on this matter, since it is issued following the cooperation procedure among SAs [96]. Moreover, the AT, DE, FI, HU and SE SAs raise that this interpretation of Article 6(1)(b) GDPR could essentially be used by every controller and therefore endanger the rights of nearly every data subject within the EEA [97].<br />
<br />
<br />
62. The DE SAs specify that the risks concern the complainant in person, but they argue that there is also a significant risk as regards the fundamental rights and freedoms of all Meta IE’s users in the European Union that their personal data are processed without any legal basis [98]; the FI SA adds that the risks include the fundamental rights and freedoms of data subjects whose personal data might be processed in the future [99].<br />
<br />
87 AT SA Objection, pp. 2 and 5; DE SAs Objection, p. 9; NO SA Objection, p. 4.<br />
88 NL SA Objection, paragraph 30.<br />
89 NO SA Objection, p. 5.<br />
90 FI SA Objection, paragraph 35; FR SA Objection, paragraph 34; NO SA Objection, p. 8.<br />
91 AT SA Objection, p. 6.<br />
92 DE SAs Objection, p. 9.<br />
93 NL SA Objection, paragraph 30.<br />
94 NO SA Objection, pp. 2 and 8.<br />
95 FR SA Objection, paragraph 35; HU SA Objection, p. 3; NL SA Objection, paragraph 31; SE SA Objection, p. 5.<br />
96 FR SA Objection, paragraph 35.<br />
97 AT SA Objection, p. 6; DE SAs Objection, p. 9; FI SA Objection, paragraph 34; HU SA Objection, p. 3; SE SA Objection, p. 5.<br />
98 DE SAs Objection, p. 9.<br />
<br />
63. Finally, the AT, DE, FI, NL and NO SAs explain that the Draft Decision creates a loophole, allowing Meta IE and any other controller to make lawful virtually any collection and reuse of personal data, as long as they declare that it is processed for the performance of a contract [100].<br />
<br />
<br />
4.3 Position of the LSA on the objections<br />
<br />
64. The IE SA considers that the objections above are not relevant and/or not reasoned for the purpose of Article 60(4) GDPR and decides not to follow them [101].<br />
<br />
<br />
65. The IE SA contends that a broad, direct competence in contract law to assess the validity of contracts cannot be inferred from the GDPR tasks of supervisory authorities. It argues that this inference would create a very extensive power for SAs to regulate private law, without an appropriate basis in EU law [102].<br />
<br />
<br />
66. The IE SA argues that the core or fundamental aspects of the Terms of Use, including behavioural advertising processing, reflect the mutual expectations of the parties on contractual performance. The IE SA contends that a reasonable user would have had sufficient understanding that the Instagram service was provided on the basis of personalised advertising, based also on a “recognised public awareness” of behavioural advertising as a form of processing [103].<br />
<br />
67. On the necessity of the processing to perform the contract, the IE SA considers that it does not adopt a merely formal approach to Article 6(1)(b) that relies only on the textual content of the Terms of Use. The IE SA states that it does not take the view that all written contractual terms are necessary for the performance of the contract. The IE SA contends that it focuses in its Draft Decision on the fundamental purpose or core function of the contract that is necessary for its performance [104].<br />
<br />
<br />
68. The IE SA argues that the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR do not prohibit behavioural advertising processing under Article 6(1)(b) GDPR if it falls within the core or essential aspects of the service [105]. In relation to Meta IE’s processing of personal data, the IE SA differs from the SAs in that it considers online behavioural advertising as necessary for the performance of the contract (as described in the Instagram Terms of Use) between Instagram and the data subject [106].<br />
<br />
<br />
69. The IE SA also disagrees with the interpretation of Article 21 GDPR making behavioural advertising optional and not indispensable [107]. The IE SA argues that Article 6(1)(b) GDPR is not limited to aspects of contractual performance which are expressly mandatory and unconditional obligations of the parties [108]. The IE SA contends that the CJEU has in the past held that processing which exceeds the most minimal level of processing possible may be regarded as necessary where it renders a lawful objective “more effective”. The IE SA affirms that necessity in the context of Article 6(1)(b) GDPR cannot be assessed by reference to hypothetical alternative forms of the Instagram service and that it is not the role of SAs to impose specific business models on controllers [109].<br />
<br />
99 FI SA Objection, p. 7.<br />
100 AT SA Objection, p. 5; DE SAs Objection, p. 9; FI SA Objection, paragraph 32; NL SA Objection, paragraphs 30-31; NO SA Objection, pp. 2-3 and 7; SE SA Objection, p. 5.<br />
101 Composite Response, paragraphs 51, 57, 77, 85, 88, 95.<br />
102 Composite Response, paragraph 51.<br />
103 Composite Response, paragraphs 72 and 73.<br />
104 Composite Response, paragraphs 55 and 56.<br />
105 Composite Response, paragraph 84.<br />
106 Composite Response, paragraph 71.<br />
107 Composite Response, paragraph 74.<br />
<br />
<br />
<br />
70. The IE SA considers the EDPB Guidelines as not binding on supervisory authorities, yet it acknowledges that they should be taken into account [110]. However, the IE SA argues that the EDPB has not been provided with the legal power to mandate that certain categories of processing must be based on consent, to the exclusion of any other legal bases for processing. The IE SA’s view is that such a power is properly exercised from time to time by the EU legislator, in the form of specific legislative measures. The IE SA is therefore not satisfied that the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR can be construed as a binding and specific prohibition on processing for online behavioural advertising on the basis of Article 6(1)(b) GDPR. The IE SA considers that under these Guidelines, where processing for behavioural advertising is a distinguishing characteristic of the service in question, it can support the business objectives and interests of the controller and be based on Article 6(1)(b) GDPR. The IE SA considers that to be the case regarding Meta IE’s processing with reference to the Instagram service [111].<br />
<br />
<br />
71. The IE SA argues that compliance with the GDPR transparency obligations under Article 13(1)(c) GDPR involves a separate and different legal assessment to that required under Article 6(1)(b) GDPR. The IE SA acknowledges that the necessity test under Article 6(1)(b) GDPR may require considering contractual terms and other relevant information, and that the information provided under Article 13(1)(c) GDPR could, in some cases, inform a data subject’s expectations as to a contractual service. However, in the present case, the IE SA considers that the transparency infringements it proposes in its Draft Decision do not impact its findings on the legal basis, as it considers that the expectations and understanding of the parties on the Terms of Use include personalised advertising [112].<br />
<br />
<br />
4.4 Assessment of the EDPB<br />
<br />
4.4.1 Assessment of whether the objections were relevant and reasoned<br />
<br />
72. The objections raised by the AT, DE, ES, FI, FR, HU, NL, NO and SE SAs concern “whether there is an infringement of the GDPR” [113].<br />
<br />
<br />
73. The EDPB takes note of Meta IE’s view that not a single objection put forward by the CSAs meets the threshold of Article 4(24) GDPR [114]. Meta IE’s primary argument is that “it is not open to the EDPB to now decide on the lawfulness of Meta Ireland’s actual processing as the Objections suggest. Such an assessment is not within the scope of the Inquiry as defined by the DPC [115].” In Meta IE’s view, “the EDPB cannot expand the scope of the Inquiry in the manner suggested by the CSAs through Objections that are not relevant to the substance of the Complaint.” and “such objections ‘ought to be disregarded in their entirety by the EDPB” [116]. In this context, Meta IE cites EDPB Binding Decision 2/2022, adopted on 28 July 2022 (hereinafter, “EDPB Binding Decision 2/2022”), and in particular the EDPB’s analysis of some of the objections in that case, which were found to be not relevant or reasoned, due to the fact that these objections “fail[ed] to establish a direct connection with the specific legal and factual content of the draft decision” [117].<br />
<br />
108 Composite Response, paragraph 74.<br />
109 Composite Response, paragraph 76.<br />
110 Composite Response, paragraph 78.<br />
111 Composite Response, paragraphs 82-83.<br />
112 Composite Response, paragraph 87.<br />
113 EDPB Guidelines on RRO, paragraph 24.<br />
114 Meta IE Article 65 Submissions, paragraph 2.4 and Annex I, p. 65.<br />
115 Meta IE Article 65 Submissions, paragraph 2.4.<br />
<br />
<br />
<br />
74. Contrary to Meta IE’s position on relevance, as described above, objections can have bearing on the “specific legal and factual content of the Draft Decision” despite not aligning with the scope of the inquiry as defined by an LSA [118].<br />
<br />
<br />
75. In essence, Meta IE argues that CSAs may not, under any circumstance, express disagreement with the scope of the inquiry as decided by the LSA by way of an objection. The EDPB does not share this reading of Article 65 GDPR, as is explicitly stated in the EDPB RRO Guidelines [119].<br />
<br />
<br />
76. Further, Meta IE states that “several CSAs now propose to expand the scope of the Inquiry even further to include many other unrelated issues.” and that in this regard Meta IE “agrees with the DPC’s position in the Composite Memo that these unrelated issues raised by the CSAs are irrelevant to the resolution of this Inquiry and that expanding the scope of the Inquiry at this point would seriously infringe Meta Ireland’s procedural rights under both Irish and EU law 120.” Meta IE also agrees with the IE SA’s position in the Composite Response that “expanding the scope of the Inquiry at this point as the CSAs propose would seriously infringe Meta Ireland’s legitimate expectations, right to fair procedures (including the right to be heard) and rights of defence 121”. Despite claiming that this has been explained “clearly” in the Composite Response, Meta IE does not demonstrate in which manner its procedural rights would be inevitably breached by the mere fact that the EDPB finds specific objections admissible 122. Admissibility determines the competence of the EDPB, but not the outcome of the dispute between the LSA and the CSAs. Likewise, Meta IE does not explain how the mere act of considering the merits of admissible objections inevitably and irreparably breaches the procedural rights cited by Meta IE 123. Accepting Meta IE’s interpretation would severely limit the EDPB’s possibility to resolve disputes arising in the one-stop-shop, and thus undermine the consistent application of the GDPR.<br />
<br />
116 Meta IE Article 65 Submissions, paragraph 4.9.<br />
117 In respect of Meta IE’s arguments in paragraph 4.9 of its Article 65 Submissions on these objections not being “relevant”, the EDPB recalls that the analysis of whether a given objection meets the threshold set by Art. 4(24) GDPR is carried out on a case-by-case basis. Meta IE refers to the EDPB’s Binding Decision 2/2022 and specifically to the paragraphs where the EDPB established that specific objections raised by the DE SAs and NO SA in that case were not relevant and reasoned. There are several differences between those objections and the objections which are analysed in this section. More specifically, in the Binding Decision 2/2022 the objections referred to by Meta IE did not “establish a direct connection with the specific legal and factual content of the Draft Decision” (Binding Decision 2/2022 paragraphs 139, 147, 164) whereas each CSA here has made several clear links with the content of the Draft Decision, as is described in paragraph 77 of this Binding Decision.<br />
118 Meta IE does not consider that any of the objections are reasoned, as set out in their replies to each of the objections in Annex 1. Meta IE Article 65 Submissions, Annex 1, pp. 66-124. In respect of Meta IE’s arguments in paragraph 4.9 of its Article 65 Submissions on these objections not being reasoned, the EDPB notes that the objections that were found to be not relevant and/or not reasoned in the Binding Decision 2/2022 did “not provide sufficiently precise and detailed legal reasoning regarding infringement of each specific provision in question”, did not explain sufficiently clearly, nor substantiate in sufficient detail how the conclusion proposed could be reached, or did not sufficiently demonstrate the significance of the risk posed by the Draft Decision for the rights and freedoms of the data subjects or the free flow of data within the EU (Binding Decision 2/2022, paragraphs 140, 148, 165). Here, each CSA provides a number of legal and factual arguments and explanations as to why an infringement for lack of appropriate legal basis is to be established, and adequately identifies the risk posed by the Draft Decision if it was adopted unchanged (paragraphs 79-81 of this Binding Decision).<br />
119 “For instance, if the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant or resulting from an infringement reported by a CSA, a relevant and reasoned objection may be raised based on the failure of the LSA to properly handle the complaint and to safeguard the rights of the data subject.” EDPB Guidelines on RRO, paragraph 27.<br />
120 Meta IE Article 65 Submissions, paragraph 4.2.<br />
<br />
<br />
77. The objections of the AT, DE, ES, FI, HU, FR, NL, NO and SE SAs all have a direct connection with the LSA Draft Decision and refer to a specific part of the Draft Decision, i.e. Finding 2. All of those objections concern “whether there is an infringement of the GDPR” as they argue that the IE SA should have found an infringement of Article 6, 6(1) or 6(1)(b) of the GDPR. As the LSA considered that Article 6(1)(b) of the GDPR was not breached, the objections entail a need of a change of the LSA decision leading to a different conclusion. Consequently, the EDPB finds that the AT, DE, ES, FI, HU, FR, NL, NO and SE SAs objections relating to the infringement of Article 6, 6(1) or 6(1)(b) GDPR are relevant.<br />
<br />
78. As regards the part of the DE SAs’ objection arguing that the IE SA should find an infringement of Article 5(1)(a) GDPR and impose the erasure of unlawfully processed personal data and the ban of the processing of data for the purpose of behavioural advertising until a valid legal basis is in place, the part of the FI SA objection asking that the infringement of Article 6(1) be properly reflected in the amount of the administrative fine, as well as the part of the NO SA objection arguing the IE SA should order Meta IE to delete personal data processed under Article 6(1)(b) GDPR, as well as order Meta IE to identify a valid legal basis for future online behavioural advertising or from now on abstain from such processing activities, the EDPB notes that these parts of the objections concern “whether the envisaged action in relation to the controller complies with the GDPR.” These parts of the objections are linked to the IE SA’s Finding 2 with regard to Article 6(1)(b) GDPR. Therefore, they are directly connected with the substance of the Draft Decision and, if followed, would lead to a different conclusion. Thus, the EDPB considers that these parts of the DE, FI and NO SAs objections are relevant.<br />
<br />
79. The objections of the AT, DE, ES, FI, FR, HU, NL, NO and SE SAs on the finding of an infringement are reasoned because they all include clarifications and arguments on legal/factual mistakes in the LSA’s Draft Decision that require amending. More specifically, the AT, DE, ES, FI, HU, FR, NL, NO and SE SAs provide detailed arguments to challenge the Draft Decision’s consideration of behavioural advertising as a necessary, core or fundamental aspect of a contract leading to the need to change the decision and to find an infringement of Article 6(1)(b) GDPR 124. Some of them provide detailed arguments challenging the validity of the contract on which the use of Article 6(1)(b) as a legal basis depends and which the IE SA accepts 125.<br />
<br />
121 Meta IE Article 65 Submissions, paragraph 4.10, where Meta IE makes reference to paragraphs 32-33 of the Composite Response.<br />
122 Meta IE Article 65 Submissions, paragraph 4.10.<br />
123 The EDPB fails to see how, for instance, declaring an objection admissible but rejecting it on merits could impinge on the procedural rights of the controller involved in the underlying case.<br />
124 AT SA Objection, pp. 4-5; DE SAs Objection, p. 5-6, ES SA Objection, p. 2, FI SA Objection, paragraphs 16 and 18, FR SA Objection, paragraphs 8-9, HU SA Objection, p. 3, NL SA Objection, paragraphs 18-19; NO SA Objection, p. 7, SE SA Objection, pp. 3.<br />
<br />
80. Some SAs recall, while referring to the terms of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, that it is the fundamental and mutually understood contractual purpose, which justifies that the processing is necessary 126. This purpose is not only based on the controller’s perspective but also on a reasonable data subject’s perspective when entering into the contract and thus on “the mutual perspectives and expectations of the parties to the contract”. The AT, NL, and SE SAs contend that data subjects do not reasonably expect that their data is being processed for personalised advertising simply because Meta IE briefly refers to it in the Instagram Terms of Use 127. The FR and NO SAs also support this finding and add that data subjects cannot be presumed to be aware of the particularly massive and intrusive nature of this processing 128. Several SAs also consider that the Draft Decision is inconsistent in finding that information on specific processing operations should have been provided, linked with a specific or lawful basis, and described in an unambiguous manner, while considering that data subjects had a perspective or expectation or were well informed that their data was being processed for behavioural advertising 129.<br />
<br />
81. The AT, DE, ES, FI, FR, HU, NL, NO and SE SAs objections also identify risks posed by the Draft Decision, in particular an interpretation of Article 6(1)(b) that could be invoked by any controller and would undermine or bypass data protection principles, and thus endanger the rights of data subjects within the EEA 130.<br />
<br />
82. Meta IE contends that in terms of risk, the objections must “demonstrate the likelihood of a direct negative impact of a certain significance of the Draft Decision on fundamental rights and freedoms under the Charter and not just any data subject rights 131.” Meta IE thus adds a condition to Article 4(24) GDPR, which is not supported by the GDPR 132.<br />
<br />
83. As regards the parts of the DE and NO SAs’ objections requesting the finding of an infringement of Article 5(1)(a) GDPR, and the parts of the DE, FI and NO SAs’ objections requesting specific corrective measures under Article 58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the imposition of an administrative fine, a ban of the processing of personal data for the purpose of behavioural advertising, an order to delete personal data processed under Article 6(1)(b) GDPR and an order to identify a valid legal basis for future online behavioural advertising or to abstain from such processing activities, the EDPB considers that these parts of the objections do not sufficiently elaborate the legal or factual arguments that would justify a change in the Draft Decision leading to the finding of an infringement of Article 5(1)(a) GDPR or to the imposition of the specific corrective measures mentioned above. Likewise, the significance of the risk for the data subjects, which stems from the IE SA’s decision not to conclude on the infringement of Article 5(1)(a) GDPR and not to impose the requested corrective measures, is not sufficiently demonstrated.<br />
<br />
125 DE SAs Objection, pp. 3-4; NL SA Objection, paragraphs 7 and 10-12.<br />
126 AT SA Objection, p. 4; DE SAs Objection pp. 5-6; FR SA Objection, paragraphs 9-11; NL SA Objection paragraph 18; NO SA Objection, p. 7-8; SE SA Objection, p. 3. EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 32 and 33.<br />
127 AT SA Objection, pp. 3-4; NL SA Objection, paragraph 28, 30-32; SE SA Objection, p. 3.<br />
128 FR SA Objection, paragraph 18; IT SA Objection, paragraph 2.6, NO SA Objection, pp. 6-7.<br />
129 AT SA Objection, p. 4; NL SA Objection, paragraph 30; SE SA Objection, p. 3.<br />
130 See their description of the risks in paragraphs 57-63 above.<br />
131 Meta IE Article 65 Submissions, p. 64.<br />
132 Article 1(2) GDPR provides that the GDPR itself “protects fundamental rights and freedoms of natural persons and in particular their right to protection of personal data”, which directly stems from Article 8(1) of the Charter. Therefore, there is no reason to draw a distinction between the data subject rights protected by the GDPR and the fundamental rights protected under the Charter when interpreting Article 4(24) GDPR.<br />
<br />
<br />
84. Considering the above, the EDPB finds that the objections of the AT, DE, ES, FI, FR, HU, NL, NO and SE SAs are relevant and reasoned in accordance with Article 4(24) GDPR.<br />
<br />
85. However, the parts of the DE and NO SAs’ objections concerning the additional infringement of Article 5(1)(a) GDPR and the imposition of specific corrective measures, namely the imposition of an administrative fine, a ban on the processing of personal data for the purpose of behavioural advertising, an order to delete personal data processed under Article 6(1)(b) GDPR and an order to identify a valid legal basis for future behavioural advertising or to abstain from such processing activities are not reasoned and do not meet the threshold of Article 4(24) GDPR. Similarly, the part of the FI SA’s objection concerning the imposition of a specific corrective measure, namely an administrative fine, is not reasoned and does not meet the threshold of Article 4(24) GDPR.<br />
<br />
<br />
4.4.2 Assessment on the merits<br />
86. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.<br />
<br />
87. The EDPB considers that the objections found to be relevant and reasoned in this subsection require an assessment of whether the Draft Decision needs to be changed insofar as it rejects the Complainant’s claim that the GDPR does not permit Meta IE’s reliance on Article 6(1)(b) GDPR to process personal data in the context of its offering of the Instagram Terms of Use 133. When assessing the merits of the objections raised, the EDPB also takes into account Meta IE’s position on the objections and its submissions.<br />
<br />
Meta IE’s position on the objections and its submissions<br />
<br />
88. In its submissions, Meta IE argues that the objections lack merit. Meta IE considers that they are based on incorrect factual assumptions and are legally flawed 134. Meta IE states that its reliance on Article 6(1)(b) GDPR does not ‘bypass’ the GDPR. Nor would it, according to Meta IE, jeopardise data subject rights, be limited to individually negotiated agreements or be affected by Meta IE’s purported pre-GDPR legal basis for processing conducted pre-GDPR 135.<br />
<br />
89. Meta IE argues that there is a lack of factual material and evidence on the issues on which the CSAs raise objections, including on its reliance on Article 6(1)(b) GDPR for the specific processing operations it conducts in its Instagram service for the purposes of behavioural advertising 136. Meta IE notes that in its inquiry, the IE SA “only addresses the issue of whether Meta Ireland may in principle rely on Article 6(1)(b) GDPR for purpose of behavioural advertising, but not the issue of whether Meta Ireland may in fact rely on Article 6(1)(b) GDPR, which would have required a detailed factual assessment of all of Meta Ireland’s data processing. 137”<br />
<br />
133 These objections being those of the AT, DE, ES, FI, FR, HU, NL, NO and SE SAs arguing that the IE SA should have found an infringement of Article 6(1)(b), 6(1) or 6 GDPR.<br />
134 Meta IE Article 65 Submissions, paragraph 2.4.<br />
135 Meta IE Article 65 Submissions, paragraph 2.5.<br />
136 Meta IE Article 65 Submissions, paragraph 4.24 and 4.25.<br />
<br />
<br />
90. At the same time, Meta IE contends that, to address the complaint, the IE SA did not have to reach any conclusions as to whether the actual processing conducted by Meta IE to deliver behavioural advertising based on Article 6(1)(b) GDPR was lawful 138. Meta IE supports the IE SA’s position that “it would not be appropriate to undertake substantial factual findings for an open-ended assessment of all processing operations by Meta Ireland. 139”<br />
<br />
91. Meta IE thus agrees with the finding the IE SA reached on Meta IE’s not being precluded from relying on Article 6(1)(b) GDPR for the processing of data necessary to deliver behavioural advertising upon the IE SA’s review of the Instagram Terms of Use and the nature of the Instagram service as described in those terms 140.<br />
<br />
92. Meta IE defends that Article 6(1)(b) GDPR can be relied on as a legal basis for behavioural advertising 141. Meta IE argues that its application requires the assessment of whether a given data processing operation, when properly investigated and analysed, is actually necessary for the performance of a contract 142. Meta IE notes that the provision of a personalised experience, including in the form of behavioural advertising, is “core” to the Instagram Service (as per the Terms of Use which govern the contractual relationship between Meta IE and Instagram users) 143.<br />
<br />
93. Meta IE argues that the Terms of Use make clear that users will be shown advertising personalised to their interests under the heading “Connecting you with brands, products, and services in ways you care about” 144. Meta IE supports the DPC’s finding, based on its review of the Instagram Terms of Use and that Instagram is “promoted as such”, that an average user who accepts the Terms of Use would have the expectation that personalisation, including in the form of behavioural advertising, forms a core and integral part of the Instagram Service 145. Meta IE backs this argument with a reference to a survey and a study conducted by a private entity and a digital industry association 146. Meta IE considers that its compliance with the GDPR’s transparency obligations involves a separate and different legal assessment from Article 6(1)(b) GDPR 147. Meta IE considers demonstrated in this case that Meta IE and its users have a mutual expectation that personalisation, including in the form of behavioural ads, is core to its Terms of Use 148.<br />
<br />
94. Meta IE recalls that the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR do not categorically prohibit reliance on Article 6(1)(b) GDPR for behavioural advertising 149. Meta IE further adds, referring to the CJEU’s Huber judgment, that “processing beyond the most minimal required to achieve the processing purpose could still be deemed ‘necessary’ if it allowed the relevant processing purpose to be ‘more effectively’ achieved” 150. Meta IE submits that even if Article 6(1)(b) GDPR required the processing to be absolutely essential to perform the contract, it would be impossible to provide the Instagram Service in accordance with the Terms of Use without providing behavioural advertising 151. Meta IE states that the EDPB may not dictate the nature of the services Meta IE provides. Meta IE would view this as a violation of Article 16 of the Charter on the freedom to conduct a business, enabling service providers to determine what measures to take in order to achieve the result they seek, based on their resources, abilities, and compatibility with other obligations and challenges they may encounter in the exercise of their activity 152.<br />
<br />
137 Meta IE Article 65 Submissions, paragraph 4.23.<br />
138 Meta IE Article 65 Submissions, paragraph 2.3.<br />
139 Meta IE Article 65 Submissions, paragraph 4.23.<br />
140 Meta IE Article 65 Submissions, paragraphs 2.3 and 4.7.<br />
141 Meta IE Article 65 Submissions, paragraph 6.4.<br />
142 Meta IE Article 65 Submissions, paragraph 6.7.<br />
143 Meta IE Article 65 Submissions, paragraphs 6.13 and 6.17.<br />
144 Meta IE Article 65 Submissions, paragraph 6.18.<br />
145 Meta IE Article 65 Submissions, paragraphs 6.20 and 6.21.<br />
146 Meta IE Article 65 Submissions, paragraph 6.21.<br />
147 Meta IE Article 65 Submissions, paragraph 6.29.<br />
148 Meta IE Article 65 Submissions, paragraph 6.29.<br />
149 Meta IE Article 65 Submissions, paragraph 6.34.<br />
<br />
<br />
95. Meta IE further argues that its reliance on the contractual necessity legal basis does not jeopardise data subject rights 153. Meta IE considers that these would also be protected by contract and consumer protection legislations in the EU Member States 154. Meta IE defends that the contractual necessity legal basis is not limited to individually negotiated agreements and can also be used for standard form contracts 155. Meta IE further adds that it would be improper for CSAs and the EDPB to analyse the validity of Instagram Terms of Use under applicable laws of contract or to draw inferences from them 156. In response to what Meta IE considers mischaracterisations in certain objections of national contract law, Meta IE provides expert reports on the validity of its Terms of Use in 10 Member States 157.<br />
<br />
96. Meta IE concludes its arguments in support of its reliance on Article 6(1)(b) GDPR stating that its pre-GDPR legal basis for data processing does not affect its flexibility to rely on other legal bases post GDPR if it complies with the relevant requirements 158. Meta IE also distinguishes behavioural advertising on the Instagram Service from direct marketing pursuant to Article 21(2) GDPR and thus considers this provision not applicable to behavioural advertising 159.<br />
<br />
The EDPB’s assessment of the merits<br />
<br />
97. The EDPB considers it necessary to begin its assessment on the merits with a general description of the practice of behavioural advertising carried out in the context of the Instagram service before determining whether the legal basis of Article 6(1)(b) GDPR is appropriate for this practice in the present case, based on the Instagram Terms of Use and the nature of its products and features as described in those terms. The requests for preliminary rulings made to the CJEU in the cases C-252/21 and C-446/21 to which some of the documents in the file refer contain helpful descriptions of Meta’s behavioural advertising practices in the context of its Facebook services 160. Given that behavioural advertising is also carried out in the context of the Instagram service, and given the similarities between the two services, relying on the same Data Policy 161, the EDPB considers that these cases are also useful in gaining an understanding of the practice of behavioural advertising in relation to the Instagram service. Furthermore, in the request for a preliminary ruling in case C-252/21, it is mentioned that if the CJEU answers the question 7 positively (regarding the competence of a Member State national competition authority to determine, when assessing the balance of interests whether data processing and their terms comply with the GDPR) that the questions 3 to 5 must be answered in relation to data from the use of the group’s Instagram service 162. In addition, Meta IE makes reference to both of these requests for preliminary rulings in its submissions, and therefore clearly considers them relevant to this case 163.<br />
<br />
150 Judgement of the Court of Justice of 16 December 2008, Heinz Huber v Bundesrepublik Deutschland, C-524/06, ECLI:EU:C:2008:724, (hereinafter ‘C-524/06 Huber’), paragraphs 62 and 66. Meta IE Article 65 Submission, paragraph 6.37.<br />
151 Meta IE Article 65 Submissions, paragraph 6.38.<br />
152 Meta IE Article 65 Submissions, paragraph 6.25.<br />
153 Meta IE Article 65 Submissions, paragraph 6.8.<br />
154 Meta IE Article 65 Submissions, paragraph 6.8.<br />
155 Meta IE Article 65 Submissions, paragraphs 6.40-6.46.<br />
156 Meta IE Article 65 Submissions, paragraphs 6.43 and 6.44.<br />
157 Meta IE Article 65 Submissions, paragraphs 6.44 and 6.45 and Annex 2.<br />
158 Meta IE Article 65 Submissions, paragraphs 6.47-6.49.<br />
159 Meta IE Article 65 Submissions, paragraphs 6.50-6.57.<br />
<br />
<br />
98. These requests for preliminary rulings mention that Meta IE collects data on its individual users and their activities on and off its Facebook service via numerous means such as the service itself, other services of the Meta group including Instagram, WhatsApp and Oculus, third party websites and apps via integrated programming interfaces such as Facebook Business Tools or via cookies, social plug-ins, pixels and comparable technologies placed on the internet user’s computer or mobile device 164. According to the descriptions provided, Meta IE links these data with the user’s Facebook account to enable advertisers to tailor their advertising to Facebook’s individual users based on their consumer behaviour, interests, purchasing power and personal situation. This may also include the user’s physical location to display content relevant to the user’s location. Meta IE offers its services to its users free of charge and generates revenue through this personalised advertising that targets them, in addition to static advertising that is displayed to every user in the same way.<br />
<br />
160 C-252/21 Oberlandesgericht Düsseldorf request, pp. 6-7, available at: https://curia.europa.eu/juris/showPdf.jsf?text=&docid=242143&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=644235 and C-446/21 Austrian Oberster Gerichtshof request, paragraphs 2-3, 6-13, 15-23, available at https://curia.europa.eu/juris/showPdf.jsf?text=&docid=247308&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=766249; see also the references to these requests for a preliminary ruling in the AT SA Objection p. 1-2 and Meta IE Article 65 Submission, paragraphs 3.4-3.9.<br />
161 See the similarities of the Instagram and Facebook services described in the Data Policy. The Instagram Data Policy refers to both “Facebook settings” and “Instagram settings” (“This policy describes the information we process to support Facebook, Instagram, Messenger and other products and features offered by Facebook (Facebook Products or Products). You can find additional tools and information in the Facebook Settings and Instagram Settings.”) Section I of this policy refers to the “Facebook products” when describing the kinds of information collected for the processing. Instagram Data Policy of 22.05.2018, annex 2 of the Instagram Complaint. Similarly, according to Instagram Terms of Use “Instagram is part of the Facebook Companies, which share technology, systems, insights, and information - including the information we have about you (...) in order to provide services that are better, safer, and more secure. We also provide ways to interact across the Facebook Company Products that you use, and designed systems to achieve a seamless and consistent experience across Facebook Company Products.”<br />
162 Question 3 reads “Can an undertaking, such as Facebook Ireland, which operates a digital social network funded by advertising and offers personalised content and advertising, network security, product improvement and continuous, seamless use of all of its group products in its terms of service, justify collecting data for these purposes from other group services and third-party websites and apps via integrated interfaces such as Facebook Business Tools, or via cookies or similar storage technologies placed on the internet user’s computer or mobile device, linking those data with the user’s Facebook.com account and using them, on the ground of necessity for the performance of the contract under Article 6(1)(b) of the GDPR or on the ground of the pursuit of legitimate interests under Article 6(1)(f) of the GDPR?”<br />
163 Meta IE Article 65 Submissions, paragraphs 3.2-3.9.<br />
164 C-252/21 Oberlandesgericht Düsseldorf request, pp. 6-7.<br />
<br />
<br />
99. The EDPB considers that these general descriptions signal by themselves the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Facebook service, as well as off the Facebook service itself, through third party websites and apps which are connected to Facebook.com via programming interfaces (“Facebook Business Tools”), including the Instagram service 165. Furthermore, among the aspects described in the Instagram Terms of Use is “Providing consistent and seamless experiences across other Facebook Company Products.” which involves “shar[ing] technology, systems, insights, and information - including the information we have about you.” It is therefore clear that personal data is shared between Facebook companies (“We use data from Instagram and other Facebook Company Products, as well as from third-party partners, to show you ads (...)”).<br />
<br />
100. These are relevant facts to consider to assess the appropriateness of Article 6(1)(b) GDPR as a legal basis for behavioural advertising and to what extent reasonable users may understand and expect behavioural advertising when they accept the Instagram Terms of Use and perceive it as necessary for Meta IE to deliver its service 166. Accordingly, the EDPB further considers that the IE SA could have added to its Draft Decision a description of behavioural advertising that Meta IE conducts through the Instagram service to appropriately substantiate its reasoning leading to its acceptance of Article 6(1)(b) GDPR as a legal basis for that practice in accordance with the IE SA’s duty to state the reasons for an individual decision 167.<br />
<br />
101. Notwithstanding the EDPB’s considerations above, the EDPB considers that there is sufficient information in the file for the EDPB to decide whether the IE SA needs to change its Draft Decision insofar as it rejects the complainant’s claim that the GDPR does not permit Meta IE’s reliance on Article 6(1)(b) GDPR to process personal data in the context of its offering of the Instagram service, based on its Terms of Use.<br />
<br />
<br />
102. As described above in section 4.1., the IE SA concludes in Finding 2 of its Draft Decision that the Complainant’s case was not made out that the GDPR does not permit the reliance by Meta IE on Article 6(1)(b) GDPR in the context of its offering of Terms of Use, neither Article 6(1)(b) GDPR nor any other provision of the GDPR precludes Meta IE from relying on Article 6(1)(b) GDPR as a legal basis to deliver a service, including behavioural advertising insofar as that forms a core part of the service 168. The IE SA considers that, having regard to the specific terms of the contract and the nature of the service provided and agreed upon by the parties, Meta IE may in principle rely on Article 6(1)(b) GDPR as a legal basis of the processing of users’ data necessary for the provision of its Instagram service, including through the provision of behavioural advertising insofar as this forms a core part of its service offered to and accepted by its users 169. The IE SA considers the core of the service offered by Meta IE is premised on the delivery of personalised advertising 170. The IE SA considers a reasonable user would understand and expect this having read the Terms of Use 171. Meta IE supports this conclusion of the IE SA 172.<br />
<br />
165 C-252/21 Oberlandesgericht Düsseldorf request, pp. 6-7. Facebook Business Tools is also mentioned in Instagram’s Data Policy.<br />
166 In the same vein, the Advocate General also provides a description of behavioural advertising in his Opinion on the case C-252/21 Oberlandesgericht Düsseldorf request, see Opinion of the Advocate General of 20 September 2022, ECLI:EU:C:2022:704, paragraphs 9 and 10.<br />
167 See EDPB Guidelines on Art. 65(1)(a) GDPR, paragraph 84 and EDPB Guidelines 2/2022 on the application of Article 60 GDPR (Version 1.0, Adopted on 14 March 2022), para. 111 (stating: “[…] every decision that is aimed at legal consequences needs to include a description of relevant facts, sound reasoning and a proper legal assessment. These requirements essentially serve the purpose of legal certainty and legal protection of the parties concerned. Applied to the area of data protection supervision this means that the controller, processor and complainant should be able to acknowledge all the reasons in order to decide whether they should bring the case to trial. Having regard to the decision making process within the cooperation mechanism, CSAs likewise need to be in the position to decide on possibly taking actions (e.g. agree to the decision, provide their views on the subject matter)”). See also by analogy C-50/12 P Judgement of the Court of Justice of 26 November 2013, Kendrion NV v European Commission, ECLI:EU:C:2013:771.<br />
<br />
<br />
103. To assess these claims of the IE SA and Meta IE, the EDPB considers it necessary to recall the general objectives that the GDPR pursues, which must guide its interpretation, together with the wording of its provisions and its normative context 173.<br />
<br />
104. The GDPR develops the fundamental right to the protection of personal data found in Article 8(1) of the EU Charter of Fundamental Rights and Article 16(1) of the TFEU, which constitute EU primary law 174. As the CJEU clarified, “an EU act must be interpreted, as far as possible, in such a way as not to affect its validity and in conformity with primary law as a whole and, in particular, with the provisions of the Charter. Thus, if the wording of secondary EU legislation is open to more than one interpretation, preference should be given to the interpretation which renders the provision consistent with primary law rather than to the interpretation which leads to its being incompatible with primary law” 175. In the face of rapid technological developments and increases in the scale of data collection and sharing, the GDPR creates a strong and more coherent data protection framework in the Union, backed by strong enforcement, and built on the principle that natural persons should have control of their own personal data 176. By ensuring a consistent, homogenous and equivalent high level of protection throughout the EU, the GDPR seeks to ensure the free movement of personal data within the EU 177. The GDPR acknowledges that the right to data protection needs to be balanced against other fundamental rights and freedoms, such as the freedom to conduct a business, in accordance with the principle of proportionality and has these considerations integrated into its provisions 178. The GDPR, pursuant to EU primary law, treats personal data as a fundamental right inherent to a data subject and his/her dignity, and not as a commodity data subjects can trade away through a contract 179. The CJEU provided additional interpretative guidance by asserting that the fundamental rights of data subjects to privacy and the protection of their personal data override, as a rule, a controller’s economic interests 180.<br />
<br />
168 Draft Decision, paragraphs 112 and 115. Finding 2 reads: “I find the Complainant’s case is not made out that the GDPR does not permit the reliance by Meta Ireland on 6(1)(b) GDPR in the context of its offering of Terms of [...].”<br />
169 Draft Decision, paragraph 113.<br />
170 Draft Decision, paragraph 104.<br />
171 Draft Decision, paragraph 105.<br />
172 Meta IE Article 65 Submissions, paragraphs 6.21 and 6.30.<br />
173 Judgement of the Court of Justice of 1 August 2022, Vyriausioji tarnybinės etikos komisija, Case C-184/20, ECLI:EU:C:2022:601, (hereinafter ‘C-184/20 Vyriausioji tarnybinės etikos komisija’), paragraph 121.<br />
174 Recitals 1 and 2 GDPR.<br />
175 Judgement of the Court of Justice of 21 June 2022, Ligue des droits humains v. Conseil des ministres, C-817/19, ECLI:EU:C:2022:491, (hereinafter ‘C-817/19 Ligue des droits humains’), paragraph 86; and Judgement of the Court of Justice of 2 February 2021, Consob, C-481/19, ECLI:EU:C:2021:84, paragraph 50 and the case-law cited.<br />
176 Article 1(1) and (2) and Recitals 6 and 7 GDPR.<br />
177 Article 1(3) and Recitals 9, 10 and 13 GDPR.<br />
178 Recital 4 GDPR.<br />
179 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 54.<br />
<br />
<br />
105. The principle of lawfulness of Article 5(1)(a) and Article 6 GDPR is one of the main safeguards to the protection of personal data. It follows a restrictive approach whereby a controller may only process the personal data of individuals if it is able to rely on one of the bases found in the exhaustive and restrictive lists of the cases in which the processing of data is lawful under Article 6 GDPR 181.<br />
<br />
106. The principle of lawfulness goes hand in hand with the principles of fairness and transparency in Article 5(1)(a) GDPR. The principle of fairness includes, inter alia, recognising the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller 182.<br />
<br />
107. The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases 183. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal bases established under Article 6 GDPR if it is appropriate for the processing at stake 184. A specific legal basis will be appropriate insofar as the processing can meet its requirements set by the GDPR and fulfil the objective of the GDPR to protect the rights and freedoms of natural persons and in particular their right to the protection of personal data 185. The legal basis will not be appropriate if its application to a specific processing defeats this practical effect (“effet utile”) pursued by the GDPR and Article 5(1)(a) and Article 6 GDPR 186. These criteria stem from the content of the GDPR and the interpretation favourable to the rights of data subjects to be given thereto described in paragraph 104 above 187.<br />
<br />
108. The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom 188. This obligation applies even where the practical application of GDPR principles such as those of Article 5(1)(a) and Article 5(2) GDPR is inconvenient or runs counter to the commercial interests of Meta IE and its business model. The controller is also obliged to be able to demonstrate that it meets these principles and any obligations derived therefrom, such as that it meets the specific conditions applicable to each legal basis 189.<br />
<br />
180 Judgement of the Court of Justice of 13 May 2014, Google Spain SL, C-131/12, ECLI:EU:C:2014:317, paragraphs 97 and 99.<br />
181 Judgement of the Court of Justice of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-Scara A, C-708/18, ECLI:EU:C:2019:1064, (hereinafter ‘C-708/18 TK v Asociaţia de Proprietari’), paragraph 37.<br />
182 See Recital 39 GDPR and EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 11 and 12.<br />
183 Draft Decision paragraph 48 and Meta IE Article 65 Submission paragraph 5.10.<br />
184 As mentioned in the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 18, the identification of the appropriate lawful basis is tied to the principles of fairness and purpose limitation. It will be difficult for controllers to comply with these principles if they have not first clearly identified the purposes of the processing, or if processing of personal data goes beyond what is necessary for the specified purposes. See also Section 6 of this Binding Decision on the potential additional infringement of the principle of fairness.<br />
185 C-708/18 TK v Asociaţia de Proprietari, paragraph 37.<br />
186 See C-524/06 Huber, paragraph 52 on the concept of necessity being interpreted in a manner that fully reflects the objective of Directive 95/46. On the importance of considering the practical effect (effet utile) sought by EU law in its interpretation, see also for instance: C-817/19 Ligue des droits humains, paragraph 195 and Judgement of the Court of Justice of 17 September 2002, Muñoz and Superior Fruiticola, C-253/00, ECLI:EU:C:2002:497, paragraph 30.<br />
187 Article 1(1)(2) and (5) GDPR.<br />
188 Article 5(2) GDPR “Principle of accountability” of data controllers; see also C-252/21 Oberlandesgericht Düsseldorf request, Opinion of the Advocate General on 20 September 2022, ECLI:EU:C:2022:704, paragraph 52.<br />
<br />
<br />
109. The first condition to be able to rely on Article 6(1)(b) GDPR as a legal basis to process the data subject’s data is that a controller, in line with its accountability obligations under Article 5(2) GDPR, has to be able to demonstrate that (a) a contract exists and (b) the contract is valid pursuant to applicable national contract laws 190.<br />
<br />
110. Both the IE SA and Meta IE consider that the Terms of Use make up the entire agreement between the Instagram user and Meta IE and that the Data Policy is simply a compliance document setting out information to fulfil the GDPR transparency obligations 191. The IE SA thus considers that the contract for which the analysis based on Article 6(1)(b) GDPR takes place is the Terms of Use 192.<br />
<br />
111. The IE SA and Meta IE argue that the GDPR does not confer a broad and direct competence to supervisory authorities to interpret or assess the validity of contracts 193.<br />
<br />
112. The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract’s general validity insofar as this is relevant to the fulfilment of their tasks under the GDPR. Otherwise, the SAs would see their monitoring and enforcement task under Article 57(1)(a) GDPR limited to actions such as verifying whether the processing at stake is necessary for the performance of a contract (Article 6(1)(b) GDPR), and whether a contract with a processor under Article 28(3) GDPR and data importer under Article 46(2) GDPR includes appropriate safeguards pursuant to the GDPR. Pursuant to the IE SA’s interpretation, the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident that it is not, for instance because there is no proof of agreement between the two parties, or because the contract does not comply with its Member State’s rules on the validity, formation or effect of a contract in relation to a child 194.<br />
<br />
113. As the DE and NL SAs 195 argue, the validity of the contract for the Instagram service between Meta IE and the complainant is questionable, given the strong indications that the Complainant was unaware of entering into a contract, and (as the IE SA establishes with its Finding 3 of its Draft Decision) serious transparency issues in relation to the legal basis relied on. In contract law, as a general rule, both parties must be aware of the substance of the contract and the obligations of both parties to the contract in order to willingly enter into such contract.<br />
<br />
189 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 26.<br />
190 EDPB Binding Decision 2/2022, paragraph 84.<br />
191 Draft Decision, paragraphs 72 and 73.<br />
192 Draft Decision, paragraph 73.<br />
193 Composite Response, paragraph 51; Draft Decision, paragraph 95; Meta IE Article 65 Submissions, paragraph 6.43.<br />
194 Article 8(3) GDPR.<br />
195 DE SA Objection, p. 4 and NL SA Objection, paragraph 11.<br />
<br />
<br />
<br />
114. Notwithstanding the possible invalidity of the contract, the EDPB refers to its previous interpretative guidance on this matter to provide below its analysis on whether behavioural advertising is objectively necessary for Meta IE to provide its Instagram service to the user based on its Terms of Use and the nature of the service 196.<br />
<br />
115. The EDPB recalls that for the assessment of necessity under Article 6(1)(b) GDPR 197, “[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance” 198. As the EDPB has previously stated, regard should be given to the particular aim, purpose, or objective of the service and, for applicability of Article 6(1)(b) GDPR, it is required that the processing is objectively necessary for a purpose and integral to the delivery of that contractual service to the data subject 199.<br />
<br />
116. Moreover, the EDPB notes that the controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not only on the controller’s perspective, but also on a reasonable data subject’s perspective when entering into the contract 200.<br />
<br />
117. The IE SA accepts the EDPB’s position that, as a general rule, processing of personal data for behavioural advertising is not necessary for the performance of a contract for online services 201. However, the IE SA considers that in this particular case, having regard to the specific terms of the contract and the nature of the Instagram service provided and agreed upon by the parties, Meta IE may in principle rely on Article 6(1)(b) GDPR to process the user’s data necessary for the provision of its service, including through the provision of behavioural advertising insofar as this forms a core part of that service offered to and accepted by users 202.<br />
<br />
118. The IE SA views behavioural advertising as “the core of both Meta Ireland’s business model and the bargain struck between Meta Ireland and Instagram users” 203. In support of this consideration, the IE SA refers to the “first and sixth clauses” of “the specific contract entered into between Meta IE and Instagram users” 204. The IE SA considers that from the text of these “clauses” it is “clear that the core of the service offered by Meta Ireland is premised on the delivery of personalised advertising.” 205 The IE SA considers that this position is supported by the fact that “the Terms of Use describe the Instagram service as being ‘personalised’ and connects users with brands, including by means of providing ‘relevant’ advertising and content.” Based on this, the IE SA is of the view that “It is clear that the Instagram service is advertised as offering a 'personalised' experience, including by way of the advertising it delivers to users 206.” The IE SA considers that as the Instagram service is “advertised” in its Terms of Use “as being predicated on personalised advertising (...) any reasonable user would expect and understand that this is part of the core bargain that is being struck (...)” but acknowledges that “users may prefer that the market offer alternative choices 207.”<br />
<br />
196 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR.<br />
197 See Binding Decision 2/2022, paragraph 89.<br />
198 WP29 Opinion 6/2014 on the notion of legitimate interests, p. 17.<br />
199 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 30.<br />
200 See Binding Decision 2/2022, paragraph 90.<br />
201 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 52. Draft Decision, paragraph 113.<br />
202 Draft Decision, paragraph 113.<br />
203 Draft Decision, paragraph 102 and Finding 2.<br />
204 Draft Decision, paragraph 103.<br />
205 Draft Decision, paragraph 104.<br />
206 Draft Decision, paragraph 104.<br />
<br />
<br />
119. On this issue, the EDPB recalls that the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR 208. Accordingly, the concept of necessity under Article 6(1)(b) GDPR cannot be interpreted in a way that undermines this provision and the GDPR’s general objective of protecting the right to the protection of personal data or contradicts Article 8 of the Charter 209. On the processing of data in the Facebook services, Advocate General Rantos supports a strict interpretation of Article 6(1)(b) GDPR among other legal bases, particularly to avoid any circumvention of the requirement for consent 210. Given the similarities between the Facebook and Instagram services, as explained above in paragraph 97, and the fact that this case may concern the legal basis for processing of personal data for the Instagram service 211.<br />
<br />
120. As the IE SA states in its Draft Decision, “Instagram is a global online social network service which allows registered users to communicate with other registered users through messages, audio, video calls and video chats, and by sending images and video files 212.” Meta IE promotes among its prospective and current users the perception that the main purpose of the Instagram service and for which it processes its users’ data is to enable them to share content and communicate with others. Meta IE presents its Instagram service on the “About” page of its website as a platform which “give[s] people the power to build community and bring[s] the world closer together 213.” At the beginning of its Terms of Use, Meta IE presents its mission for the Instagram service as “To bring you closer to the people and things you love 214.” The description of the aspects of the service includes “Offering personalized opportunities to create, connect, communicate.”<br />
<br />
121. The fact that the Terms of Use do not provide for any contractual obligation binding Meta IE to offer personalised advertising to the Instagram users and any contractual penalty if Meta IE fails to do so shows that, at least from the perspective of the Instagram user, this processing is not necessary to perform the contract 215. Providing personalised advertising to its users may be an obligation between Meta IE and the specific advertisers that pay for Meta IE’s targeted display of their advertisements in the Instagram service to Instagram users, but it is not presented as an obligation towards the Instagram users.<br />
<br />
122. Nor does Meta IE’s business model of offering services, at no monetary cost for the user, to generate income by behavioural advertisement to support its Instagram service make this processing necessary to perform the contract. Under the principle of lawfulness of the GDPR and its Article 6, it is the business model which must adapt itself and comply with the requirements that the GDPR sets out in general and for each of the legal bases and not the reverse. As the Advocate General Rantos stressed recently in his opinion on Meta IE’s processing in Facebook, based on Article 5(2) GDPR, it is the controller (Meta IE) in this case who is responsible for demonstrating that the personal data are processed in accordance with the GDPR 216.<br />
<br />
123. As the EDPB provided in its guidance, “Assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing ‘for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal’. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’. Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.” 217<br />
<br />
124. On the question of whether here there are realistic, less intrusive alternatives to behavioural advertising that make this processing not “necessary” 218, the EDPB considers that there are. The AT and SE SAs mention as examples contextual advertising based on geography, language and content, which do not involve intrusive measures such as profiling and tracking of users 219. In his recent opinion on Facebook, Advocate General Rantos also refers to the Austrian Government’s “pertinent” observation that in the past, Meta IE allowed Facebook users to choose between a chronological presentation and a personalised presentation of newsfeed content, which, in his view, proves that an alternative method is possible 220. By considering the existence of alternative practices to behavioural advertising that are more respectful of the Instagram users’ right to data protection, the EDPB, as the Advocate General did in relation to Facebook users, aims to assess if this processing is objectively necessary to deliver the service offered, as perceived by the Instagram user whose personal data is processed, and not to dictate the nature of Meta IE’s service or impose specific business models on controllers, as Meta IE and the IE SA respectively argue 221. The EDPB considers that Article 6(1)(b) GDPR does not cover processing which is useful but not objectively necessary for performing the contractual service, even if it is necessary for the controller’s other business purposes 222.<br />
<br />
207 Draft Decision, paragraph 105.<br />
208 See paragraphs 103-104 above on the principles guiding the interpretation of the GDPR and its provisions. The CJEU also stated in Huber that “what is at issue is a concept [necessity] which has its own independent meaning in Community law and which must be interpreted in a manner which fully reflects the objective of that Directive, [Directive 95/46], as laid down in Article 1(1) thereof”. C-524/06 Huber, paragraph 52.<br />
209 Article 1(2) GDPR.<br />
210 C-252/21 Oberlandesgericht Düsseldorf request, Opinion of the Advocate General on 20 September 2022, ECLI:EU:C:2022:704, paragraph 51. (The EDPB refers to the Advocate General’s Opinion in its Binding Decision as an authoritative source of interpretation to underline the EDPB’s reasoning on the processing of data in the Facebook Service, without prejudice to the case-law that the CJEU may create with its future judgments on the Cases C-252/21 and C-446/21).<br />
211 Paragraph 97 and footnote 161 of this Binding Decision.<br />
212 Draft Decision, paragraph 5.<br />
213 https://about.instagram.com/<br />
214 Both the IE SA and Meta IE consider the Instagram Terms of Use as constituting the entire contract between Meta IE and the Instagram users (see paragraphs 92, 110 and 118 of this Binding Decision).<br />
215 The Instagram Terms of Use are formulated in one-sided terms as follows: “These Terms of Use govern your use of Instagram and provide information about the Instagram Service (...).” While under the first heading of the Terms of Use (“The Instagram Service”), Instagram announces that it “provide[s]” the Instagram service. After describing the aspects of the service and referencing the Data Policy, the Instagram Terms of Use include a section which is headed with “Your Commitments”. While Instagram itself only “offers” various services, it makes clear that the Instagram Terms of Use unilaterally impose duties and obligations on the user. Otherwise, the user may face suspension or termination of their account, as described under “Content Removal and Disabling or Terminating Your Account” of the Instagram Terms of Use. No (contractual) sanctions appear to apply in the event that Meta IE fails to provide or poorly performs one or more of these services.<br />
216 C-252/21 Oberlandesgericht Düsseldorf request, Opinion of the Advocate General on 20 September 2022, ECLI:EU:C:2022:704, paragraph 52.<br />
217 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 25.<br />
218 In Schecke, the CJEU held that, when examining the necessity of processing personal data, the legislature needed to take into account alternative, less intrusive measures. Judgement of the Court of Justice of 9 November 2010, Volker und Markus Schecke GbR, C-92/09 and C-93/09, ECLI:EU:C:2010:662, (hereinafter ‘Case C-92/09 and C-93/09 Schecke’), paragraph 52. This was repeated by the CJEU in the Rīgas case where it held that “As regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”. Judgement of the Court of Justice of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, C-13/16, ECLI:EU:C:2017:336, paragraph 30.<br />
219 AT SA Objection, p. 5; SE SA Objection, p. 3.<br />
220 C-252/21 Oberlandesgericht Düsseldorf request, Opinion of the Advocate General on 20 September 2022, ECLI:EU:C:2022:704, footnote 80.<br />
<br />
<br />
125. The EDPB considers that the absolute right available to data subjects, under Article 21(2) and (3) GDPR, to object to the processing of their data (including profiling) for direct marketing purposes further supports its consideration that, as a general rule, the processing of personal data for behavioural advertising is not necessary to perform a contract. The processing cannot be necessary to perform a contract if a data subject has the possibility to opt out from it at any time, and without providing any reason.<br />
<br />
126. The EDPB finds that a reasonable user cannot expect that their personal data is being processed for behavioural advertising simply because Meta IE briefly refers to this processing in its Instagram Terms of Use (which Meta IE and the IE SA consider as constituting the entirety of the contract), or because of the “wider circumstances” or “recognised public awareness of this form of processing” derived from its “widespread prevalence of OBA processing” to which the IE SA refers 223. Behavioural advertising, as briefly described in paragraph 98 above, is a set of processing operations of personal data of great technical complexity, which has a particularly massive and intrusive nature. In view of the characteristics of behavioural advertising, coupled with the very brief and insufficient information that Meta provides about it in the Instagram Terms of Use and Data Policy (a separate document that the IE SA and Meta IE do not even consider part of the contractual obligations), the EDPB finds it extremely difficult to argue that an average user can fully grasp it, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it solely based on the Instagram Terms of Use. The EDPB recalls its Guidelines 2/2019 on Article 6(1)(b) GDPR, in which it argues that the expectations of the average data subject need to be considered in light, not only of the terms of service but also of the way this service is promoted to users 224. Advocate General Rantos expresses similar doubts where he says in relation to Facebook behavioural advertising practices “I am curious as to what extent the processing might correspond to the expectations of an average user and, more generally, what ‘degree of personalisation’ the user can expect from the service he or she signs up for” 225 and adds in a footnote that he does not “believe that the collection and use of personal data outside Facebook are necessary for the provision of the services offered as part of the Facebook profile” 226.<br />
<br />
127. The EDPB notes that the mission of the Instagram service, as expressed in its Terms of Use, is formulated in a vague and broad manner (“To bring you closer to the people and things you love.”). When using the Instagram service, a user is primarily confronted with the possibility of viewing photographs and videos by people or organisations that they follow, as well as sharing such content with their followers. This is acknowledged by the IE SA, which provides the following description of the Instagram service in its Draft Decision: “Instagram is a global online social network service which allows registered users to communicate with other registered users through messages, audio, video calls and video chats, and by sending images and video files 227.”<br />
<br />
221 Meta IE Article 65 Submissions, paragraph 6.25 and Composite Response, paragraph 76. On the relevance of this Opinion for assessing Instagram’s reliance on Article 6(1)(b) GDPR, see paragraph 97 of this Binding Decision.<br />
222 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 25.<br />
223 Composite Response, paragraphs 72 and 73.<br />
224 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 57.<br />
225 C-252/21 Oberlandesgericht Düsseldorf request, Opinion of the Advocate General on 20 September 2022, ECLI:EU:C:2022:704, paragraph 56.<br />
226 Ibid, footnote 81. On the relevance of this Opinion for assessing Instagram’s reliance on Article 6(1)(b) GDPR, see paragraph 97 of this Binding Decision.<br />
<br />
<br />
128. Based on the considerations above, the EDPB considers that the main purpose for which users use Instagram and accept its Terms of Use is to share content and communicate with others, not to receive personalised advertisements.<br />
<br />
129. Meta IE infringed its transparency obligations under Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR by not clearly informing the complainant and other users of the Instagram Service of the specific processing operations, the personal data processed in them, the specific purposes they serve, and the legal basis on which each of the processing operations relies, as the IE SA concludes in its Draft Decision 228. The EDPB considers that this fundamental failure of Meta IE to comply with its transparency obligations contradicts the IE SA’s finding that Instagram users could reasonably expect online behavioural advertising as being necessary for the performance of their contract (as described in the Instagram Terms of Use) with Meta IE 229.<br />
<br />
130. The EDPB recalls that “controllers should make sure to avoid any confusion as to what the applicable legal basis is” and that this is “particularly relevant where the appropriate legal basis is Article 6(1)(b) GDPR and a contract regarding online services is entered into by data subjects”, because “[d]epending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) GDPR when signing a contract or accepting terms of service” 230. Article 6(1)(b) GDPR requires the existence and validity of a contract, and the processing being necessary to perform it. These conditions cannot be met where one of the Parties (in this case the data subject) is not provided with sufficient information to know that they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered. These transparency requirements are not only an additional and separate obligation, as the IE SA seems to imply, but also an indispensable and constitutive part of the legal basis 231.<br />
<br />
131. The risks to the rights of data subjects derived from this asymmetry of information and an inappropriate reliance on this legal basis are higher in situations such as in the present case, in which the Complainant and other Instagram users face a “take it or leave it” situation resulting from the standard contract pre-formulated by Meta IE and the lack of alternative services in the market. The EU legislator has regularly identified and aimed to address with multiple legal instruments these risks and the imbalance between the parties to consumer contracts. For example, Directive 93/13/EEC on unfair terms in consumer contracts 232 mandates, as do the transparency obligations under the GDPR, the use of plain, intelligible language in the terms of the contracts offered to consumers 233. This Directive even provides that where there is a doubt about the meaning of a term, the interpretation most favourable to the consumer shall prevail 234. Processing of personal data that is based on what is deemed to be an unfair term under this Directive will generally not be consistent with the requirement under Article 5(1)(a) GDPR that the processing is lawful and fair 235.<br />
<br />
227 Draft Decision, paragraph 5.<br />
228 Draft Decision, paragraphs 184 and 185 and Finding 3, which reads “In relation to processing for which Article 6(1)(b) GDPR is relied on, Articles 5(1)(a), 12(1) and 13(1)(c) GDPR have been infringed.”<br />
229 Draft Decision, paragraph 105 and Finding 2.<br />
230 EDPB Binding Decision 1/2021, paragraph 214 and EDPB Guidelines 2/2019 on Article 6(1)(b), paragraph 20.<br />
231 Draft Decision, paragraph 111.<br />
<br />
<br />
132. Advocate General Rantos concludes in reference to Meta IE that the fact that an undertaking providing a social network enjoys a dominant position in the domestic market for online social network for private users “does play a role in the assessment of the freedom of consent within the meaning of that provision, which it is for the controller to demonstrate, taking into account, where appropriate, the existence of a clear imbalance of power between the data subject and the controller, any requirement for consent to the processing of personal data other than those strictly necessary for the provision of the services in question, the need for consent to be specific for each purpose of processing and the need to prevent the withdrawal of consent from being detrimental to users who withdraw it.”[236] In line with the logic of this argument, the EDPB considers that the dominant position of Meta IE also plays an important role in the assessment of Meta IE’s reliance on Article 6(1)(b) GDPR for its Instagram service and its risks to data subjects, especially considering how deficiently Meta IE informs the Instagram users of the data it strictly needs to process to deliver the service.<br />
<br />
<br />
133. Given that the main purpose for which a user uses Instagram service is to share and receive content, and communicate with others,[237] and that Meta IE conditions their use to the user’s acceptance of a contract and the behavioural advertising they include, the EDPB cannot see how a user would have the option of opting out of a particular processing which is part of the contract as the IE SA seems to argue.[238] The users’ lack of choice in this respect would rather indicate that Meta IE’s reliance on the contractual performance legal basis deprives users of their rights, among others, to withdraw their consent under Articles 6(1)(a) and 7 and/or to object to the processing of their data based on Article 6(1)(f) GDPR.<br />
<br />
<br />
134. The EDPB agrees with the AT, DE, ES, FI, FR, HU, NL, NO and SE SAs that there is a risk that the Draft Decision’s failure to establish Meta IE’s infringement of Article 6(1)(b) GDPR, pursuant to the IE SA’s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject.[239] Meta IE currently leaves the complainant and other users of the Instagram service with a single choice. They may either contract away their right to freely determine the processing of their personal data and submit to its processing for the obscure, and intrusive purpose of behavioural advertising, which they can neither expect, nor fully understand based on the insufficient information Meta IE provides to them. Or, they may decline accepting Instagram Terms of Use and thus be excluded from a service that enables them to communicate, share content with and receive content from millions of users and for which there are currently few realistic alternatives. This exclusion would thus also adversely affect their freedom of expression and information.<br />
<br />
[232] A contractual term that has not been individually negotiated is unfair under the Directive 93/13/EEC “if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer”, Article 3(1).<br />
[233] Articles 4(2) and 5 Directive 93/13/EEC.<br />
[234] Article 5 Directive 93/13/EEC.<br />
[235] EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, footnote 10.<br />
[236] C-252/21 Oberlandesgericht Düsseldorf request, Opinion of the Advocate General on 20 September 2022, ECLI:EU:C:2022:704, Conclusion, paragraph 78 (4). On the relevance of this Opinion for assessing Instagram’s reliance on Article 6(1)(b) GDPR, see paragraph 97 of this Binding Decision.<br />
[237] See paragraphs 127-128 of this Binding Decision.<br />
[238] Composite Response, paragraph 69.<br />
[239] AT SA Objection, pp. 5-6; DE SAs Objection, p. 9; ES SA Objection, p. 3; FI SA Objection paragraphs 31-35; FR SA Objection, paragraphs 34-35; HU SA Objection, p. 4; NL SA Objection, paragraphs 30-31; NO SA Objection, p. 8; SE SA Objection, p. 5.<br />
<br />
135. This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects. Some of the safeguards from which data subjects would be deprived due to an inappropriate use of Article 6(1)(b) GDPR as legal basis, instead of others such as consent (Article 6(1)(a) GDPR) and legitimate interest (Article 6(1)(f) GDPR), are the possibility to specifically consent to certain processing operations and not to others and to the further processing of their personal data (Article 6(4) GDPR); their freedom to withdraw consent (Article 7 GDPR); their right to be forgotten (Article 17 GDPR); and the balancing exercise of the legitimate interests of the controller against their interests or fundamental rights and freedoms (Article 6(1)(f) GDPR). As a result, owing to the number of users of the Instagram service, the market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the Complainant and the millions of users of Instagram service in the EEA and affect the protection of the hundreds of millions of people covered by the GDPR.[240]<br />
<br />
136. The EDPB thus concurs with the objections of the AT, DE, ES, FI, FR, HU, NL, NO and SE SAs[241] to Finding 2 of the Draft Decision in that the behavioural advertising performed by Meta IE in the context of the Instagram service is objectively not necessary for the performance of Meta IE’s alleged contract with data users for the Instagram service and is not an essential or core element of it.<br />
<br />
<br />
137. In conclusion, the EDPB decides that the Meta IE has inappropriately relied on Article 6(1)(b) GDPR to process the complainant’s personal data in the context of Instagram Terms of Use and therefore lacks a legal basis to process these data for the purposes of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Use for the purposes of behavioural advertising. Meta IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision which concludes that Meta IE may rely on Article 6(1)(b) GDPR in the context of its offering of the Instagram Terms of Use and to include an infringement of Article 6(1) GDPR based on the shortcomings that the EDPB has identified.<br />
<br />
[240] In the Draft Decision, the IE SA quotes Meta IE’s submissions dated 28 September 2018, in which it states that it “provides the Instagram service to hundreds of millions of users across the European region.” Draft Decision, paragraph 223. In its submissions on the Preliminary Draft Decision, Meta IE stated that the correct figure for monthly active accounts for the Instagram Service as of 31 August 2018 (the date of commencement of the Inquiry) is approximately , while clarifying that this number represents active accounts on Instagram rather than unique users and thus does not represent the number of unique users. This figure does not include UK-based accounts as Meta IE considered accounts in that territory were not relevant for the Inquiry. The IE SA does not share this view, on the grounds that the GDPR was applicable in the UK at the date of the complaint. Meta IE’s Response to the Preliminary Draft Decision, paragraph 14.13. Draft Decision, paragraph 223.<br />
[241] AT SA Objection, pp. 4-5; DE SAs Objection, p. 5-6, ES SA Objection, p. 2, FI SA Objection, paragraphs 16 and 18, FR SA Objection, paragraphs 8-9, HU SA Objection, p. 3, NL SA Objection, paragraphs 18-19; NO SA Objection, p. 7, SE SA Objection, pp. 3.<br />
<br />
<br />
<br />
5 ON WHETHER THE LSA’S DRAFT DECISION INCLUDES ENOUGH ANALYSIS AND EVIDENCE TO CONCLUDE THAT META IE IS NOT OBLIGED TO RELY ON CONSENT TO PROCESS THE COMPLAINANT’S PERSONAL DATA<br />
<br />
<br />
5.1 Analysis by the LSA in the Draft Decision<br />
<br />
138. The IE SA concludes as a matter of fact, in its Draft Decision that Meta IE did not rely, and did not seek to rely, on the complainant’s consent to process personal data in connection with the Terms of Use[242] and is not legally obliged to rely on consent to do so.[243]<br />
<br />
<br />
139. The IE SA accepts that Meta IE never sought to obtain consent from users through the clicking of the “Agree to Terms” button, based also on Meta IE’s confirmation thereto.[244]<br />
<br />
<br />
140. The IE SA distinguishes between agreeing to a contract (which may involve the processing of data) and providing consent to personal data processing specifically for the purposes of legitimising that personal data processing under the GDPR.[245] The IE SA observes that, as noted by the EDPB, these are entirely different concepts which “have different requirements and legal consequences”.[246]<br />
<br />
<br />
141. The IE SA also emphasises that there is no hierarchy between the legal basis that controllers may use to process personal data under the GDPR.[247] The IE SA further argues that neither Article 6(1) GDPR nor any other provision in the GDPR require that the processing of data in particular contexts must necessarily be based on consent.[248] The IE SA argues the GDPR does not provide that the specific nature and content of a contract, freely entered into by two parties, requires a higher category or “default” legal basis. The IE SA includes reference to the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR which assert that where data processing is necessary to perform a contract, consent is not an appropriate lawful basis on which to rely.[249]<br />
<br />
<br />
142. The IE SA considers Article 7 GDPR and its conditions do not in and of themselves indicate the legal basis on which a controller should rely on in a particular context. The IE SA contends that these conditions would only be relevant where the controller relies upon consent as the legal basis for its processing, which it views as not being the case for the processing of data by Meta IE in question.[250]<br />
<br />
<br />
<br />
<br />
<br />
[242] Draft Decision, paragraphs 43 and 60.<br />
[243] Draft Decision, paragraphs 59-60.<br />
[244] Draft Decision, paragraphs 40 and 42, as well as 56.<br />
[245] Draft Decision, paragraph 52.<br />
[246] Draft Decision, paragraph 47.<br />
[247] Draft Decision, paragraphs 48-50.<br />
[248] Draft Decision, paragraph 50.<br />
[249] Draft Decision, paragraph 52.<br />
[250] Draft Decision, paragraph 57.<br />
<br />
<br />
<br />
5.2 Summary of the objections raised by the CSAs<br />
<br />
143. The AT, DE, ES, FI, FR and NL SAs object to the assessment in the Draft Decision on consent, leading to Finding 1 of the IE SA.[251] These SAs put forward several factual and legal arguments for the changes they propose to the Draft Decision.<br />
<br />
<br />
144. The SE SA holds that if the EDPB were to find that the processing can rely on Article 6(1)(b) GDPR, the investigation needs to encompass whether special categories of personal data pursuant to Article 9(1) GDPR are processed, since the performance of a contract is not an exemption pursuant to Article 9(2) GDPR. Since the SE SA presents its objection as being contingent on whether the EDPB finds that the data processing in Instagram, based on its Terms of Use, can rely on Article 6(1)(b) GDPR[252] and the EDPB finds that Meta IE inappropriately relied on Article 6(1)(b) GDPR (see above in Section 4.4.2), the SE SA objection is no longer applicable.<br />
<br />
<br />
Arguments on the finding of the LSA that Meta IE is not legally obliged to rely on consent<br />
<br />
145. The AT, DE and NL SAs consider that the IE SA has not included enough analysis, evidence and research in the Draft Decision to conclude that Meta IE is not legally obliged to rely on consent to process the complainants’ data.[253]<br />
<br />
146. The AT SA points out that the IE SA limits its facts and its legal assessment to the general question whether Article 6(1)(b) GDPR can be used as legal basis, specifically for behavioural advertising. The Draft Decision does not clarify which data categories are being used for behavioural advertising and where Meta IE relies on Articles 6(1)(a) and 6(1)(b) GDPR for behavioural advertising. Also unaddressed is, if and to which extent Meta IE relies on Article 9(2)(a) GDPR for behavioural advertising as far as sensitive data are concerned and whether Meta IE respected the GDPR conditions (for example, Article 7 GDPR) when obtaining the consent pursuant to Article 6(1)(a) and Article 9(2)(a) GDPR. The AT SA argues that the Draft Decision did not address the part of the complaint on the differences between “consent” and “contractual performance” and regarding Article 9 GDPR.[254]<br />
<br />
<br />
147. Even though the DE SAs share the IE SA’s finding that Meta IE did not rely on consent for the processing of data as described in the Instagram Terms of Use, the DE SAs object against the IE SA’s assessment that in the specific case at issue Meta IE was not legally obliged to obtain consent from the Complainant.[255] The DE SAs further add, also in relation to the potential use of Article 6(1)(f) GDPR as a legal basis, that further investigations on the specific processing activities, purposes and their risks for rights and freedoms of the Complainant would be necessary to conclude an assessment on the applicable legal basis.[256]<br />
<br />
<br />
148. The NL SA notes its view that there is lack of any substantive investigation into what kind of personal data is being processed besides relying on information submitted by the controller.[257] The NL SA considers that there are clear indications that consent is legally required for (parts of) the processing operations of the controller, and that the IE SA could thus draw a different conclusion on the basis of further inquiries and analysis.[258] The NL SA considers that the Draft Decision should be amended if a further inquiry by the IE SA establishes that the reliance on consent as a legal ground is mandatory.[259]<br />
<br />
[251] AT SA Objection, p. 9-11; DE SA Objection, p. 2-9; ES SA Objection, p. 2-3; FI SA Objection, paragraphs 36-44; FR SA Objection, paragraphs 21-31; NL SA Objection, paragraphs 20-27.<br />
[252] SE SA Objection, p. 3-4.<br />
[253] AT SA Objection, p. 10; DE SA Objection, p. 7-9; NL SA Objection, paragraph 21.<br />
[254] AT SA Objection, p. 10.<br />
[255] DE SAs Objection, p. 7-8.<br />
[256] DE SAs Objection, p. 8-9.<br />
[257] NL SA Objection, paragraph 25.<br />
<br />
149. In addition, the DE and FR SAs consider that even if Meta IE had relied on consent, it would not have met the requirements of Article 7(1) GDPR as being “freely given”, as it is conditional on the use of their services as a whole (“take it or leave it”). Nor would consent meet the requirements of Article 7(2) GDPR since, as the IE SA finds, information on the processing of data as described in the Terms of Use, is not provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.[260]<br />
<br />
<br />
Arguments on the possible breach of the obligation to rely on consent to process special categories of personal data (Article 9 GDPR)<br />
<br />
150. The AT, DE, ES, FI, FR and NL SAs consider that the IE SA should have identified and separately assessed any processing of special categories of personal data under Article 9 GDPR in the context of Instagram Terms of Use.[261] The DE SAs conclude that Meta IE processes the complainant’s special categories of data in breach of Article 9(1) GDPR.[262] The AT, ES, FI, FR and NL SAs take the view that the IE SA should broaden the scope of its investigation and examine whether the conditions for the processing of special categories of personal data have been met by Meta IE.[263]<br />
<br />
<br />
151. The AT, ES, FI, FR and NL SAs consider that the factual background of the Draft Decision misses facts on whether Meta IE relies on Article 9(1)(a) GDPR to process special categories of personal data for the purpose of behavioural advertising and whether Meta IE respects the requirements of the GDPR, such as those of Article 7, in obtaining consent to that end.[264]<br />
<br />
<br />
152. The FR and NL SAs argue that the data that Meta IE processes may include special categories of personal data under Article 9 GDPR.[265] The DE SAs contend that nothing indicates that Meta IE excludes these categories of data from its processing for advertising purposes.[266]<br />
<br />
153. The FR SA notes that Instagram users can provide various sensitive data about themselves, including their sexual orientation, religious views and political opinions in the description of their profile. The FR SA considers that the IE SA cannot simply state that it has no evidence that Meta IE processes such data in the context of the Instagram service. In order to deal with the complaint, the FR SA asks for further investigation, in particular it asks the LSA to examine whether sensitive data are processed by the controller and, if so, whether one of the conditions of Article 9(2) GDPR is met in this case.[267]<br />
<br />
[258] NL SA Objection, paragraph 25.<br />
[259] NL SA Objection, paragraph 25.<br />
[260] DE SAs Objection, p. 8; FR SA Objection, paragraphs 24-29.<br />
[261] AT SA Objection, p. 9-10; DE SAs Objection, p. 7; ES SA Objection, p. 2-3; FI SA Objection, paragraphs 36-38, 41; FR SA Objection, paragraphs 30-31; NL SA Objection, paragraphs 24-26.<br />
[262] DE SAs Objection, p. 7, 10.<br />
[263] AT SA Objection, p. 9; ES SA Objection, p. 2-3; FI SA Objection, paragraphs 41-42; FR SA Objection, paragraph 31; NL SA Objection, paragraph 25.<br />
[264] AT SA Objection, p. 9; ES SA Objection, p. 2-3; FI SA Objection, paragraph 41; FR SA Objection, paragraph 30; NL SA Objection, paragraph 25.<br />
[265] FR SA Objection, paragraph 30; NL SA Objection, paragraph 24.<br />
[266] DE SAs Objection, p. 7.<br />
<br />
<br />
154. The NL SA argues that there is strong indication that some data processed in the context of the Instagram service actually belongs to a special category of data considering “photographs and other images that are, or were, potentially processed with use of facial recognition technology and other artificial intelligence technologies in the context of Facebook services”.[268] The NL SA highlights that according to the CJEU ruling in case C-136/17 the mere indexing of certain data could already suffice to conclude that Article 9 GDPR applies.[269]<br />
<br />
<br />
155. The DE and NL SAs recall that only consent may be used in this context among the exceptions that Article 9(2) GDPR lays down to the general prohibition of processing special categories of data.[270] The FI SA recalls that the performance of a contract is not an exception pursuant to Article 9(2) GDPR.[271]<br />
<br />
<br />
Arguments on other types of data requiring consent<br />
<br />
156. The NL SA identifies as another indicator contradicting the IE SA’s conclusion that there is no obligation to seek consent the fact that the controller processes a significant amount of personal data that has been collected through cookies for online advertising purposes and of location data.[272]<br />
<br />
<br />
Risks<br />
<br />
157. On the risks posed by the Draft Decision, the DE SAs consider that, as the subject of the complaint was the processing as described in the Instagram Terms of Use there is also a significant risk for the fundamental rights and freedoms of all Instagram users in the European Union that their personal data, including data of special categories are processed without any legal basis.[273] The AT SA also considers that the compliance of Meta IE with the GDPR rules on the processing of special categories of data goes beyond the case at stake and affects hundreds of millions of data subjects within the EEA, as Meta IE is the provider of the biggest media network in the world.[274]<br />
<br />
<br />
158. The AT, DE, FI, FR and NL SAs argue that the IE SA’s conclusion that consent is not required affects the rights of data subjects and their control over their personal data.[275]<br />
<br />
<br />
159. The AT SA argues that the first risk is that the data subject’s right to lodge a complaint with a supervisory authority pursuant to Article 77(1) GDPR becomes ineffective because the IE SA did not handle the complaint in its entire scope, including sensitive data pursuant to Article 9 GDPR. The AT SA argues that this is not in line with the CJEU ruling in case C-311/18, which provides that the supervisory authority must handle complaints with all due diligence.[276]<br />
<br />
[267] FR SA Objection, paragraph 30.<br />
[268] NL SA Objection, paragraph 25.<br />
[269] NL SA Objection, paragraph 26.<br />
[270] DE SAs Objection, p. 7; NL SA Objection, paragraph 24.<br />
[271] FI SA Objection, paragraph 40.<br />
[272] NL SA Objection, paragraphs 22-23, 27.<br />
[273] DE SAs Objection, p. 9.<br />
[274] AT SA Objection, p. 9.<br />
[275] AT SA Objection, p. 11; DE SAs Objection, p. 9; FI SA Objection, paragraph 43; FR SA Objection, paragraph 34; NL SA Objection, paragraphs 30-31.<br />
<br />
<br />
160. The FR SA argues that the Draft Decision poses a risk to the fundamental rights and freedoms of the individuals concerned, according to Article 4(24) GDPR, insofar as the legal basis of contractual performance to process the personal data of Instagram users to send them targeted advertising does not allow the European users to have control over the fate of their data.[277] The FR SA also notes that since the Draft Decision will be taken at the end of a cooperation procedure and made public, it could be interpreted as reflecting the common position of the European supervisory authorities on this issue, and setting a precedent for accepting that a company may use the legal basis of the contract to process its users’ data for targeted advertising purposes when such processing is particularly massive and intrusive.[278]<br />
<br />
<br />
161. The NL SA specifies the protections from which the data subjects would be deprived due to the IE SA’s conclusion that consent is not required, such as the right to data portability (Article 20(1) GDPR); the possibility to specifically consent to certain processing operations and not to others and to the further processing of personal data (Article 6(4) GDPR); the freedom to withdraw consent (Article 7 GDPR) and the subsequent right to be forgotten.[279]<br />
<br />
<br />
162. The AT, DE, FI and NL SAs note as an additional risk that sensitive personal data falling within the scope of Article 9 GDPR is processed without meeting the requirements of Article 9(2) GDPR.[280]<br />
<br />
<br />
163. The FI SA highlights that the will of the legislator has been to protect the Article 9 GDPR special category data with a duty of care and if there is any reasonable doubt that Meta IE has no legal basis for processing operations of such sensitive data of the Instagram users, the said claim needs to be properly investigated or otherwise the lack of investigation would negatively affect hundreds of millions of Instagram users within the EEA and undermine their right to privacy and data protection.[281]<br />
<br />
<br />
164. The NL SA underlines the risk that allowing the bypassing of legal provisions requiring consent to process data creates legal uncertainty that hampers the free flow of personal data within the EU.[282]<br />
<br />
<br />
165. The NL SA also argues that not assessing the processing in a sufficiently thorough manner could create a precedent for controllers to exclude from their privacy policies or terms of service processing operations that must be based on consent. This would risk leaving data subjects with a reduced degree of transparency.[283]<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
[276] AT SA Objection, p. 10-11.<br />
[277] FR SA Objection, paragraph 34.<br />
[278] FR SA Objection, paragraph 35.<br />
[279] NL SA Objection, paragraph 33.<br />
[280] AT SA Objection, p. 11; FI SA Objection, paragraph 43; DE SAs Objection, p. 9; NL SA Objection, paragraph 33.<br />
[281] FI SA Objection, paragraph 43.<br />
[282] NL SA Objection, paragraph 33.<br />
[283] NL SA Objection, paragraph 30.<br />
<br />
<br />
<br />
5.3 Position of the LSA on the objections<br />
<br />
166. The IE SA considers the objections not reasoned and does not follow them.[284]<br />
<br />
<br />
167. The IE SA argues that the scope of the inquiry is appropriate and relates to the issues raised in the complaint. It also argues that finding of additional infringements which have not been fully investigated or put to the controller would impose a risk of procedural unfairness by depriving the controller of its right to be heard in response to a particularised allegation of wrongdoing.[285]<br />
<br />
<br />
168. The IE SA notes that it has discretion to determine the framework of the inquiry, taking into account the scope of the written complaint as lodged. The IE SA argues that it would not have been possible to assess each discrete processing operation by Meta IE, without first resolving the fundamental dispute between the parties on the interpretation of Article 6(1) GDPR. The IE SA considers that it would have been inappropriate and disproportionate for it to undertake an open-ended assessment of all of Meta IE’s processing operations related to the Instagram Terms of Use to handle the complaint.[286]<br />
<br />
169. The IE SA argues that its analysis of Article 6(1)(b) GDPR does not preclude the possibility that certain discrete processing operations by Meta IE may fall outside the scope of Article 6(1)(b) GDPR. The IE SA finds it reasonable and practical to set the scope of the inquiry, focusing on the principled issues of dispute, which it considers as not prejudicing the operation of more specific data protection rules.[287]<br />
<br />
<br />
170. The IE SA considers that the reference to Article 9 GDPR processing by Meta IE is an element of what it views as the Complainant’s fundamental allegation, i.e. that the agreement to the Terms of Use was a form of GDPR consent to processing of personal data, including consent to the processing of special categories of data. The IE SA argues that since the scope of its inquiry addresses this issue, it is not necessary for it to also conduct an indiscriminate and open-ended assessment of Meta IE’s processing that may otherwise fall within the scope of Article 9 GDPR.[288]<br />
<br />
171. The IE SA notes that under Irish national law, there would be a very significant risk of procedural unfairness to Meta IE if the IE SA assumed, without any further factual examination, that Meta IE unlawfully processes special categories of personal data.[289]<br />
<br />
<br />
172. According to the IE SA, the CSAs objecting to the Draft Decision intend to maximise the complainant’s rights by requiring consent-based processing for certain processing operations and thus prioritising it over other legal basis. The IE SA considers that very extensive data protection rights also apply under the GDPR where the processing is based on Article 6(1)(b) or Article 6(1)(f) GDPR. The IE SA contends that the variation in the extent of data subject rights and protections, depending on the applicable legal basis, is an inherent element of the legislative scheme of the GDPR. The IE SA considers that Article 6 GDPR does not provide that the “appropriate” data subject rights determine the legal basis for processing. The IE SA notes that separate to the user’s acceptance of the Terms of Use, Meta IE relies on different “acts” of consent for specific aspects of the service, including personalised advertising based on users’ off-Instagram activities. In this regard, the IE SA states that the complaint in this case was about the agreement to the Terms of Use and the processing it entails once accepted.[290]<br />
<br />
[284] Composite Response, paragraphs 36 and 48.<br />
[285] Composite Response, paragraph 97.<br />
[286] Composite Response, paragraph 26.<br />
[287] Composite Response, paragraph 27.<br />
[288] Composite Response, paragraph 28.<br />
[289] Composite Response, paragraphs 32-33.<br />
<br />
<br />
173. The IE SA argues that the objections are inconsistent with the principle of legal certainty, as cited in Recital 7 GDPR. The IE SA indicates that it is not satisfied that the GDPR requires the limitation of processing for the purposes of behavioural advertising to situations where processing is based on data subject consent.[291] The IE SA contends that interpretative approach of the CSAs raising objections would result in the arbitrary application of more restrictive data protection rules for reasons that are not found in the GDPR. The IE SA also states that this approach does not take due account of the extensive data protection rights which apply to all legal bases under the GDPR. The IE SA asserts that it is not open to the supervisory authorities to create additional binding limitations on the applicable legal basis for the processing of data for behavioural advertising. The IE SA states that it is the legislator, not the supervisory authorities, which has defined the conditions for lawful processing.[292]<br />
<br />
<br />
5.4 Assessment of the EDPB<br />
<br />
<br />
5.4.1 Assessment of whether the objections were relevant and reasoned<br />
174. The EDPB responds to Meta IE’s primary arguments to the contrary in Section 4.4.1 above.[293]<br />
<br />
<br />
[290] Composite Response, paragraph 46.<br />
[291] Composite Response, paragraph 47.<br />
[292] Composite Response, paragraph 47.<br />
[293] Meta IE argues that “Objections which raise matters which are not within the Defined Scope of Inquiry are not ‘relevant and reasoned’ within the meaning of Article 4(24) GDPR” and such objections “ought to be disregarded in their entirety by the EDPB”. The EDPB does not share this understanding, as explained above. See paragraphs 73-75 of this Binding Decision above. In particular, the EDPB recalls that the analysis of whether a given objection meets the threshold set by Art. 4(24) GDPR is carried out on a case-by-case basis. More specifically, in contrast to the objections referred to by Meta IE that did not “establish a direct connection with the specific legal and factual content of the Draft Decision” (Binding Decision 2/2022 paragraphs 139, 147, 164) here, each CSA has made several clear links with the content of the Draft Decision, as is described in paragraphs 143, 145-147 and 150-151 of this Binding Decision. Moreover, while the objections referenced by Meta IE in paragraph 4.9 of its Article 65 submissions were found not to be relevant and/or reasoned in the Binding Decision 2/2022 as they did “not provide sufficiently precise and detailed legal reasoning regarding infringement of each specific provision in question”, did not explain sufficiently clearly, nor substantiate in sufficient detail how the conclusion proposed could be reached, or did not sufficiently demonstrate the significance of the risk posed by the Draft Decision for the rights and freedoms of the data subjects or the free flow of data within the EU (Binding Decision 2/2022, paragraphs 140, 148, 165), as regards the objections analysed in this section, the AT, DE, FI, FR and NL SAs provide a number of legal and factual arguments and explanations as to why an infringement for lack of appropriate legal basis is to be established, and adequately identify the risk posed by the Draft Decision if it was adopted unchanged (paragraphs 145-165 of this Binding Decision).<br />
[294] AT SA Objection, p. 9; DE SAs Objection, pp. 8-9; ES SA Objection, pp. 2-3; FI SA Objection, paragraphs 36-37; FR SA Objection, paragraph 30; NL SA Objection, paragraph 21.<br />
<br />
175. The AT, DE, ES, FI, FR and NL SAs objections analysed in this section have a direct connection with the Draft Decision and refer to a specific part of the Draft Decision, i.e. Finding 1. The AT, DE, ES, FI, FR and NL SAs argue that the IE SA has not carried out enough investigation and legal analysis in the Draft Decision to conclude that Meta IE is not legally obliged to rely on consent to process the complainants’ data.[294] According to these CSAs, the IE SA should have identified and separately assessed any processing of special categories of personal data in Instagram Terms of Use.[295] The NL SA argues that processing operations concerning location data and the use of tracking technologies on users devices<br />
should have investigatedandassessed bythe IESA aswell 29.The AT, FI,FR andNL SAs consider that<br />
<br />
the IE SA should broaden the scope of its investigationand examine whether the conditions for the<br />
processing ofspecialcategoriesofpersonaldatahavebeenmetbyMetaIEinrelationtotheInstagram<br />
297<br />
service . The DE, FR and NL SAs argue that the data that Meta IE’sprocesses may include special<br />
categoriesofpersonaldataunder Article 9 GDPR 298.Theycontendthatnothing indicatesthatMetaIE<br />
<br />
excludes these categoriesof datafrom itsprocessing for advertising purposes. The AT,DE,ES, FI and<br />
FR SAs highlight thatthe issue falls within the remitof the complaint since the complainant allegeda<br />
potentialviolationof Article9 GDPRandshould thereforebe investigatedandassessed bythe LSA 29.<br />
<br />
The AT, DE, ES, FI and FR SAs challenge the reasoning underling the conclusion reached by the LSA.<br />
This assessment could lead to a different conclusion insofar as the IE SA would fully cover the<br />
<br />
complaint and include factsanda legalassessment on the Instagram’sservice processing operations<br />
towhich Article6(1)(a), Articles7 and9 GDPRmayapply, whichmayrevealaninfringement byMeta<br />
<br />
IE300.<br />
<br />
<br />
176. Consequently, the EDPB finds that the AT, DE, ES, FI, FR and NL SAs objections relating to Finding 1, which states that Meta IE is not required to rely on consent to deliver the Instagram Terms of Use and its underlying reasoning, are relevant [301].<br />
<br />
177. The AT, DE, FI, FR and NL SAs objections are reasoned because they include clarifications and arguments on legal/factual mistakes in the LSA’s Draft Decision that require amending. The AT, DE, FI, FR and NL SAs consider that the IE SA should have identified and separately assessed any processing of special categories of personal data under Article 9 GDPR in the context of Instagram Terms of Use [302]. In particular, the DE, FR and NL SAs argue that the data that Meta IE processes may include special categories of personal data under Article 9 GDPR and that nothing indicates that Meta IE excludes these categories of data from its processing for advertising purposes [303]. The AT, DE, ES, FR and NL SAs recall that only consent may be used in this context among the exceptions that Article 9(2) GDPR lays down to the general prohibition of processing special categories of data [304]. The FI SA recalls that EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR state that the WP29 has observed that Article 9(2) GDPR does not recognise “necessary for the performance of a contract” as an exception to the general prohibition to process special categories of data [305]. The NL SA identifies as another indicator contradicting the IE SA’s conclusion that there is no obligation to seek consent the fact that the controller processes a significant amount of personal data that has been collected through cookies for online advertising purposes and of location data [306]. The NL SA also argues that the IE SA should have investigated further into the safeguards that are implemented by the controller to address the specific interests of children [307]. Lastly, the NL SA states that the information shared by users on Instagram may contain personal data concerning the health of individual users and mentions the ruling of the CJEU in case C-136/17 stating that the mere indexing of certain data could already suffice to conclude that Article 9 of the GDPR applies [308].<br />
<br />
[295] AT SA Objection, p. 9; DE SAs Objection, p. 7; FI SA Objection, paragraph 37; FR SA Objection, paragraph 30; NL SA Objection, paragraph 25.<br />
[296] NL SA Objection, paragraphs 22-23 and 27.<br />
[297] AT SA Objection, p. 9; FI SA Objection, paragraph 41; FR SA Objection, paragraph 30; NL SA Objection, paragraph 25.<br />
[298] DE SAs Objection, p. 7; FR SA Objection, paragraph 30; NL SA Objection, paragraphs 24-25.<br />
[299] AT SA Objection, p. 9; DE SAs Objection, p. 7; ES SA Objection, p. 2; FI SA Objection, p. 42; FR SA Objection, paragraph 30.<br />
[300] See EDPB Guidelines on RRO, paragraph 15 and EDPB Guidelines on Article 65(1)(a) GDPR, paragraph 40 and Sub-sections 4.2, 4.2.3-4.2.5.<br />
[301] See paragraphs 143, 145 and 150 of this Binding Decision.<br />
[302] AT SA Objection, p. 9; DE SAs Objection, p. 7; FR SA Objection, paragraph 30; NL SA Objection, paragraph 25.<br />
[303] DE SAs Objection, p. 7; FR SA Objection, paragraph 30; NL SA Objection, paragraphs 24-25.<br />
[304] AT SA Objection, pp. 9-10; DE SAs Objection, p. 7; ES SA Objection, pp. 2-3; FR SA Objection, paragraph 31; NL SA Objection, paragraph 24.<br />
[305] FI SA Objection, paragraph 40.<br />
<br />
178. On the risks posed by the Draft Decision, the AT, DE, FI, FR and NL SAs explain that the IE SA’s Finding 1 providing that consent is not required puts at risk the rights of data subjects and their control over their personal data [309]. The AT SA mentions the risk that the data subject’s right to lodge a complaint with a supervisory authority pursuant to Article 77(1) GDPR becomes ineffective because the IE SA does not handle it in its entire scope, including special categories of data under Article 9 GDPR [310]. The FR SA argues that the Draft Decision could set a precedent for accepting the use of the contractual performance legal basis to process users’ data for targeted advertising purposes, which it views as particularly massive and intrusive [311]. The NL SA specifies that the data subjects could be deprived of the following protections derived from the use of consent: the right to data portability (Article 20(1) GDPR); the possibility to specifically consent to certain processing operations and not to others and to the further processing of personal data (Article 6(4) GDPR); the freedom to withdraw consent (Article 7 GDPR) and the subsequent right to be forgotten [312]. The AT, DE, FI and NL SAs also note as an additional risk that special categories of personal data falling within the scope of Article 9 GDPR are processed without meeting the requirements of Article 9(2) GDPR [313]. The NL SA also underlines the data protection deficits that are foreseeable with a switch from consent to contract legal basis and the risk that this conclusion would create legal uncertainty that hampers the free flow of personal data within the EU [314]. The NL SA further adds the risk that the decision could create by setting a precedent for controllers to exclude from their privacy policies or terms of service processing operations based on consent, thus undermining the principle of transparency [315]. The ES SA does not describe any risk on this specific topic in its objection [316].<br />
<br />
179. On the basis of the above considerations, the EDPB finds that the objections raised by the AT, DE, FI, FR and NL SAs concerning the conclusions in the Draft Decision about the fact that Meta IE is not obliged to rely on consent to process the complainant’s data, are relevant and reasoned objections under Article 4(24) GDPR.<br />
<br />
180. However, the part of the NL SA objection asking the IE SA to include in its Draft Decision the elements concerning the need to rely on consent for the placing of tracking technology on end users’ devices under ePrivacy legislation falls outside the scope of the EDPB’s mandate [317].<br />
<br />
[306] NL SA Objection, paragraphs 22-23 and 27.<br />
[307] NL SA Objection, paragraph 34.<br />
[308] NL SA Objection, paragraph 26.<br />
[309] AT SA Objection, pp. 10-11; DE SAs Objection, p. 9; FI SA Objection, pp. 9-10; FR SA Objection, p. 7; NL SA Objection, pp. 9-11.<br />
[310] AT SA Objection, p. 10.<br />
[311] FR SA Objection, paragraph 35.<br />
[312] NL SA Objection, paragraph 33.<br />
[313] AT SA Objection, p. 11; DE SAs Objection, p. 9; FI SA Objection, paragraph 43; NL SA Objection, paragraph 33.<br />
[314] NL SA Objection, paragraphs 32-33.<br />
[315] NL SA Objection, paragraph 30.<br />
[316] ES SA Objection, p. 3.<br />
<br />
181. Finally, the EDPB considers that the objection raised by the ES SA regarding the potential infringement of Article 9 GDPR is not sufficiently reasoned with reference to the significance of the risks posed by the Draft Decision at stake and, therefore, the objection of the ES SA does not meet the threshold provided for by Article 4(24) GDPR.<br />
<br />
5.4.2 Assessment on the merits<br />
<br />
182. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.<br />
<br />
183. The EDPB considers that the objections found to be relevant and reasoned in this subsection [318] require an assessment of whether the Draft Decision needs to be changed on its Finding 1, which concludes that Meta IE has (a) not sought to rely on consent to process personal data to deliver the Terms of Use and (b) is not legally obliged to rely on consent in order to do so. When assessing the merits of the objections raised, the EDPB also takes into account Meta IE’s position on the objections and its submissions.<br />
<br />
Meta IE’s position on the objections and its submissions<br />
<br />
184. In its submissions, Meta IE supports the IE SA’s conclusion that Meta IE does not rely on consent for the purposes of behavioural advertising and is not required to rely on it [319].<br />
<br />
185. Meta IE states that it does not seek or rely on consent as its legal basis for purposes of processing personal data to provide behavioural advertising, except in limited circumstances where Meta IE separately obtains consent, yet not through users’ acceptance of the Terms of Use [320]. Meta IE claims that it explains in its Data Policy to data subjects that Meta IE relies on consent under Article 6(1)(a) GDPR “[f]or using data that advertisers and other partners provide us about [users’] activity off of Meta Company Products, so we can personalise ads we show [them] on Meta Company Products and on websites, apps and devices that use our advertising services” and that it has a separate process for obtaining this consent in a manner that satisfies the requirements of Article 4(11) and Article 7 GDPR and which is “entirely separate from any interaction by users with the Terms of Use or Data Policy, is not part of the Complaint and has not been examined” in the IE SA’s inquiry [321]. Meta IE submits that the Complaint is limited to the question of whether Meta IE seeks forced consent to data processing through acceptance of the Terms of Use. Meta IE then asserts that since it does not seek, obtain, or rely on consent as a legal basis under Article 6(1)(a) GDPR to process user data via acceptance of the Terms of Use, the inquiry should end there and all unrelated assertions in the objections should be disregarded [322].<br />
<br />
[317] NL SA Objection, paragraphs 7-8.<br />
[318] These objections being those of the AT, DE, FI, FR and NL SAs, disagreeing with the IE SA’s Finding 1, which states that Meta IE is not required to rely on consent to deliver the Instagram Terms of Use and its underlying reasoning.<br />
[319] Meta IE Article 65 Submissions, paragraphs 5.2 and 5.6.<br />
[320] Meta IE Article 65 Submissions, paragraph 5.4.<br />
[321] Meta IE Article 65 Submissions, Footnote 61 and paragraph 6.27.<br />
<br />
<br />
186. Meta IE alleges that some CSAs suggest that behavioural advertising must in all cases be based on consent, and in doing so, the CSAs suggest an approach that mandates Meta IE to rely on consent for “its data processing for purposes of behavioural advertising (or any other purpose)” [323]. Meta IE agrees with the IE SA’s assertion that any approach limiting the legal basis on which a controller could rely would not be consistent with the principle of legal certainty [324]. Meta IE considers that the GDPR was drafted in a way that protects data subjects while affording flexibility to controllers and that its application is highly dependent on facts and circumstances underlying the relevant processing and the nature of the service providers [325]. Meta IE contends that the GDPR contains no express references to behavioural advertising and establishes no specific limitations on the available legal basis for such processing; it is technology neutral and does not include specific derogations or rules for any one specific industry [326].<br />
<br />
187. With regard to the consideration that consent as a legal basis provides more extensive data protection rights, Meta IE argues that in defining the conditions for lawful processing, the EU legislature has ensured that appropriate data protection rights would be afforded to data subjects no matter what legal basis is relied on and extensive data protection rights apply to all legal bases [327]. Meta IE supports the IE SA’s view that Article 6(1) GDPR does not require legal bases to be determined by reference to the applicable data subject rights for each basis [328].<br />
<br />
EDPB’s assessment on the merits<br />
<br />
188. The EDPB notes that the IE SA’s Draft Decision submitted via the Article 60 GDPR procedure results from an inquiry that the IE SA conducted based on a complaint from a data subject and Instagram user [329]. The BE SA forwarded this complaint to the IE SA as LSA in the case, given Meta IE’s main establishment in Ireland.<br />
<br />
189. In this complaint, the Complainant alleges that Meta IE violated Articles 5, 6, 7 and 9 GDPR. The Complainant argues that it is unclear to what the data subject has consented when the data subject agreed to Instagram Terms of Use and Privacy Policy [330]. More specifically, the Complainant points out that it remains unclear which exact processing operations the controller chooses to base on each specific legal basis under Articles 6 and 9 GDPR [331]. The Complainant argues that the Terms of Use and Privacy Policy also include special categories of data under Article 9(1) GDPR because the data subject, as an Instagram user, has interacted with various groups and individuals, which would accordingly reveal the data subject’s political affiliation, sexual orientation, health condition, etc. [332]. The Complainant claims that the controller also allows such information to be targeted for advertisement [333]. The Complainant considers that it would be necessary for the SA to investigate the concrete subject of the alleged consent and the legal basis for all processing operations and to request the record of processing activities under Article 30(4) GDPR [334].<br />
<br />
[322] Meta IE Article 65 Submissions, paragraph 5.8.<br />
[323] Meta IE Article 65 Submissions, paragraph 5.2.<br />
[324] Meta IE Article 65 Submissions, paragraph 5.14.<br />
[325] Meta IE Article 65 Submissions, paragraph 5.15.<br />
[326] Meta IE Article 65 Submissions, paragraph 5.15.<br />
[327] Meta IE Article 65 Submissions, paragraph 5.16.<br />
[328] Meta IE Article 65 Submissions, paragraphs 5.16-5.17.<br />
[329] Draft Decision, paragraph 3; Schedule to the Draft Decision, paragraphs 12 and 19.<br />
[330] Complaint, pp. 1-2.<br />
[331] Complaint, pp. 1-2.<br />
[332] Complaint, pp. 1-2.<br />
<br />
190. Based on the scope of the IE SA’s investigation into this complaint, the EDPB considers that the IE SA decided to limit the scope of its Draft Decision to the following legal issues:<br />
<br />
o Issue 1 – Whether clicking on the “Agree to Terms” button constitutes or must be considered consent for the purposes of the GDPR and, if so, whether it is valid consent for the purposes of the GDPR.<br />
<br />
o Issue 2 – Whether Meta IE could rely on Article 6(1)(b) GDPR as a lawful basis for processing of personal data in the context of Terms of Use and/or Data Policy.<br />
<br />
o Issue 3 – Whether Meta IE provided the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent manner [335].<br />
<br />
191. The IE SA argues that it has discretion to determine the framework of the inquiry taking into account the scope of the written complaint as lodged [336]. The IE SA considers that it would not have been possible to undertake an assessment of each discrete processing operation by Meta IE without first resolving the fundamental dispute between the parties on the interpretation of Article 6(1) GDPR [337]. In relation to the processing of Article 9 GDPR categories of data, the IE SA considers that the inquiry has addressed the fundamental issue of principle on which the complaint depends, and this makes it unnecessary to conduct an indiscriminate and open-ended assessment of processing falling within the scope of this Article [338]. The IE SA thus concludes that Meta IE has (a) not sought to rely on consent in order to process personal data to deliver the Terms of Use and (b) is not legally obliged to rely on consent in order to do so, based on the submissions of the Parties and Instagram Terms of Use [339]. The IE SA warns CSAs on the legal risks derived from asking through the objections to expand the material scope of the inquiry and thus cover infringements outside of the complaint and Draft Decision that the IE SA has not investigated (pursuant to its own decision to limit the scope of the inquiry) and put to Meta IE [340].<br />
<br />
192. The EDPB notes that the Complaint makes plain the confusion of the Instagram user over which of the user’s special categories of data are processed, for which purposes and on which basis.<br />
<br />
193. The Instagram Terms of Use themselves note in general terms “Providing our Service requires collecting and using your information. The Data Policy explains how we collect, use, and share information across the Facebook Products” [341] (service which includes “Offering personalized opportunities to create, connect, communicate, discover, and share” and “Connecting you with brands, products, and services in ways you care about” [342]). The Instagram Terms of Use include a reference to a separate document “the Data Policy” [343], which lists under the heading “Things you and others do and provide”: “Data with special protections: You can choose to provide information in your Facebook profile fields or Life Events, about your religious views, political views, who you are ‘interested in’ or your health. This and other information (such as racial or ethnic origin, philosophical beliefs or trade union membership) is subject to special protections under EU law” [344]. The Data Policy describes the purposes for which these data are processed in very general terms such as “Provide, personalize and improve our products” and “to select and personalize ads, offers and other sponsored content that we show you” [345] with no specific reference to the specific processing operations and categories of data each purpose would cover. Meta IE thus seems to acknowledge in its Data Policy [346] that it uses special categories of data for behavioural advertising purposes, without specifying the “special protections under EU law” that it would apply to such processing. Meta IE only includes a general reference to consent among other legal bases in the same page [347], which includes a link to a separate facebook.com page mentioning the use of consent on data with special protection and referring to the Instagram Settings [348].<br />
<br />
[333] Complaint, p. 4.<br />
[334] Complaint, pp. 7 and 16.<br />
[335] Draft Decision, paragraph 30.<br />
[336] Composite Response, paragraph 26.<br />
[337] Composite Response, paragraph 26.<br />
[338] Composite Response, paragraph 28.<br />
[339] Draft Decision, paragraph 60; Finding 1.<br />
[340] Composite Response, paragraphs 30-33 and 35.<br />
<br />
<br />
194. The IE SA finds that the way in which Meta IE provides, in relation to processing for which Article 6(1)(b) GDPR is relied upon, this information and the lack of information on the specific processing operations, the data involved, their purposes and legal basis constitute an infringement of transparency obligations under the GDPR (Article 5(1)(a), Article 12(1), and Article 13(1)(c) GDPR) [349]. The IE SA considers the complaint in this case to be limited to the Terms of Use and the processing it entails once accepted [350]. In these circumstances, the IE SA accepts at face value Meta IE’s submission on its reliance on different “acts” of consent for discrete aspects of the service separately from the user’s acceptance of the Terms of Use [351]. The IE SA does not engage in any further examination or verification on how consent is sought in the case of processing carried out to provide discrete aspects of the service. The IE SA also does not examine or verify whether special categories of data under Article 9 GDPR are processed in the context of the Instagram service and, if so, whether they are subject to these “acts” of consent and thus effectively treated outside the scope of the Terms of Use and the legal basis of Article 6(1)(b) GDPR on which the Terms of Use purportedly rely, or whether some special categories of personal data, as defined by the GDPR and EU case-law [352], are treated under the Instagram Terms of Use.<br />
<br />
[341] Instagram Terms of Use, Section “The Data Policy”.<br />
[342] Instagram Terms of Use, Section “The Instagram Service”.<br />
[343] The document is titled as “Instagram Data Policy”, however it is explained in its chapeau that “[t]his policy describes the information we process to support Facebook, Instagram, Messenger and other products and features offered by Facebook (Facebook Products or Products)”.<br />
[344] Instagram Data Policy, Section “Things you and others do and provide”.<br />
[345] Instagram Data Policy, Section “How do we use this information? - Provide, personalize and improve our Products”.<br />
[346] Instagram Data Policy, Section “Things you and others do and provide” and Section “How do we use this information? - Provide, personalize and improve our Products”.<br />
[347] Data Policy, Section “What is our legal basis for processing data?”.<br />
[348] Facebook website https://www.facebook.com/about/privacy/legal bases.<br />
[349] Draft Decision, Finding 3.<br />
[350] The IE SA mentions in its Schedule to the Draft Decision, paragraphs 134-135: “My view is that [...] the Complaint even taken at its height quite clearly only concerns data processing arising out of the act of acceptance. On this basis, I do not accept that the processing of sensitive categories of personal data on the basis of Article 9 GDPR consent falls within the scope of this Inquiry. There is no evidence that Meta Ireland processes special category data at all in respect of the Instagram service”.<br />
[351] Composite Response, paragraph 46.<br />
<br />
<br />
195. The CJEU asserted recently that the purpose of Article 9(1) GDPR is to ensure an enhanced protection of data subjects for processing, which, because of the particular sensitivity of the data processed, is liable to constitute a particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, guaranteed by Articles 7 and 8 of the Charter [353]. The CJEU adopts a wide interpretation of the terms “special categories of personal data” and “sensitive data” that includes data liable indirectly to reveal sensitive information concerning a natural person [354]. Advocate General Rantos reiterates the importance for the protection of data subjects of Article 9 GDPR and applies the same interpretation to the data processing in social network services for behavioural advertising by stating that “the prohibition on processing sensitive personal data may include the processing of data carried out by an operator of an online social network consisting in the collection of a user’s data when he or she visits other websites or apps or enters such data into them, the linking of such data to the user account on the social network and the use of such data, provided that the information processed, considered in isolation or aggregated, make it possible to profile users on the basis of the categories that emerge from the listing in that provision of types of sensitive personal data” [355].<br />
<br />
196. Therefore, the GDPR and the case-law pay special attention to the processing or potential processing of special categories of personal data under Article 9 GDPR to ensure the protection of the data subjects. In this connection, the Complainant alleges in the Complaint, among others, a violation of Article 9 GDPR and expressly requests the IE SA to investigate Meta IE’s processing operations in the context of the Instagram service covered by this Article [356]. In a subsequent submission on the Preliminary Draft Decision, the Complainant criticises the scope that the IE SA decided to give to the Complaint and its lack of investigation of Meta IE’s processing activities and alleges that the IE SA failed to give due consideration to processing under Article 9 GDPR and other cases in which it relies on consent [357].<br />
<br />
197. In the present case, the IE SA limited its facts and legal assessment in the Draft Decision to the general question of whether Meta IE has (a) sought to rely on consent in order to process personal data to deliver the Terms of Use and (b) if it is legally obliged to rely on consent in order to do so. The IE SA categorically concludes on these questions. At the same time, the IE SA acknowledges a serious lack of transparency by Meta IE, as regards the information provided concerning the processing being carried out in reliance on Article 6(1)(b) GDPR and does not clarify which data categories are being processed for behavioural advertising, if Meta IE processes special categories of data, and if it does, if Meta IE complies with the conditions of Article 9 GDPR and others relevant to the application of this provision (for example, Article 6(1)(a) and Article 7 GDPR).<br />
<br />
[352] See Article 9 GDPR and C-184/20 Vyriausioji tarnybinės etikos komisija.<br />
[353] C-184/20 Vyriausioji tarnybinės etikos komisija, paragraph 126.<br />
[354] C-184/20 Vyriausioji tarnybinės etikos komisija, paragraph 127.<br />
[355] C-252/21 Oberlandesgericht Düsseldorf request, Opinion of the Advocate General on 20 September 2022, ECLI:EU:C:2022:704, paragraph 46.<br />
[356] Complaint, pp. 1-3, 7, 16.<br />
[357] Draft Decision, paragraphs 28-29; Complainant’s Submission on Preliminary Draft Decision in inquiry IN-18-5-5 of 11 June 2021, pp. 11-13 (in a letter to the IE SA of 4 February 2022, p. 2, the Complainant explains that their submissions in IN-18-5-5 on facebook.com should be considered as their submissions in IN-18-5-7 on Instagram and all references should be read accordingly).<br />
<br />
<br />
198. By deciding not to investigate, further to the Complaint, the processing of special categories of<br />
personal data in the context of the Instagram service, the IE SA leaves unaddressed the risks this<br />
<br />
processing poses for the Complainant and for Instagram users. First, there is the risk that the<br />
Complainant’sspecialcategoriesof personaldataareprocessed withinthe Instagramservice tobuild<br />
intimate profiles of them for behavioural advertising purposes without a legalbasis and ina manner<br />
<br />
not compliant with the GDPR and the strict requirements of its Article 9(2) GDPR and other GDPR<br />
provisions relevant thereto. Second, there is also the risk that Meta IE does not consider as special<br />
358<br />
categoriesof personal data (in line with the GDPR and the CJEU case-law ) certain categoriesof<br />
personaldatait processes andconsequently, thatMetaIEdoes not treatthemaccordingly.Third,the<br />
Complainant and other Instagram users whose special categoriesof are processed may be deprived<br />
<br />
of certainspecial protections derived from the use of consent, such as the possibility tospecifically<br />
consent tocertainprocessing operations andnot toothersand tothe further processing of personal<br />
<br />
data(Article 6(4)GDPR);thefreedom towithdraw consent (Article 7 GDPR)andthe subsequent right<br />
to be forgotten 359. Fourth, given the great size and dominant market share of Meta IE in the social<br />
media market, leaving unaddressed its current ambiguity in the processing of special categoriesof<br />
<br />
personal data, and its limited transparency vis-à-vis Instagram users, may set a precedent for<br />
controllers to operate in the same manner and create legaluncertaintyhampering the free flow of<br />
personal datawithinthe EU.<br />
<br />
<br />
199. The EDPB further considers, also in view of these risks to the Complainant and to other Instagram users, that the IE SA did not handle the Complaint with all due diligence 360. The EDPB sees the lack of any further investigation into the processing of special categories of personal data as an omission, and in the present case finds it relevant that the Complainant alleged infringements of Article 9 GDPR in the Complaint 361. The EDPB contends that in the present case, the IE SA should have verified on the basis of the contract and the data processing actually carried out on which legal bases each data processing operation at issue relies.<br />
<br />
<br />
200. The EDPB also highlights that by limiting excessively the scope of its inquiry despite the scope of the complaint in this cross-border case and systematically considering all the objections raised by CSAs not relevant and/or reasoned and thus denying their formal admissibility, the IE SA as LSA in this case, constrains the capacity of CSAs to act and tackle the risks to data subjects in sincere and effective cooperation. As ruled by the CJEU, the LSA must exercise its competence within a framework of close cooperation with other supervisory authorities concerned and cannot “eschew essential dialogue with and sincere and effective cooperation with the other supervisory authorities concerned” 362. The limited scope the IE SA gave to the inquiry and its consideration of all the objections made as inadmissible for being not relevant or reasoned also impairs the EDPB’s capacity to conclude on the matter pursuant to Article 65 GDPR and thus ensure a consistent application of EU data protection law, especially considering that the complaint was introduced more than four years ago.<br />
<br />
<br />
358 See C-184/20 Vyriausioji tarnybinės etikos komisija and more recently on the processing in Facebook: C-252/21 Oberlandesgericht Düsseldorf request, Opinion of the Advocate General on 20 September 2022, ECLI:EU:C:2022:704.<br />
359 Art. 17 GDPR.<br />
360 Judgement of the Court of Justice of 16 July 2020, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, C-311/18, ECLI:EU:C:2020:559, (hereinafter ‘C-311/18, Schrems II’), paragraph 109; Judgement of the Court of Justice of 6 October 2015, Schrems, C-362/14, ECLI:EU:C:2015:650, paragraph 63; Judgement of the Court of Justice of 4 April 2017, European Ombudsman v Staelen, C-337/15, ECLI:EU:C:2017:256, paragraphs 12, 34, 43, 114.<br />
361 Complaint, p. 1-3, 7, 16.<br />
<br />
<br />
201. As a result of the limited scope of the inquiry and the fact that the IE SA did not verify and assess in the Draft Decision Meta IE’s processing of special categories of personal data in its Instagram service, the EDPB does not have sufficient factual evidence on Meta IE’s processing operations to enable it to make a finding on any possible infringement by Meta IE of its obligations under Article 9 GDPR and other GDPR provisions relevant thereto.<br />
<br />
<br />
202. In conclusion, the EDPB decides that the IE SA cannot categorically conclude at this stage through its Finding 1 that Meta IE is not legally obliged to rely on consent to process personal data to carry out the personal data processing activities involved in the delivery of the Instagram Service, including behavioural advertising as set out in the Instagram Terms of Use without further investigating its processing operations, the categories of data processed (including to identify special categories of personal data that may be processed), and the purposes they serve.<br />
<br />
<br />
203. The EDPB instructs the IE SA to remove from its Draft Decision its conclusion on Finding 1. The EDPB decides that the IE SA shall carry out a new investigation into Meta IE’s processing operations in its Instagram service to determine if it processes special categories of personal data (Article 9 GDPR), and complies with the relevant obligations under the GDPR, to the extent that this new investigation complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding Decision, and based on the results of this investigation, issue a new draft decision in accordance with Article 60(3) GDPR 363.<br />
<br />
<br />
6 ON THE POTENTIAL ADDITIONAL INFRINGEMENT OF THE PRINCIPLE OF FAIRNESS<br />
<br />
<br />
6.1 Analysis by the LSA in the Draft Decision<br />
<br />
204. The IE SA in its Draft Decision addresses the Complainant’s allegations that the unclear and misleading nature of the Instagram Terms of Use and Data Policy, together with the mode of acceptance of the Terms of Use, have made Instagram users believe that all processing operations were based on consent under Article 6(1)(a) GDPR and thus constituted a breach of the Meta IE’s transparency obligations under Articles 5(1)(a) and 13(1)(c) GDPR 364. The IE SA analyses the submissions provided by the Meta IE and, noting the Complaint’s focus on the alleged “forced consent” 365, concludes that Meta IE has breached Article 5(1)(a), Article 13(1)(c) and Article 12(1) GDPR due to the lack of transparency in relation to the processing for which Article 6(1)(b) GDPR has been relied on 366. The IE SA explains that, while an infringement of Article 5(1)(a) GDPR does not necessarily or automatically flow from findings of infringement under Articles 12 and/or 13 GDPR, there is an important link between these provisions 367. Nevertheless, the IE SA takes the view that “[t]he factual question of whether the data subject was misled as to the legal basis is therefore part of the broader question as to whether there was compliance with transparency requirements and should not be considered in isolation of this broader issue” 368. The IE SA points out that Article 5(1)(a) GDPR links transparency to the overall fairness of the activities of the controller 369 and concludes on the breach of this provision in relation to the infringement of the transparency obligations 370.<br />
<br />
<br />
362 Judgement of the Court of Justice of 15 June 2021, Facebook Ireland Ltd v Gegevensbeschermingsautoriteit, C-645/19, ECLI:EU:C:2021:483, (hereinafter ‘C-645/19 Facebook v Gegevensbeschermingsautoriteit’), paragraphs 53 and 63.<br />
363 EDPB Guidelines on Article 65(1)(a) GDPR, Section 4.2.3 and paragraph 85.<br />
364 Draft Decision, issue 3, paragraphs 116-196, in particular the conclusion in paragraph 196.<br />
365 See also paragraph 3 of this Binding Decision.<br />
<br />
<br />
6.2 Summary of the objection raised by the CSA<br />
<br />
<br />
205. The IT SA objects to the scope of Finding 3 of the Draft Decision and to the assessment leading up to it. The IT SA agrees to a large extent with the Draft Decision’s Finding 3 on the infringement of Article 12(1), Article 13(1)(c), and Article 5(1)(a) GDPR in terms of transparency 371. However, the IT SA argues that Meta IE has also failed to comply with the more general principle of fairness under Article 5(1)(a) GDPR, which, in the view of the IT SA, entails separate requirements from those relating specifically to transparency 372.<br />
<br />
<br />
206. According to the IT SA, the relationship between Meta IE and Instagram users is markedly and significantly unbalanced 373 and an infringement of the fairness principle resulted, first of all, from the misrepresentation of the legal basis for processing by the controller 374, considering that “Meta presented its service to users in a misleading manner” and “without taking due account of users’ right to the protection of their personal data” 375. The IT SA argues that “the controller leaves its users in the dark as they are expected to tell or actually ‘figure out’, from time to time, the possible connections between purposes sought, applicable legal basis and relevant processing activities” 376.<br />
<br />
<br />
207. Secondly, such infringement also stems from the “high-level and all-encompassing reference to Article 6(1)(b) GDPR as relied upon to enable the massive collection of personal data [...] and their reuse for multifarious, distinct purposes”, considering the “pervasive as well as prolonged analysis of [the users’] online behaviour” amounting to a disproportionate interference with their private lives compared to the pursuit of freedom of enterprise 377.<br />
<br />
<br />
208. The IT SA thus considers that the IE SA should have found an infringement of the fairness principle under Article 5(1)(a) GDPR, in addition to the infringement of the transparency obligations derived from this provision, without any need for supplementary investigations 378. According to the IT SA, should the objection be followed, it would also impact the exercise of corrective powers by the IE SA, i.e. the measures to be imposed on the controller in order to bring the processing into conformity with the GDPR 379.<br />
<br />
<br />
366 Draft Decision, paragraphs 180-196.<br />
367 Draft Decision, paragraph 191.<br />
368 Draft Decision, paragraph 25.<br />
369 Draft Decision, paragraph 193.<br />
370 Draft Decision, paragraphs 191-196 and Finding 3.<br />
371 IT SA Objection, p. 4-5.<br />
372 IT SA Objection, p. 5.<br />
373 IT SA Objection, p. 5.<br />
374 IT SA Objection, p. 5.<br />
375 IT SA Objection, p. 5.<br />
376 IT SA Objection, p. 6.<br />
377 IT SA Objection, p. 6.<br />
<br />
<br />
6.3 Position of the LSA on the objection<br />
<br />
209. The IE SA does not consider the IT SA objection to be relevant and reasoned and does not follow it 380. The IE SA examines it together with the other objections relating to the scope and conduct of the inquiry and contends that introducing novel issues not raised by the Complainant or otherwise put to the parties would represent a significant departure in terms of the scope of the inquiry 381.<br />
<br />
<br />
210. The IE SA highlights the legal consequences that would flow from making material changes concerning infringements outside of the Complaint and Draft Decision, namely the likelihood that Meta IE would succeed in arguing before the Irish Courts that it has been denied an opportunity to be heard on additional and extraneous findings that are adverse to it 382. The IE SA’s concern arose from the fact that, according to the IE SA, Meta IE was never invited to be heard in response to an allegation that it had infringed the fairness principle set out in Article 5(1)(a) GDPR. The IE SA notes, in this regard, that a respondent has the right to be heard in response to the particulars of the case being made against it and that this is a core element of a fair procedure pursuant to Irish law. The IE SA takes the view that expanding the material scope of the inquiry is neither necessary, nor could be reconciled with the controller’s right to a fair procedure 383.<br />
<br />
<br />
6.4 Analysis of the EDPB<br />
<br />
<br />
6.4.1 Assessment of whether the objection was relevant and reasoned<br />
<br />
211. The IT SA objection concerns “whether there is an infringement of the GDPR” 384.<br />
<br />
212. The EDPB takes note of Meta IE’s view that the objections categorised by the IE SA as relating to the scope and conduct of the inquiry, among which the IT SA objection regarding the infringement of the fairness principle, are “irrelevant to the resolution of this Inquiry” and, if accepted, would seriously infringe Meta IE’s procedural rights under both Irish and EU law 385. According to Meta IE, “the EDPB cannot expand the scope of the Inquiry in the manner suggested by the CSAs through Objections that are not relevant to the substance of the Complaint” and in relation to this Meta IE refers to the EDPB Binding Decision 2/2022 386.<br />
<br />
<br />
<br />
<br />
<br />
378 IT SA Objection, p. 5-6.<br />
379 IT SA Objection, p. 1.<br />
380 Composite Response, paragraph 36.<br />
381 Composite Response, paragraph 29.<br />
382 Composite Response, paragraphs 31-32.<br />
383 Composite Response, paragraph 35.<br />
384 EDPB Guidelines on RRO, paragraph 24.<br />
385 Meta IE Article 65 Submissions, paragraph 4.2 and paragraphs 4.10 to 4.20 regarding the right to fair procedure, as well as Meta IE Article 65 Submissions, Annex 1, paragraph 7.7.<br />
386 Meta IE Article 65 Submissions, paragraph 4.9. In particular, Meta IE refers to paragraphs 139, 140, 147, 148, 164, and 165 of the EDPB Binding Decision 2/2022.<br />
<br />
<br />
213. Meta IE further contends that the IT SA objection is not reasoned as it provides broad and unsubstantiated allegations without presenting facts or evidence in this regard 387 and fails to address the significance of the risk to fundamental rights and freedoms posed by the Draft Decision 388.<br />
<br />
<br />
214. As it was previously explained, the EDPB does not share the understanding that CSAs may not disagree with the scope of the inquiry as decided by the LSA by way of an objection 389. The EDPB recalls that an objection could go as far as identifying gaps in the draft decision justifying the need for further investigation by the LSA, for example in situations where the investigation carried out by the LSA unjustifiably fails to cover some of the issues raised by the complainant 390. In this regard, the EDPB observes that, in their complaint, the Complainant alleges that the information provided in Meta IE’s Privacy Policy “is inherently non-transparent and unfair within the meaning of Articles 5(1)(a) and 13(c) GDPR” 391. In addition, the Complainant alleges that “Asking for consent to a processing operation, when the controller relies in fact on another legal basis is fundamentally unfair, misleading and non-transparent within the meaning of Article 5(1)(a) of the GDPR” 392. Therefore, the EDPB disagrees with the IE SA’s finding that assessing Meta IE’s compliance with the principle of fairness would amount to addressing matters “which fall outside of the scope of the underlying complaint” 393.<br />
<br />
<br />
215. The EDPB notes that the IT SA agrees with the IE SA’s finding with regard to the infringement of the principle of transparency under Article 5(1)(a) GDPR 394. As this finding is not subject to a dispute, the EDPB will not examine this matter.<br />
<br />
<br />
216. After analysing the IT SA objection, the EDPB finds that the objection is relevant, as it refers to a specific part of the Draft Decision (Finding 3 395), and if followed would lead to the conclusion that there is an infringement of the general principle of fairness under Article 5(1)(a) GDPR, in addition to the breach of the separate requirements relating to transparency under this provision 396. The objection, if followed, would also entail the exercise of corrective powers, i.e. the measures to be imposed on the controller in order to bring the processing into conformity with the GDPR 397.<br />
<br />
<br />
387 Meta IE Article 65 Submissions, Annex 1, paragraph 7.8.<br />
388 Meta IE Article 65 Submissions, Annex 1, paragraph 7.9.<br />
389 See paragraphs 73-75 of this Binding Decision.<br />
390 EDPB Guidelines on RRO, paragraph 27.<br />
391 Complaint, paragraph 2.3.1.<br />
392 Complaint, paragraph 2.3.2.<br />
393 Composite Response, paragraph 30.<br />
394 IT SA Objection, p. 4-5.<br />
395 IT SA Objection, p. 4-5. In respect of Meta IE’s arguments in paragraph 4.9 of its Article 65 Submissions on this objection not being relevant, the EDPB recalls that the analysis of whether a given objection meets the threshold set by Art. 4(24) GDPR is carried out on a case-by-case basis. Meta IE refers to the EDPB’s Binding Decision 2/2022 and specifically to the paragraphs where the EDPB established that specific objections raised by the DE SAs and NO SA in that case were not relevant and reasoned. There are several differences between those objections and the objection of the IT SA that is being analysed in this section. More specifically, in the Binding Decision 2/2022 the objections referred to by Meta IE did not “establish a direct connection with the specific legal and factual content of the Draft Decision” (Binding Decision 2/2022 paragraphs 139, 147, 164) whereas the IT SA objection here makes several clear links with the content of the Draft Decision, by referring to the analysis carried out by the IE SA in respect of the breach of the transparency obligations and to specific observations made by the LSA and explains how the additional infringement of Art. 5(1)(a) could be established on that basis (see, for example, p. 6 of the IT Objection referring to paragraph 185 of the Draft Decision concerning users being left “in the dark”).<br />
396 IT SA Objection, p. 5-6.<br />
<br />
217. The IT SA objection is also reasoned because it includes several specific legal and factual arguments in support of finding an additional infringement of the principle of fairness under Article 5(1)(a) GDPR 398. For example, the IT SA explains that “[t]ransparency and fairness are two separate notions” and that “transparency relates to clarity of the information provided to users via the ToS and the privacy policy”, while “fairness relates to how the controller addressed the lawfulness of the processing activities in connection with its social networking service” 399. The IT SA contends that the “overall relationship between Meta and Instagram users is markedly as well as significantly unbalanced” 400. According to the IT SA, the first way in which Meta IE has infringed the principle of fairness is by misrepresenting the legal basis for processing in order to pursue its business model “without taking due account of users’ right to the protection of personal data” and leaving “its users in the dark” 401. Further, in the IT SA’s view, Meta IE has breached the fairness principle, by justifying via the broad reference to the legal basis of performance of contract a massive collection of personal data and their reuse for a wide range of purposes, disproportionately interfering with users’ private life 402.<br />
<br />
218. The IT SA objection also identifies the risks posed by the absence in the Draft Decision of a finding on the infringement of the fairness principle, namely setting a dangerous precedent for future decisions concerning other digital platform operators - more generally, other controllers belonging to the same business sector - and markedly weakening the safeguards that must be provided through the effective implementation of the data protection framework on account of the comprehensive disregard of the fairness of the processing principle 403.<br />
<br />
219. Therefore, the EDPB considers that the IT SA objection is relevant and reasoned (cf. Article 4(24) GDPR).<br />
<br />
<br />
6.4.2 Assessment on the merits<br />
<br />
220. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.<br />
<br />
<br />
<br />
<br />
397 IT SA Objection, p. 1.<br />
398 See paragraphs 206-208 of this Binding Decision.<br />
399 IT SA Objection, p. 5.<br />
400 IT SA Objection, p. 5.<br />
401 IT SA Objection, p. 6.<br />
402 IT SA Objection, p. 6. See also above, paragraphs 206-208. In respect of Meta IE’s arguments in paragraph 4.9 of its Article 65 Submissions on this objection not being reasoned, the EDPB notes that the objections that were found to be not relevant and/or not reasoned in the Binding Decision 2/2022 did “not provide sufficiently precise and detailed legal reasoning regarding infringement of each specific provision in question”, did not explain sufficiently clearly, nor substantiate in sufficient detail how the conclusion proposed could be reached, or did not sufficiently demonstrate the significance of the risk posed by the Draft Decision for the rights and freedoms of the data subjects or the free flow of data within the EU (Binding Decision 2/2022, paragraphs 140, 148, 165). The IT SA objection provides, instead, a number of legal and factual arguments and explanations as to why a breach of the fairness principle is to be established, and adequately identifies the risk posed by the Draft Decision if it was adopted unchanged.<br />
403 IT SA Objection, p. 7.<br />
<br />
<br />
221. The EDPB considers that the objection found to be relevant and reasoned in this subsection requires an assessment of whether the Draft Decision needs to be changed insofar as it contains no finding of infringement of the fairness principle under Article 5(1)(a) GDPR. When assessing the merits of the objection raised, the EDPB also takes into account Meta IE’s position on the objection and its submissions.<br />
<br />
<br />
222. The EDPB takes note of Meta IE’s view that the IT SA objection lacks merit as it goes beyond the scope of the inquiry 404. The EDPB also notes that Meta IE links the issue of the potential infringement of the principle of fairness, raised in the IT SA objection, with the question of the competence of CSAs or the EDPB to assess the validity of contracts in the context of Article 6(1)(b) GDPR and, when responding to the merits of the IT SA objection, Meta IE refers to its submissions on application of Article 6(1)(b) GDPR with respect to standard form contracts 405. While taking note of Meta IE’s view on this matter, the EDPB considers the question of Meta IE’s compliance with the principle of fairness under Article 5(1)(a) GDPR to be distinct from the question of the choice of the appropriate legal basis (although a connected one, as explained below) and proceeds with its respective assessment below.<br />
<br />
<br />
223. Firstly, the EDPB recalls that the basic principles relating to processing listed in Article 5 GDPR can, as such, be infringed 406. This is apparent from the text of Article 83(5)(a) GDPR which subjects the infringement of the basic principles for processing to administrative fines of up to 20 million euros, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.<br />
<br />
<br />
224. The EDPB underlines that the principles of fairness, lawfulness and transparency, all three enshrined in Article 5(1)(a) GDPR, are three distinct but intrinsically linked and interdependent principles that every controller should respect when processing personal data. The link between these principles is evident from a number of GDPR provisions: Recitals 39 and 42, Article 6(2) and Article 6(3)(b) GDPR refer to lawful and fair processing, while Recitals 60 and 71 GDPR, as well as Article 13(2), Article 14(2) and Article 40(2)(a) GDPR refer to fair and transparent processing.<br />
<br />
225. On the basis of the above consideration, the EDPB agrees with the IE SA’s view that “Article 5(1)(a) links transparency to the overall fairness of the activities of a controller” 407 but considers that the principle of fairness has an independent meaning and stresses that an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
404 Meta IE Article 65 Submissions, Annex 1, paragraph 7.10. In this respect see paragraphs 73-75 (section 4.41) of this Binding Decision.<br />
405 “To the extent the IT SA objects to the lawfulness of Meta Ireland’s data processing based on the nature of the contract between Meta Ireland and users of the Instagram Service (i.e. a standard form contract), Meta Ireland submits that the validity of contract is not within the competence of CSAs or the EDPB. In any event, Meta Ireland respectfully asks the EDPB to take into account its submission above with respect to standard form contracts”. Meta IE Article 65 Submissions, Annex 1, paragraph 7.10.<br />
406 See also Binding Decision 1/2021, paragraph 191.<br />
407 Draft Decision, paragraph 193.<br />
<br />
<br />
226. The EDPB recalls that, in data protection law, the concept of fairness stems from the EU Charter of Fundamental Rights 408. The EDPB has already provided some elements as to the meaning and effect of the principle of fairness in the context of processing personal data. For example, the EDPB has previously opined in its Guidelines on Data Protection by Design and by Default that “[f]airness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject” 409.<br />
<br />
<br />
227. Among the key fairness elements that controllers should consider in this regard, the EDPB has mentioned autonomy of the data subjects, data subjects’ expectation, power balance, avoidance of deception, ethical and truthful processing 410. These elements are particularly relevant in the case at hand. The principle of fairness under Article 5(1)(a) GDPR underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights. The EDPB has previously explained that “the principle of fairness includes, inter alia, recognising the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller” 411.<br />
<br />
<br />
228. The EDPB recalls that a fair balance must be struck between, on the one hand, the commercial interests of the controllers and, on the other hand, the rights and expectations of the data subjects under the GDPR 412. A key aspect of compliance with the principle of fairness under Article 5(1)(a) GDPR refers to pursuing “power balance” as a “key objective of the controller-data subject relationship” 413, especially in the context of online services provided without monetary payment, where users are often not aware of the ways and extent to which their personal data is being processed 414. Consequently, lack of transparency can make it almost impossible in practice for the data subjects to exercise an informed choice over the use of their data 415 which is in contrast with the element of “autonomy” of data subjects as to the processing of their personal data 416.<br />
<br />
<br />
229. Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data. Compliance by providers of online services acting as controllers with all three of the cumulative requirements under Article 5(1)(a) GDPR, taking into account the particular service that is being provided and the characteristics of their users, serves as a shield from the danger of abuse and deception, especially in situations of power asymmetries.<br />
<br />
<br />
408 Art. 8 EU Charter of Fundamental Rights states as follows: “1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law” (emphasis added).<br />
409 EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, Version 2, Adopted on 20 October 2020 (hereinafter “EDPB Guidelines on Data Protection by Design and by Default”), paragraph 69.<br />
410 EDPB Guidelines on Data Protection by Design and by Default, paragraph 70.<br />
411 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 12.<br />
412 On the balance between the different interests at stake see for example: Judgement of the Court of Justice of 12 December 2013, X, C-486/12, ECLI:EU:C:2013:836; Judgement of the Court of Justice of 7 May 2009, College van burgemeester en wethouders van Rotterdam v M.E.E. Rijkeboer, C-553/07, ECLI:EU:C:2009:293; Judgment of the Court (Grand Chamber) of 9 November 2010, Volker und Markus Schecke GbR (C-92/09) and Hartmut Eifert (C-93/09) v Land Hessen, ECLI:EU:C:2010:662.<br />
413 EDPB Guidelines on Data Protection by Design and by Default, paragraph 70.<br />
414 On online services, see EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraphs 3-5.<br />
415 Further EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 4.<br />
416 EDPB Guidelines on Data Protection by Design and by Default, paragraph 70. According to this element of fairness, “data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as over the scope and conditions of that use or processing”.<br />
<br />
<br />
230. The EDPB has previously emphasised that the identification of the appropriate lawful basis is tied to the principles of fairness and purpose limitation 417. In this regard, the IT SA rightly observes that while finding a breach of transparency relates to the way in which information has been provided to users via the Instagram Terms of Use and Data Policy, compliance with the principle of fairness also relates to “how the controller addressed the lawfulness of the processing activities in connection with its social networking service” 418. Thus the EDPB considers that an assessment of compliance by Meta IE with the principle of fairness requires also an assessment of the consequences that the choice and presentation of the legal basis entail for the users of the Instagram service. In addition, that assessment cannot be made in the abstract, but has to take into account the specificities of the particular social networking service and of the processing of personal data carried out, namely for the purpose of online behavioural advertising 419.<br />
<br />
231. The EDPB notes that in this particular case the breach of Meta IE’s transparency obligations is of such gravity that it clearly impacts the reasonable expectations of the Instagram users by confusing them on whether clicking the “Agree to Terms” button results in giving their consent to the processing of their personal data. The EDPB notes in this regard that one of the elements of compliance with the principle of fairness is avoiding deception i.e. providing information “in an objective and neutral way, avoiding any deceptive or manipulative language or design” 420.<br />
<br />
232. As outlined in the Draft Decision, the Complainant argues that Meta IE relied on “forced consent” as a result of being led to believe that the legal basis for processing the controller was relying upon was consent 421. The Complaint demonstrates the confusion suffered by the Complainant both due to the (lack of) information presented to Instagram users in the context of their “agreement” 422 and the circumstances of how the act of “agreement” was sought by Meta IE 423. The EDPB considers that the LSA should have taken into account such Meta IE’s practices in relation to the principle of fairness, regardless of its finding that Meta IE has not sought to rely on consent in order to process personal data to deliver the Terms of Use 424.<br />
<br />
<br />
233. In addition, and as recognised by the LSA itself, further to its assessment of the information provided concerning processing being carried out in reliance on Article 6(1)(b) GDPR, “it is impossible for the user to identify with any degree of specificity what processing is carried out on what data, on foot of the specified lawful bases” 425. Considering this, in the EDPB’s view, there are clear indications that Instagram users’ expectations with regard to the applicable legal basis have not been fulfilled 426. Therefore, the EDPB shares the IT SA’s concern that Instagram users are left “in the dark” 427 and considers that the processing by Meta IE cannot be regarded as ethical and truthful 428 because it is confusing with regard to the type of data processed, the legal basis and the purpose of the processing, which ultimately restricts the Instagram users’ possibility to exercise their data subjects’ rights.<br />
<br />
<br />
417 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 1.<br />
418 IT SA Objection, p. 5.<br />
419 See Draft Decision, paragraph 104 where the IE SA holds that “the core of the service offered by Meta Ireland is premised on the delivery of personalised advertising” and Meta IE Article 65 Submissions, paragraph 6.38 where Meta IE claims that “It would be impossible to provide the Instagram Service in accordance with the Terms of Use without providing behavioural advertising”.<br />
420 EDPB Guidelines on Data Protection by Design and by Default, paragraph 70.<br />
421 Draft Decision, paragraph 37.<br />
422 Complaint, p. 3.<br />
423 Complaint, p. 6-7.<br />
424 Draft Decision, Finding 1.<br />
<br />
<br />
234. Furthermore, the EDPB considers that the extensive analysis by the IE SA with regard to the issue of<br />
legal basis and transparency in relation to the processing being carried out in reliance on Article 6(1)(b)<br />
GDPR is closely linked to the issue of compliance by Meta IE with the principle of fairness. Considering<br />
the seriousness of the infringements of the transparency obligations by Meta IE already identified in<br />
the Draft Decision and the related misrepresentation of the legal basis relied on, the EDPB agrees with<br />
the IT SA that Meta IE has presented its service to the Instagram users in a misleading manner 429,<br />
which adversely affects their control over the processing of their personal data and the exercise of<br />
their data subjects’ rights. Therefore, the EDPB is of the opinion that the IE SA’s finding of breach of<br />
Article 5(1)(a) GDPR with regard to the principle of transparency 430 should extend to the principle of<br />
fairness too.<br />
<br />
235. This is all the more supported by the fact that, in the circumstances of the present case as<br />
demonstrated above 431, the overall effect of the infringements by Meta IE of the transparency<br />
obligations under Article 5(1)(a), Article 12(1), Article 13(1)(c) GDPR and the infringement of Article<br />
6(1)(b) GDPR 432 further intensifies the imbalanced nature of the relationship between Meta IE and the<br />
Instagram users brought up by the IT SA objection. The combination of factors, such as the asymmetry<br />
of the information created by Meta IE with regard to the Instagram service users, combined with the<br />
“take it or leave it” situation that they are faced with due to the lack of alternative services in the<br />
market and the lack of options allowing them to adjust or opt out from a particular processing under<br />
the contract with Meta IE, systematically disadvantages the Instagram service users, limits their<br />
control over the processing of their personal data and undermines the exercise of their rights under<br />
Chapter III of the GDPR.<br />
<br />
236. Therefore, the EDPB instructs the IE SA to include a finding of an infringement of the principle of<br />
fairness under Article 5(1)(a) GDPR by Meta IE, in addition to the infringement of the principle of<br />
transparency under the same provision, and to adopt the appropriate corrective measures, by<br />
addressing, but without being limited to, the question of an administrative fine for this infringement<br />
as provided for in Section 9 of this Binding Decision.<br />
<br />
425 Draft Decision, paragraph 185.<br />
426 According to the fairness element of “expectation”, “processing should correspond with data subjects’<br />
reasonable expectations”. EDPB Guidelines on Data Protection by Design and by Default, paragraph 70.<br />
427 IT SA Objection, p. 6.<br />
428 See EDPB Guidelines on Data Protection by Design and by Default, paragraph 70, where the EDPB explains<br />
that “ethical” means that “[t]he controller should see the processing’s wider impact on individuals’ rights and<br />
dignity” and “truthful” means that “[t]he controller must make available information about how they process<br />
personal data, they should act as they declare they will and not mislead the data subjects”.<br />
429 IT SA Objection, p. 5.<br />
430 Draft Decision, paragraphs 180-196.<br />
431 Paragraphs 223-235 of this Binding Decision.<br />
432 Paragraph 137 of this Binding Decision.<br />
<br />
7 ON THE POTENTIAL ADDITIONAL INFRINGEMENT OF THE<br />
PRINCIPLES OF PURPOSE LIMITATION AND DATA MINIMISATION<br />
<br />
7.1 Analysis by the LSA in the Draft Decision<br />
<br />
237. The IE SA refers to Article 5(1)(b) GDPR 433 and Article 5(1)(c) GDPR 434 when analysing the extent of the<br />
controller’s obligation under Article 13(1)(c) GDPR and whether Meta IE has infringed this provision.<br />
More specifically, the IE SA highlights that Article 13 GDPR requires that the purposes and legal bases<br />
must be specified in respect of the intended processing and cannot just be cited in the abstract 435.<br />
After explaining why Meta IE’s view that there is no specific obligation for the legal basis to be mapped<br />
to the purpose of processing cannot be reconciled with a literal reading of the GDPR, the IE SA, for<br />
completeness, also engages in a systemic reading based on the legislator’s objective and the contents<br />
of the GDPR as a whole 436.<br />
<br />
238. In this context, the IE SA points out that the six principles laid down under Article 5 GDPR are<br />
interconnected and operate in combination to underpin the whole GDPR 437. However, the IE SA does<br />
not assess whether Meta IE’s processing activities entail a separate infringement of the principles of<br />
purpose limitation and data minimisation under Article 5(1)(b) and Article 5(1)(c) GDPR.<br />
<br />
7.2 Summary of the objection raised by the CSAs<br />
<br />
239. According to the IT SA, there is an additional infringement of points (b) and (c) of Article 5(1) GDPR on<br />
account of Meta IE’s failure to comply with the purpose limitation and data minimisation principles. It<br />
considers that such infringement should be found without the need for any further investigation and<br />
should result in a substantial increase of the proposed administrative fine 438.<br />
<br />
240. The IT SA puts forward several factual and legal arguments for the proposed change to the Draft<br />
Decision. First, it points out that the IE SA confines its assessment to only one of the contract’s purposes<br />
(the provision of online behavioural advertising), while the Instagram service would actually be<br />
composed of several processing activities pursuing several purposes 439. According to the IT SA, the<br />
fact that Meta IE inappropriately based its multifarious processing activities only on Article 6(1)(b)<br />
GDPR entails an infringement of the purpose limitation and data minimisation principles 440. The IT SA<br />
stresses the relevance of these principles in online services contracts, as they are not negotiated on<br />
an individual basis, and refers to pages 15 and 16 of the WP29 Opinion 03/2013 on purpose<br />
limitation 441. The IT SA also refers to the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR and recalls<br />
that, where the contract consists of several separate services or elements of a service that can be<br />
performed independently, the applicability of Article 6(1)(b) GDPR should be assessed for each of<br />
those services separately 442.<br />
<br />
433 Draft Decision, paragraphs 152-160.<br />
434 Draft Decision, paragraph 152.<br />
435 Draft Decision, paragraph 162.<br />
436 Draft Decision, paragraphs 167-171.<br />
437 Draft Decision, paragraph 152 and paragraphs 153-160 with respect to the principle of purpose limitation<br />
under Art. 5(1)(b) GDPR.<br />
438 IT SA Objection, p. 4.<br />
439 IT SA Objection, p. 2.<br />
440 IT SA Objection, p. 2.<br />
441 IT SA Objection, p. 3.<br />
<br />
241. On the risks posed by the Draft Decision, the IT SA refers to the risk identified by the WP29 in its<br />
Opinion 03/2013 on purpose limitation 443, namely that “data controllers may seek to include<br />
processing terms in contracts to maximise the possible collection and uses of data without adequately<br />
specifying those purposes or considering data minimisation obligations” 444. In addition, in the IT SA’s<br />
view, the failure to specify and communicate the purposes of the processing to the data subject<br />
creates a risk of artificially expanding the types of processing or the categories of personal data<br />
considered necessary for the performance of a contract under Article 6(1)(b) GDPR, which would<br />
nullify the safeguards afforded to data subjects under data protection law 445.<br />
<br />
7.3 Position of the LSA on the objection<br />
<br />
242. The IE SA does not consider that the IT SA’s objection is relevant and reasoned 446. Categorising the<br />
objection as relating to the scope and conduct of the inquiry, the IE SA adopts the same approach as<br />
with regard to the alleged infringement of the principle of fairness. More specifically, the IE SA<br />
contends that introducing novel issues not raised by the Complainant or otherwise put to the parties<br />
would represent a significant departure in terms of the scope of the inquiry 447. It highlights the legal<br />
consequences that would flow from making material changes concerning infringements outside of the<br />
complaint and Draft Decision, namely the likelihood that Meta IE would succeed in arguing before the<br />
Irish Courts that it has been denied an opportunity to be heard on additional and extraneous findings<br />
that are adverse to it 448. The IE SA’s concern arose from the fact that, according to the IE SA, Meta IE<br />
was never invited to be heard in response to an allegation that it had infringed the fairness principle<br />
set out in Article 5(1)(a) GDPR. The IE SA notes, in this regard, that a respondent has the right to be<br />
heard in response to the particulars of the case being made against it and that this is a core element<br />
of a fair procedure pursuant to Irish law. The IE SA takes the view that expanding the material scope<br />
of the inquiry is not possible under Irish procedural law 449. It further notes that a very significant risk<br />
of procedural unfairness, under Irish national law, would result from the proposal to assume, without<br />
any further factual examination, that Meta IE has infringed the purpose limitation principle 450.<br />
<br />
7.4 Analysis of the EDPB<br />
<br />
7.4.1 Assessment of whether the objection was relevant and reasoned<br />
<br />
243. The IT SA’s objection concerns “whether there is an infringement of the GDPR” 451.<br />
<br />
442 IT SA Objection, p. 3.<br />
443 WP29 Opinion 03/2013 on purpose limitation, WP 203, adopted on 2 April 2013.<br />
444 IT SA Objection, p. 3.<br />
445 IT SA Objection, p. 3.<br />
446 Composite Response, paragraph 36.<br />
447 Composite Response, paragraph 29.<br />
448 Composite Response, paragraphs 31-32.<br />
449 Composite Response, paragraph 32.<br />
450 Composite Response, paragraph 33.<br />
451 EDPB Guidelines on RRO, paragraph 24.<br />
<br />
244. The EDPB takes note of Meta IE’s view that the IT SA’s objection does not meet the relevant and<br />
reasoned thresholds because it falls outside the defined scope of the inquiry 452. As previously<br />
explained, the EDPB does not share the understanding that CSAs may not disagree with the scope of<br />
the inquiry as decided by the LSA by way of an objection 453.<br />
<br />
245. Meta IE points out that the objection concerns matters that have not been investigated and relates to<br />
theoretical findings on legal bases 454. Meta IE further argues that even if the objection satisfied the<br />
abovementioned thresholds, it should be disregarded because otherwise Meta IE’s right to fair<br />
procedures under both Irish and EU law would be contravened 455.<br />
<br />
246. The EDPB considers that the IT SA objection is relevant as it refers to specific parts of the Draft<br />
Decision, namely Finding 2 and Finding 3 456, and argues that the IE SA should have found an<br />
infringement of Article 5(1)(b) and Article 5(1)(c) GDPR, which lay down the principles of purpose<br />
limitation and data minimisation.<br />
<br />
247. The objection also includes arguments on legal and factual mistakes in the IE SA’s Draft Decision that<br />
require amending. According to the IT SA, the IE SA’s reasoning is inconsistent because the high-level,<br />
rather unclear information provided to the data subjects is a major criticality that should have led the<br />
IE SA not only to question the features of the information notice, but also to verify, in detail, the<br />
application of the principles of purpose limitation and data minimisation from a substantive<br />
perspective 457. More specifically, the IT SA takes the view that the IE SA should have had regard to the<br />
actual configuration of the processing operations performed in order to assess whether the controller<br />
had abided by the obligation to process personal data for specified, explicit and legitimate purposes<br />
both when collecting those data and thereafter 458.<br />
<br />
248. As regards the risk posed by the Draft Decision, the EDPB takes note of the IT SA’s reference to<br />
paragraph 16 of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR and reiterates the particular<br />
relevance of Article 5(1)(b) and Article 5(1)(c) GDPR in the context of contracts for online services, in<br />
view of the risk that data controllers may seek to include general processing terms in contracts in<br />
order to maximise the possible collection and uses of data, without adequately specifying those<br />
purposes or considering data minimisation obligations 459. Nevertheless, the EDPB stresses that a mere<br />
reference to the EDPB Guidelines is not sufficient to demonstrate the risks posed by the Draft Decision<br />
in this specific case and in these specific circumstances.<br />
<br />
249. The IT SA also considers that the purposes for the processing “must be clearly specified and<br />
communicated to the data subject, in line with the controller’s purpose limitation and transparency<br />
obligations”, otherwise there is “a risk that other data protection obligations might be evaded by<br />
artificially expanding the types of processing or the categories of personal data that are considered to<br />
be ‘necessary’ for performance of the contract under Article 6(1)(b) GDPR - which would in turn nullify<br />
the safeguards afforded to data subjects by personal data protection law” 460.<br />
<br />
452 Meta IE Article 65 Submissions, Annex 1, paragraphs 7.1-7.4.<br />
453 See paragraphs 73-75 of this Binding Decision.<br />
454 Meta IE Article 65 Submissions, Annex 1, paragraph 7.2.<br />
455 Meta IE Article 65 Submissions, Annex 1, paragraph 7.3.<br />
456 The IT SA refers to the IE SA’s reasoning preceding Finding 2 and to paragraphs 122-149 and 184, 185 and<br />
187 preceding Finding 3 of the Draft Decision.<br />
457 IT SA Objection, p. 4.<br />
458 IT SA Objection, p. 4.<br />
459 EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, paragraph 16.<br />
<br />
250. The EDPB recalls that the objection must put forward arguments or justifications concerning the<br />
consequences of issuing the decision without the changes proposed in the objection, and how such<br />
consequences would pose significant risks for data subjects’ fundamental rights and freedoms 461. The<br />
CSA needs to advance sufficient arguments to explicitly show that such risks are substantial and<br />
plausible 462. In addition, the demonstration of the significance of the risks cannot be implied from the<br />
legal and/or factual arguments provided by the CSA, but has to be explicitly identified and elaborated<br />
in the objection 463.<br />
<br />
251. The EDPB considers that the IT SA’s objection fails to meet these requirements as it does not<br />
demonstrate the significance of the risk stemming from an omission in the Draft Decision of a finding<br />
that the principles of purpose limitation and data minimisation have been infringed by Meta IE. The<br />
risk, as described by the IT SA objection, is not substantial and plausible enough. Moreover, the risk<br />
relates to the IE SA’s decision not to conclude on the inappropriate use of Article 6(1)(b) GDPR as a<br />
legal basis for Meta IE’s processing activities but fails to establish a clear link with the LSA’s decision<br />
not to make a finding on the infringement of Article 5(1)(b) and Article 5(1)(c) GDPR.<br />
<br />
252. Therefore, the EDPB considers that the abovementioned objection by the IT SA is not reasoned (cf.<br />
Article 4(24) GDPR) and will not assess it on the merits.<br />
<br />
8 ON CORRECTIVE MEASURES OTHER THAN ADMINISTRATIVE FINES<br />
<br />
8.1 Analysis by the LSA in the Draft Decision<br />
<br />
253. The IE SA considers that an order to bring processing into compliance (Art. 58(2)(d) GDPR) should be<br />
imposed on Meta IE, requiring them to bring their Data Policy and Terms of Service into compliance<br />
with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR as regards processing carried out on the<br />
basis of Article 6(1)(b) GDPR within three months of the date of notification of any final decision 464.<br />
<br />
254. The LSA considers an order is necessary and proportionate, contrary to the controller’s position 465.<br />
Regarding the necessity, the IE SA explains that this order is the only way to guarantee that Meta IE<br />
amends the infringements outlined in the Draft Decision, which is essential for the protection of data<br />
subjects’ rights 466. Concerning the proportionality, the LSA points out that the proposed measure is<br />
the minimum action required to ensure the future compliance of the controller. Further, the IE SA<br />
recalls Meta IE’s available resources, the specificity of the LSA’s order, and the importance of the data<br />
subjects’ rights concerned to conclude that such measure is proportionate 467.<br />
<br />
460 IT SA Objection, p. 3.<br />
461 EDPB Guidelines on RRO, paragraph 18.<br />
462 EDPB Guidelines on RRO, paragraph 37.<br />
463 EDPB Guidelines on RRO, paragraph 37.<br />
464 Draft Decision, paragraphs 200 and 203.<br />
465 Meta IE Submissions on Preliminary Draft Decision, paragraphs 12.1, 12.2, and 12.4; Draft Decision,<br />
paragraphs 200 and 201.<br />
466 Draft Decision, paragraph 204.<br />
<br />
8.2 Summary of the objections raised by the CSAs<br />
<br />
255. The NL SA objects to the choice of the corrective measures of the LSA in their Draft Decision 468. The<br />
NL SA notes that the IE SA is proposing to impose an order pursuant to Article 58(2)(d) GDPR alongside<br />
an administrative fine, and that this objection concerns the first of these two measures 469. More<br />
specifically, the NL SA objects to the order to bring processing into compliance (Article 58(2)(d) GDPR)<br />
within three months proposed by the LSA, arguing that it is not appropriate, not necessary, nor<br />
proportionate to ensure compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR, as<br />
well as the additional infringement of Article 6(1)(b) and Article 9(2) GDPR raised in its objection 470.<br />
The NL SA takes the view that the proposed order is insufficient to remedy the serious situation of<br />
non-compliance arising from these infringements, since it does not remedy the illegality of the<br />
conduct carried out during the transition period (i.e. the time between the issuance of the decision<br />
and the expiration date of the order), bearing in mind that every day the service continues operations<br />
as described in the Terms of Use and Data Policy, it does so in an illegal way harming the rights and<br />
freedoms of millions of data subjects in the EEA 471. According to the NL SA, the Draft Decision should<br />
be modified to include a temporary ban on Meta IE’s processing of personal data for the duration<br />
necessary for the controller to bring its processing into compliance with the GDPR (Article 58(2)(f)<br />
GDPR), as this would be appropriate, necessary and proportionate taking into account the<br />
circumstances of the case 472, and would be the only measure suitable to make sure that the expansive<br />
violation of the fundamental rights and freedoms of data subjects is not continued 473. The NL SA also<br />
argues that the breaches of the GDPR established by the LSA, combined with the additional breaches<br />
put forward by the NL SA, are of a very grave nature and justify halting processing operations during<br />
the time the controller needs to remedy its severe lack of compliance 474. In essence, the NL SA<br />
identifies the risk posed by the Draft Decision in that it allows the company to resume operations as<br />
usual while amending the compliance deficits (with regard to transparency), which they argue<br />
essentially deprives data subjects of their rights during a transition period 475.<br />
<br />
256. The FI SA also argues that the IE SA should “exercise effective, proportionate and dissuasive corrective<br />
powers” and order Meta IE to “bring its processing operations into compliance with the provision of<br />
Article 6(1) GDPR and prohibit to process users’ personal data for behavioural advertising by relying<br />
on Article 6(1)(b) GDPR as laid down in Article 58(2)(d) GDPR” 476. The HU SA reaches the same<br />
conclusion, proposing to apply the legal consequences under Article 58(2)(d) GDPR and to instruct the<br />
controller to indicate a different legal basis 477. On the risks, both the FI and the HU SAs state that the<br />
absence of appropriate and necessary corrective powers would amount to a dangerous precedent,<br />
sending a deceiving message to the market and to data subjects, whose fundamental rights and<br />
freedoms would ultimately be jeopardised 478. Moreover, the FI SA notes that the Draft Decision affects all<br />
data subjects within the EEA and that, therefore, the consequences of not making use of the corrective<br />
measures pursuant to Article 58(2) would be enormous 479.<br />
<br />
467 Draft Decision, paragraph 205.<br />
468 NL SA Objection, paragraph 55.<br />
469 NL SA Objection, paragraph 56.<br />
470 NL SA Objection, paragraph 56.<br />
471 NL SA Objection, paragraph 57.<br />
472 NL SA Objection, paragraph 58.<br />
473 NL SA Objection, paragraph 59.<br />
474 NL SA Objection, paragraph 63.<br />
475 NL SA Objection, paragraphs 57, 58, and 63.<br />
476 FI SA Objection, paragraph 25.<br />
477 HU SA Objection, p. 3.<br />
<br />
257. The AT SA requests that the LSA makes use of its corrective measures pursuant to Article 58(2) GDPR<br />
in relation to the additional infringement of Article 6(1)(b) GDPR 480, in order to bring the processing<br />
operations of the controller in line with the GDPR 481 and remedy the infringement 482. According to the<br />
AT SA, the IE SA should exercise “corrective powers” so as to ensure that Meta IE could not continue<br />
to unlawfully rely on Article 6(1)(b) GDPR for the processing of users’ personal data for behavioural<br />
advertising 483. More specifically, the AT SA suggests that the IE SA prohibits Meta IE “the processing<br />
of a user’s data for behavioural advertising by relying on Article 6(1)(b) GDPR” 484. In the absence of<br />
additional corrective measures, the AT SA considers that there is a risk “that [Meta IE] continues to<br />
unlawfully rely on Article 6(1)(b) GDPR for the processing of a user’s data for behavioural advertising<br />
and continues to undermine or bypass data protection principles” 485, which would affect millions of<br />
data subjects within the EEA and bear vast consequences 486.<br />
<br />
258. The FR SA notes that reversing the findings concerning the infringements of Article 6(1) GDPR also<br />
affects the scope of the corrective actions proposed by the IE SA, in addition to the administrative<br />
fine 487.<br />
<br />
259. Finally, according to the NO and DE SAs, the IE SA should take concrete corrective measures in relation<br />
to the additional infringement of Meta IE with Article 6(1)(b) GDPR, namely to order Meta IE to delete<br />
personal data that has been unlawfully processed on Article 6(1)(b) GDPR and to prohibit the use of<br />
this legal basis for such processing activities 488.<br />
<br />
478 FI SA Objection, paragraph 28; HU SA Objection, p. 4.<br />
479 FI SA Objection, paragraph 29.<br />
480 AT SA Objection, p. 7.<br />
481 AT SA Objection, p. 8. The AT SA also highlights that according to the CJEU where an infringement is found<br />
during a complaint-based procedure, the SA is under an obligation to take appropriate action by exercising<br />
corrective powers, and it cites C-311/18, paragraph 111. Additionally, the AT SA clarifies that although it takes<br />
the position that a complainant does not have a subjective right to request from the respective supervisory<br />
authority the exercise of a specific corrective power and it is up to the authority only to decide which action is<br />
appropriate and necessary (referring to C-311/18, paragraph 112), it finds the exercise of corrective powers to<br />
be necessary in the current case.<br />
482 AT SA Objection, p. 8-9.<br />
483 AT SA Objection, p. 7-8.<br />
484 AT SA Objection, p. 9.<br />
485 AT SA Objection, p. 7.<br />
486 AT SA Objection, p. 8.<br />
487 FR SA Objection, paragraph 50.<br />
488 DE SAs Objection, p. 10; NO SA Objection, p. 9.<br />
<br />
8.3 Position of the LSA on the objections<br />
<br />
260. The IE SA does not consider the objections above to be relevant and/or reasoned and does not follow<br />
them 489. Given that these objections were premised upon the requirement for the Draft Decision to<br />
include a finding of infringement of Article 6(1)(b) GDPR, on which the IE SA expressed its<br />
disagreement, the IE SA does not consider the objections requesting the exercise of a corrective power<br />
in response to a finding of infringement of Article 6(1)(b) GDPR as being relevant and reasoned 490.<br />
<br />
8.4 Assessment of the EDPB<br />
<br />
8.4.1 Assessment of whether the objections were relevant and reasoned<br />
<br />
261. The objections raised by the AT, DE, FI, FR, HU, NL and NO SAs concern “whether the action envisaged<br />
in the Draft Decision complies with the GDPR” 491.<br />
<br />
262. In addition to the primary argument levelled against all CSAs’ objections, Meta IE provides additional<br />
arguments on whether these are relevant and/or reasoned 492.<br />
<br />
263. Meta IE argues that the AT and NL SAs’ objections cannot be considered relevant because they are<br />
dependent on another objection, which Meta IE deems inadmissible and without merit 493. On the<br />
same basis, Meta IE refutes that the AT SA’s objection is adequately reasoned 494. As stated above, in<br />
Section 4.4.1, the EDPB finds the AT and NL SAs’ objections on the subject of Article 6(1)(b) GDPR<br />
relevant and reasoned 495.<br />
<br />
264. Additionally, Meta IE argues that the AT and NL SAs’ objections fail to set out how the Draft Decision<br />
would pose a direct and significant risk to fundamental rights and freedoms. First, Meta IE refers to<br />
their arguments put forward in response to the AT and NL SAs’ objections on the matter of compliance<br />
with Article 6(1)(b) GDPR 496. The EDPB has taken this line of reasoning into consideration above in<br />
Section 4.4.1 497. Second, Meta IE puts forward that the AT and NL SAs appear to consider that the<br />
Draft Decision provides “a mandate for Meta Ireland to unlawfully process data” 498. Meta IE points<br />
out that no such inference can be drawn from the Draft Decision, going on to draw the conclusion that<br />
“as the Draft Decision does not in any way give a blanket approval for any unlawful processing based<br />
on Article 6(1)(b) GDPR, there is no direct and significant risk to the fundamental rights and<br />
freedoms” 499. As to this second line of reasoning, the EDPB fails to see wording by which the AT SA or<br />
NL SA might have suggested it understands the Draft Decision as a mandate for Meta Ireland to<br />
unlawfully process data, thus limiting future investigations.<br />
<br />
489 Composite Response, paragraphs 103-104 (in response to the AT and FI SAs), paragraph 105 (in response to<br />
NL SA), paragraph 106 (in response to DE SAs), paragraph 107 (in response to NO SA) and paragraph 108 (in<br />
response to HU SA).<br />
490 Composite Response, paragraph 110.<br />
491 EDPB Guidelines on RRO, paragraph 32.<br />
492 Meta IE argues that “the EDPB cannot expand the scope of the Inquiry in the manner suggested by the CSAs<br />
through Objections that are not relevant to the substance of the Complaint.” and “such objections ought to be<br />
disregarded in their entirety by the EDPB”. The EDPB does not share this understanding, as explained above.<br />
See Section 4.4.1.<br />
493 Meta IE Article 65 Submissions, Annex 1, p. 71: “The AT SA’s Objection fails to satisfy the Sufficiently Relevant<br />
Threshold, because it is itself based on an Objection grounded in a mistaken allegation of infringement of Article<br />
6(1)(b) GDPR, which does not satisfy the Thresholds and lacks merit. Therefore, this Objection is not sufficiently<br />
relevant as it has no direct connection to the substance and reasoning of the Draft Decision.” Analogous wording<br />
is used in response to the NL SA’s objection in Meta IE Article 65 Submissions, Annex 1, p. 110.<br />
494 Meta IE Article 65 Submissions, Annex 1, p. 71: “The AT SA’s Objection fails to satisfy the Adequately Reasoned<br />
Threshold because it is premised on its Objection that Meta Ireland infringed Article 6(1) GDPR, which, as<br />
analysed in the previous section, does not satisfy the Thresholds and lacks merit”. Analogous wording is used in<br />
response to the NL SA’s objection in Meta IE Article 65 Submissions, Annex 1, p. 110.<br />
495 Paragraph 84 above.<br />
496 Meta IE Article 65 Submissions, Annex 1, p. 72 and p. 111.<br />
<br />
265. The NLSA disagreeswiththecorrectivemeasure chosenby theIESA inadditiontothe administrative<br />
<br />
fine, arguinga temporarybanon processing (Article58(2)(f) GDPR)should have been included inthe<br />
Draft Decision instead of an order to bring processing into compliance. If followed, this objection<br />
<br />
wouldleadtoadifferentconclusion astothechoiceofcorrectivemeasures.Inconsequence,theEDPB<br />
considers the objection tobe relevant.<br />
<br />
<br />
266. The NL SA argues that an order to bring processing into compliance entails that Meta IE would maintain its illegal conduct while it amends its compliance deficits 500. Conversely, a temporary ban on Meta IE’s processing of data would ensure that data processing is halted during the time needed for the company to change its practices to comply with the GDPR 501. In terms of risk, the NL SA puts forward that “not temporarily banning this processing would undermine the effectiveness of the GDPR”, and would continue to deprive data subjects of their rights during the transition period 502. The NL SA considers the risk significant, as the controller provides the Instagram service to hundreds of millions of users across Europe and because the processing involves special categories of personal data 503. Therefore, the EDPB considers the objection to be reasoned and to clearly demonstrate the significance of the risks posed by the Draft Decision.<br />
<br />
267. The AT SA disagrees with a specific part of the IE SA’s Draft Decision, namely Chapter 8 “Order to bring processing into compliance”, arguing that the LSA should have included corrective measures in order to remedy an infringement of Article 6(1)(b) GDPR 504. More specifically, the AT SA suggests that the IE SA prohibits Meta IE from relying on Article 6(1)(b) GDPR 505. Therefore, if followed, this objection would lead to a different conclusion as to the choice of corrective measures 506. In consequence, the EDPB considers the objection to be relevant.<br />
<br />
268. Furthermore, the AT SA argues that when an infringement is found - notably in light of other objections raised in the current case in relation to the additional infringement of Article 6(1)(b) - the supervisory authority is under an obligation to issue appropriate corrective measures pursuant to Article 58(2) GDPR. In terms of risk, the AT SA argues that without this amendment of the Draft Decision, Meta IE “could simply continue to unlawfully rely on Article 6(1)(b) GDPR and to undermine data protection principles” which would continue to affect millions of data subjects within the EEA 507. Therefore, the EDPB considers the objection to be reasoned and to clearly demonstrate the significance of the risks posed by the Draft Decision.<br />
<br />
497 Paragraph 82 above.<br />
498 Meta IE Article 65 Submissions, Annex 1, p. 111. Analogous wording is used in response to the AT SA, Meta IE's Article 65 Submissions, Annex 1, p. 72.<br />
499 Meta IE Article 65 Submissions, Annex 1, p. 111. Analogous wording is used in response to the AT SA, Meta IE's Article 65 Submissions, Annex 1, p. 72.<br />
500 NL SA Objection, paragraphs 57-58.<br />
501 NL SA Objection, paragraph 63.<br />
502 NL SA Objection, paragraphs 58-59.<br />
503 NL SA Objection, paragraphs 58-59.<br />
504 AT SA Objection, pp. 7-8.<br />
505 AT SA Objection, pp. 7-8.<br />
506 AT SA Objection, pp. 7-8.<br />
<br />
<br />
269. Considering the above, the EDPB finds that the objections of the AT and NL SAs requesting additional and/or alternative specific corrective measures to be imposed are relevant and reasoned pursuant to Article 4(24) GDPR.<br />
<br />
270. In addition, the EDPB recalls the analysis made in Section 4.4.1 above concerning the objections in relation to the additional breach by Meta IE of its lawfulness obligation made by the FR SA (requesting to take appropriate corrective measures), and by the FI and HU SAs (asking the LSA to take corrective measures under Article 58(2)(d) GDPR), which were found to be relevant and reasoned.<br />
<br />
271. The EDPB recalls that the DE and NO SAs called on the LSA to take specific corrective measures in the event the EDPB followed their objection on compliance with Article 6(1)(b) GDPR. The EDPB considers these to be reflections upon how, in their view, the LSA should give full effect to the binding direction(s) as set out in the EDPB’s decision 508. In the absence of legal or factual arguments that would justify including these specific corrective measures in the Draft Decision as opposed to others, the EDPB does not consider this aspect of the DE and NO SAs’ objections to meet the requirements of Article 4(24) GDPR as they are not sufficiently reasoned.<br />
<br />
8.4.2 Assessment on the merits<br />
<br />
Preliminary matters<br />
<br />
272. The EDPB considers that the objections found to be relevant and reasoned in this subsection require an assessment of whether the Draft Decision needs to be changed in respect of the corrective measures proposed. More specifically, the EDPB needs to assess the request to impose a ban of processing for both the infringements of the transparency obligations found by the LSA and the additional infringement of Article 6(1) GDPR established above in Section 4.4.2, and the connected issue of the corrective measure to be imposed for the infringement of Article 6(1) GDPR. When assessing the merits of the objections raised, the EDPB also takes into account Meta IE’s position on the objection and its submissions.<br />
<br />
273. By way of introduction, the EDPB highlights that the analysis carried out in this section does not refer to the content of the Draft Decision and of the objections in respect of the imposition of administrative fines, which are covered below in Section 9.<br />
<br />
507 AT SA Objection, p. 8.<br />
508 EDPB Guidelines on Article 65(1)(a) GDPR, paragraph 50.<br />
<br />
Meta IE’s position on the objections and its submissions<br />
<br />
274. Meta IE considers the LSA has sole discretion to determine the appropriate corrective measures in the event of a finding of infringement 509 and that the EDPB lacks competence to determine or adopt decisions on appropriate corrective measures 510.<br />
<br />
275. While Meta IE acknowledges that “Article 65(1) GDPR allows the EDPB to consider reasoned objections as to whether the envisaged corrective measures comply with the GDPR”, it argues that CSAs are strictly limited to criticism of the corrective measures already put forward in the Draft Decision by the LSA. Therefore, according to Meta IE, “should the EDPB find an infringement of Article 6(1) GDPR [...], the appropriate course would be to refer the matter back to the LSA (i.e. the DPC) to determine whether to impose any appropriate corrective measures. To do otherwise, including direct the DPC to make a specific order in the terms proposed by certain Objections, would exceed the EDPB’s competence under Article 65 GDPR” 511.<br />
<br />
276. With respect to the issue of the corrective measure to be imposed for the infringement of Article 6(1) GDPR, if any, Meta IE argues that a temporary ban is neither necessary, nor proportionate to achieve the objective of ensuring compliance with the GDPR, as there exist alternative, less onerous measures to bring its processing operation into compliance with the GDPR 512. In addition, Meta IE contends that it would be both unfair and disproportionate to order an immediate ban given that it relied upon a good faith understanding as to what it considered to be a valid legal basis 513. Further, Meta IE considers there is no urgent necessity for a ban based on other decisions taken under the Article 60 GDPR cooperation mechanism in similar circumstances 514. Finally, Meta IE puts forward the significant impact of a temporary ban not only on its activities but also on third parties’ business, such as small and medium sized businesses across Europe, relying on the platform for behavioural advertising 515.<br />
<br />
EDPB’s assessment on the merits<br />
<br />
277. First of all, according to the EDPB, the views of Meta IE amount to a misunderstanding of the GDPR one-stop-shop mechanism and of the shared competences of the CSAs. The EDPB recalls that the GDPR requires supervisory authorities to cooperate pursuant to Article 60 GDPR to achieve a consistent interpretation of the Regulation 516. The fact that the LSA will be the authority that can ultimately exercise the corrective powers listed in Article 58(2) GDPR can neither limit the role of the CSAs within the cooperation procedure nor that of the EDPB in the consistency procedure 517.<br />
<br />
509 Meta IE Article 65 Submissions, paragraphs 8.4 and 8.18.<br />
510 Meta IE Article 65 Submissions, paragraph 8.6.<br />
511 Meta IE Article 65 Submissions, paragraph 8.13.<br />
512 Meta IE Article 65 Submissions, paragraph 8.27.<br />
513 Meta IE Article 65 Submissions, paragraph 8.28.<br />
514 Meta IE Article 65 Submissions, paragraph 8.28.<br />
515 Meta IE Article 65 Submissions, paragraph 8.29.<br />
516 See Art. 51(2), Art. 60, Art. 61(1) GDPR, and C-645/19, Facebook v Gegevensbeschermingsautoriteit, paragraphs 53, 63, 68, 72.<br />
517 See Art. 63 and 65 GDPR. In this regard it should be noted that Recital 11 GDPR stresses that ‘effective protection of personal data throughout the Union requires [...] equivalent sanctions for infringements in the Member States’. Therefore, in order to ensure this ‘consistent monitoring and enforcement’ of the GDPR, the legislator has decided to provide supervisory authorities with the ‘same corrective powers’ (Recital 129 GDPR).<br />
<br />
278. More specifically, when raising an objection on the existing or missing corrective measure(s) in the Draft Decision, the CSAs should indicate which action they believe would be appropriate for the LSA to undertake and include in the final decision 518. In case of disagreement on these objections, the dispute resolution competence of the EDPB covers “all the matters which are the subject of the relevant and reasoned objection” (emphasis added) 519. Therefore, contrary to Meta IE’s views, the consistency mechanism may also be used to promote a consistent application by the supervisory authorities of their corrective powers, taking into account the range of powers listed in Article 58(2) GDPR 520, when a relevant and reasoned objection questions the action(s) envisaged by the Draft Decision vis-à-vis the controller/processor, or the absence thereof.<br />
<br />
279. In addition, the EDPB finds that Meta IE misunderstands the AT SA’s objection when it argues that it does acknowledge that it is for the LSA alone to decide which corrective measures are appropriate and necessary, by citing paragraph 112 of the Schrems II CJEU judgment 521. In fact, the AT SA does no such thing: in its objection it stated “a complainant does not have a subjective right to request from the respective supervisory authority (in this case: the DPC) the exercise of a specific corrective power and it is for the supervisory authority alone to decide which action is appropriate and necessary (see C-311/18, point 112)” 522 and did not engage in an interpretation of how Article 58(2) GDPR is to be understood in cross-border cases in the sections referred to. The cooperation and consistency mechanism of the GDPR is not addressed in CJEU ruling C-311/18 (Schrems II) either.<br />
<br />
280. Moving on to the analysis of the issue of corrective measures as required by the objections found to be relevant and reasoned above, the EDPB recalls that when a violation of the GDPR has been established, competent supervisory authorities are required to react appropriately to remedy this infringement in accordance with the means provided to them by Article 58(2) GDPR 523. Article 58(2) GDPR provides a wide choice of effective tools for the authorities to take action against infringements of the Regulation and which can be imposed in addition to or instead of a fine. According to Recital 129 GDPR, every corrective measure applied by a supervisory authority under Article 58(2) GDPR should be “appropriate, necessary and proportionate in view of ensuring compliance with the Regulation” in light of all the circumstances of each individual case. Recital 148 GDPR shows the duty for supervisory authorities to impose corrective measures that are proportionate to the seriousness of the infringement 524. This highlights the need for the corrective measures and any exercise of powers by supervisory authorities to be tailored to the specific case 525.<br />
<br />
281. Considering the nature and gravity of the infringement of Article 6(1)(b) GDPR established above in Section 4.4.2, as well as the number of data subjects affected, the EDPB shares the view of the AT, FI, FR, HU and NL SAs that it is particularly important that appropriate corrective measures be imposed, in addition to a fine, in order to ensure that Meta IE complies with this provision of the GDPR.<br />
<br />
518 See EDPB Guidelines on RRO, paragraph 33.<br />
519 Art. 65(1)(a) GDPR.<br />
520 See EDPB Guidelines on Article 65(1)(a) GDPR, paragraph 92.<br />
521 Meta IE Article 65 Submissions, paragraph 8.6. See above paragraph 274.<br />
522 AT SA Objection, p. 8.<br />
523 C-311/18, Schrems II, paragraph 111.<br />
524 Recital 148 GDPR states, for instance: “in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine”. The EDPB confirmed that “the indications provided by this Recital can be relevant for the imposition of corrective measures in general and for the choice of the combination of corrective measures that is appropriate and proportionate to the infringement committed”. EDPB Binding Decision 1/2021, paragraph 256.<br />
525 EDPB Binding Decision 1/2021, paragraph 256.<br />
<br />
282. In respect of which measure should be imposed, as stated, the NL SA argues that the IE SA's proposal to order Meta IE to comply with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR within a period of three months is not appropriate, considering these breaches in conjunction with the gravity of the additional breaches of Article 6(1)(b) and Article 9(2) GDPR identified in its objection 526. Instead, the NL SA is of the opinion that only a temporary ban imposed in respect of all these infringements can effectively protect the rights of the data subjects during the transition period in which the controller remedies these violations 527. The FI SA considers that the IE SA should “exercise effective, proportionate and dissuasive corrective powers” and, taking into account the nature of the infringement, order Meta IE to “bring its processing operations into compliance with the provision of Article 6(1) GDPR and prohibit to process users’ personal data for behavioural advertising by relying on Article 6(1)(b) GDPR as laid down in Article 58(2)(d) GDPR” 528. The HU SA proposes to apply the legal consequences under Article 58(2)(d) GDPR in relation to the violation of Article 6(1) GDPR by Meta IE and to instruct the controller to indicate another alternative legal basis 529. In addition, the AT SA calls on the IE SA to use its corrective powers under Article 58(2) GDPR in order to bring the processing operations of Meta IE into line with the GDPR, and suggests “that the DPC prohibits Facebook the processing of a user’s data for behavioural advertising by relying on Article 6(1)(b)”, stating that “otherwise, Facebook could simply continue to unlawfully rely on Article 6(1)(b) GDPR” 530.<br />
<br />
283. Meta IE argues that a temporary ban would not be necessary as less onerous measures could be imposed and that it would be unfair and disproportionate, also considering its impact on third parties 531.<br />
<br />
284. The EDPB agrees with the observations made by the NL SA that the infringement found in the case at hand constitutes a “very serious situation of non-compliance” 532 with the GDPR, in relation to processing of “extensive amounts of [...] data, which is essential to the controller’s business model” 533, thus harming “the rights and freedoms of millions of data subjects in the EEA” 534. As a result, the EDPB shares the NL SA’s concern that the corrective measure chosen in the circumstances of this case should aim to bring the processing into compliance with the GDPR, thus minimising the potential harm to data subjects created by the violations of the GDPR.<br />
<br />
526 NL SA Objection, paragraph 57. In this respect, the EDPB recalls that, as stated in Sections 4.4.2 and 5.4.2 above, while the EDPB finds that the IE SA should have found an infringement of Art. 6(1)(b) GDPR in its Draft Decision, it does not have sufficient factual evidence allowing it to find a possible infringement by Meta IE of its obligations under Art. 9(2) GDPR.<br />
527 NL SA Objection, paragraph 58.<br />
528 FI SA Objection, paragraph 25.<br />
529 HU SA Objection, p. 3.<br />
530 AT SA Objection, pp. 8-9.<br />
531 Meta IE Article 65 Submissions, paragraphs 8.27-8.28.<br />
532 NL SA Objection, paragraph 54.<br />
533 NL SA Objection, paragraph 58.<br />
534 NL SA Objection, paragraph 57.<br />
<br />
285. In addition, the EDPB recalls that contrary to Meta IE’s contention, it is not necessary to establish an ‘urgent necessity’ 535 for imposing a temporary ban, in that nothing in the GDPR limits the application of Article 58(2)(f) GDPR to exceptional circumstances 536.<br />
<br />
286. At the same time, the EDPB notes that in assessing the appropriate measure to be applied, Recital 129 GDPR provides that consideration should be given to ensuring that the measure chosen does not create “superfluous costs” and “excessive inconveniences” for the persons concerned in light of the objective pursued. When choosing the appropriate corrective measure, there is a need to assess whether the chosen measure is necessary to enforce the GDPR and achieve protection of the data subjects with regard to the processing of their personal data, which is the objective being pursued 537. Compliance with the principle of proportionality requires ensuring that the chosen measure does not create disproportionate disadvantages in relation to the aim pursued.<br />
<br />
287. The EDPB takes note of the elements raised by the objections, particularly the NL SA, to justify the need for imposing a temporary ban, consisting in essence in the need to halt the processing activities that are being undertaken in violation of the GDPR until compliance is ensured in order to avoid further prejudicing data subject rights. However, the EDPB considers that the objective of ensuring compliance and bringing the harm to the data subjects to an end can, in this particular case, be adequately met also by amending the order to bring processing into compliance envisaged in the Draft Decision to reflect Meta IE’s infringement of Article 6(1) GDPR identified in Section 4.4.2 of this Binding Decision. In addition to the fines that will be imposed, this measure would require Meta IE to put in place the necessary technical and operational measures to achieve compliance within a set timeframe.<br />
<br />
288. In respect of the imposition of an order to bring processing into compliance, Meta IE submits that any such order should “afford a reasonable opportunity” to Meta IE to comply 538. When determining the transition period for bringing Meta IE’s processing into compliance with the GDPR, the EDPB requests that the IE SA gives due regard to the harm caused to the data subjects by the continuation of Meta IE’s infringement of Article 6(1) GDPR during this period. More specifically, the order should require Meta IE to restore compliance within a short period of time. In this respect, the EDPB notes that, in response to Meta IE’s submission, the IE SA considered the three-month deadline for compliance for the infringements of Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR necessary and proportionate in light of the potential for harms to the data subjects’ rights that such a measure entails, considering that the interim period for compliance “will involve a serious ongoing deprivation of their rights” 539. The LSA also points out the significant financial, technological, and human resources, as well as the clear instructions provided to Meta IE to comply with the GDPR 540. The EDPB considers that this line of reasoning applies all the more to the corrective measures imposed in relation to Meta IE’s infringement of Article 6(1) GDPR.<br />
<br />
535 Meta IE Article 65 Submissions, paragraph 8.28.<br />
536 See a contrario Art. 4 Implementing Decision 2010/87, in its version prior to the entry into force of Implementing Decision 2016/2297; C-311/18 Schrems II, paragraph 114.<br />
537 C-311/18, Schrems II, paragraph 112: “Although the supervisory authority must determine which action is appropriate and necessary and take into consideration all the circumstances [...] in that determination, the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence”.<br />
538 Meta IE Article 65 Submissions, point 8.31.<br />
539 Draft Decision, paragraph 202. In this regard, Meta IE argues that this was not a reasonable period of time within which to make the necessary changes, as the changes would be resource-intensive and would require “sufficient lead in time for preparing, drafting, designing and engineering the relevant changes, conducting and taking account of user testing of the proposed changes, internal cross-functional engagement as well as of course engagement with the Commission, and localisation and translation of the information for countries in the European Region”. Draft Decision, paragraph 201.<br />
<br />
289. Finally, the EDPB recalls that non-compliance with an order issued by a supervisory authority can be relevant both in terms of it being subject to administrative fines up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year in line with Article 83(6) GDPR, and in terms of it being an aggravating factor for the imposition of administrative fines 541. In addition, the investigative powers of supervisory authorities allow them to order the provision of all the information necessary for the performance of their tasks including the verification of compliance with one of their orders 542.<br />
<br />
290. The EDPB therefore instructs the IE SA to include in its final decision an order for Meta IE to bring its processing of personal data for the purpose of behavioural advertising in the context of the Instagram services into compliance with Article 6(1) GDPR within three months.<br />
<br />
291. In addition, the EDPB notes that the current wording of the order “to bring the Data Policy and Terms of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR as regards information provided on data processed pursuant to Article 6(1)(b) GDPR” should be modified in order to reflect the EDPB’s findings in Section 4.4.2 that Meta IE is not allowed to rely on Article 6(1)(b) GDPR for the processing of personal data for the purpose of behavioural advertising. Therefore, the EDPB instructs the LSA to adjust its order to Meta IE to bring its Instagram Data Policy and Terms of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR within three months, to refer not only to information provided on data processed pursuant to Article 6(1)(b) GDPR, but also on data processed for the purpose of behavioural advertising in the context of Instagram services (to reflect the finding of the EDPB in Section 4.4.2 that for this processing the controller cannot rely on Article 6(1)(b) GDPR).<br />
<br />
540 Draft Decision, paragraph 202.<br />
541 Art. 83(2)(i) GDPR.<br />
542 Art. 58(1) GDPR.<br />
<br />
9 ON THE DETERMINATION OF THE ADMINISTRATIVE FINE<br />
<br />
<br />
292. The EDPB recalls that the consistency mechanism may also be used to promote a consistent application of administrative fines 543.<br />
<br />
9.1 On the determination of the administrative fine for the transparency infringements<br />
<br />
9.1.1 Analysis by the LSA in the Draft Decision<br />
<br />
The application of the criteria under Article 83(2) GDPR<br />
<br />
293. In its Draft Decision, the IE SA explains how it considered the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine and to determine its amount in the circumstances of this case 544. The most pertinent criteria for the present dispute are summarised below.<br />
<br />
The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them (Article 83(2)(a) GDPR)<br />
<br />
294. The IE SA explains that it assesses the infringements of Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR identified in the Draft Decision simultaneously in the context of the Article 83(2) GDPR criteria 545. Further, the IE SA explains that “the processing concerned” refers to “all of the processing operations that [Meta IE] carries out in the context of the Instagram service on the personal data under its controllership for which it relies on Article 6(1)(b) GDPR”, in line with the scope of the inquiry (permissibility in principle of processing personal data for behavioural advertising) 546.<br />
<br />
295. In terms of the nature of the infringements, the IE SA explains that they concern a cornerstone of data subject rights, namely the right to information. The IE SA argues that “the provision of the information concerned goes to the very heart of the fundamental right of the individual to protection of personal data which stems from the free will and autonomy of the individual to share their personal data in a voluntary situation such as this. If the required information has not been provided, the data subject has been deprived of the ability to make a fully informed decision as to whether they wish to use a service that involves the processing of their personal data and engages their associated rights. Furthermore, the extent to which a data controller has complied with its transparency obligations has a direct impact on the effectiveness of the other data subject rights. If data subjects have not been provided with the prescribed information, they may be deprived of the knowledge they need in order to consider exercising one of the other data subject rights” 547. Further, the IE SA points out that the breach of the transparency principle by Meta IE has the potential to undermine other fundamental data protection principles such as the principles of fairness and accountability 548. Finally, the IE SA notes that the European legislator included infringements on the right to information and Article 5 GDPR in Article 83(5) GDPR, which carries the highest maximum fine 549.<br />
<br />
543 See Recital 150 GDPR; EDPB Guidelines on RRO, paragraph 34 and EDPB Guidelines on Article 65(1)(a) GDPR, paragraph 91.<br />
544 Draft Decision, paragraphs 206-207.<br />
545 “While I emphasise that each is an individual and discrete “infringement” of the GDPR, I am proposing to assess all three infringements simultaneously as all concern transparency and, by reason of their common nature and purpose, are likely to generate the same, or similar, outcomes in the context of some of the Article 83(2) GDPR assessment criteria”. Draft Decision, paragraph 209.<br />
546 Draft Decision, paragraph 210.<br />
547 Draft Decision, paragraph 212.<br />
<br />
<br />
296. In terms of the gravity of the infringements, the IE SA explains that Meta IE is found to also have infringed Article 12(1) and Article 5(1)(a) GDPR because the company has not provided the required information in the required manner under Article 13(1)(c) GDPR. The IE SA adds that this “represents a significant level of non-compliance, taking into account the importance of the right to information, the consequent impact on the data subjects concerned and the number of data subjects potentially affected” 550.<br />
<br />
297. With regards to the nature, scope or purpose of the processing concerned, the IE SA considers that the “processing carried out by [Meta IE] in the context of the Instagram service pursuant to Article 6(1)(b) GDPR is extensive. [Meta IE] processes a variety of data in order to provide Instagram users with a ‘personalised’ experience, including by way of serving personalised advertisements. The processing is central to and essential to the business model offered, and, for this reason, the provision of compliant information in relation to that processing becomes even more important. This, indeed, may include location and IP address data” 551.<br />
<br />
298. With reference to the number of data subjects affected, the IE SA points out that, as Meta IE confirmed, “as of the date of the commencement of the Inquiry, i.e. 31 August 2018, [Meta IE] had approximately monthly active accounts and, as of December 2021, it had approximately monthly active users in the European Economic Area” 552. While noting the figures provided by Meta IE incorrectly excluded the number of UK active accounts to which the GDPR was applicable at the date of the Complaint, the LSA considered that, when measuring these figures by reference to the total population of the EEA (including the UK), a “significant portion of the population of the EEA seems to have been impacted by the infringements” 553.<br />
<br />
299. In terms of damages suffered by affected data subjects, the IE SA finds that “failure to provide all of the prescribed information undermines the effectiveness of the data subject rights and, consequently, infringes the rights and freedoms of the data subjects concerned. A core element of transparency is empowering data subjects to make informed decisions about engaging with activities that cause their personal data to be processed, and making informed decisions about whether to exercise particular rights, and whether they can do so. This right is undermined by a lack of transparency on the part of a data controller” 554.<br />
<br />
300. On Article 83(2)(a) GDPR, the IE SA concludes that “[the] infringements are serious in nature. The lack of transparency goes to the heart of data subject rights and risks undermining their effectiveness by not providing transparent information in that regard. While the infringements considered here relate to one lawful basis, it nonetheless concerns vast swathes of personal data impacting millions of data subjects. When such factors are considered, it is clear that the infringements are serious in their gravity” 555. The IE SA further notes the impact of the infringement on a “significant portion of the population of the EEA”, as well as on “data subject’s ability to be fully informed about their data protection rights, or indeed about whether in their view they should exercise those rights” 556.<br />
<br />
548 Draft Decision, paragraph 213.<br />
549 Draft Decision, paragraph 214.<br />
550 Draft Decision, paragraph 216.<br />
551 Draft Decision, paragraph 221.<br />
552 Draft Decision, paragraph 223.<br />
553 Draft Decision, paragraphs 223-225 and 253.<br />
554 Draft Decision, paragraph 228.<br />
<br />
<br />
301. The IE SA does not attach significant weight to the duration of the infringements 557, considering that<br />
the complaint - and therefore the Inquiry - was made against a specific set of documents (Instagram’s<br />
Data Policy and Terms of Use) and that more recent versions of the relevant documents are outside<br />
the scope of the Inquiry 558.<br />
<br />
<br />
The intentional or negligent character of the infringements (Article 83(2)(b) GDPR)<br />
<br />
<br />
302. The IE SA notes the complainant’s view that the infringement arose from “[Meta IE] made a deliberate<br />
and calculated decision to present the information in a particular manner such as to mislead data<br />
subject” 559 but states that there is no evidence that Meta IE “made a deliberate decision to present<br />
the information to data subject in a particular way” 560. The IE SA further notes that the EDPB<br />
Guidelines on Administrative Fines “recognise that an intentional breach generally only occurs where<br />
there is a deliberate act to infringe the GDPR”, and that, in this regard, “a finding of intentionality is<br />
predicated on knowledge and wilfulness as to characteristics of an offence”. The IE SA finds there was<br />
no evidence of an intentional and knowing breach of a provision of the GDPR. The IE SA however finds<br />
that the infringement was negligent, taking into account “the failure of an organisation of this size to<br />
provide sufficiently transparent materials in relation to the core of its business model” 561.<br />
<br />
<br />
The action taken by the controller or processor to mitigate the damage suffered by data subjects<br />
(Article 83(2)(c) GDPR)<br />
<br />
<br />
303. The IE SA notes Meta IE’s position that it “has discharged its transparency obligations in respect of the<br />
Instagram service and, accordingly, complies fully with the GDPR in this respect.” Notwithstanding<br />
their disagreement with this position, the IE SA “accept[s] that it represents a genuinely held belief on<br />
[Meta IE’s] part”. On that basis, the IE SA notes that “there has not been an effort to mitigate the<br />
damage to data subjects, as it was [Meta IE’s] position that data subjects were incurring no such<br />
damage” 562. The IE SA is not swayed by Meta IE’s argument that their efforts to comply with the GDPR<br />
should be taken into consideration, as - in general - compliance with the GDPR is a duty imposed on<br />
each controller. In the present case, the IE SA finds this factor is neither mitigating nor aggravating<br />
insofar as “beyond simply complying with the GDPR, there are no obvious mitigating steps that could<br />
have been taken” 563. Notwithstanding this, the IE SA identifies a mitigating factor in Meta IE’s<br />
willingness to engage in steps to bring its processing into compliance on a voluntary basis pending the<br />
conclusion of the inquiry 564.<br />
<br />
555 Draft Decision, paragraph 253.<br />
556 Draft Decision, paragraph 253.<br />
557 Draft Decision, paragraph 253.<br />
558 Draft Decision, paragraphs 218 and 253. The IE SA notes, however, that “In imposing corrective powers [...]<br />
the GDPR requires that the broader impact of infringements be considered” (Draft Decision, paragraph 218).<br />
559 Draft Decision, paragraph 231.<br />
560 Draft Decision, paragraph 232. In its analysis, the IE SA takes into consideration the EDPB Guidelines on<br />
Administrative Fines on the notions of ‘intentional’ and ‘negligent’. Draft Decision, paragraphs 230-232.<br />
561 In this regard, the IE SA notes that “Meta Ireland should have been aware of its transparency requirements,<br />
especially in light of the transparency guidelines and should have provided clarity about the precise extent of the<br />
processing operations carried out pursuant to Article 6(1)(b) GDPR. Meta Ireland further should have ensured<br />
that it adhered strictly to its transparency obligations when choosing the lawful bases on which they rely and<br />
should have used these obligations as a guide as to the information to be conveyed to data subjects” (Draft<br />
Decision, paragraph 253).<br />
562 Draft Decision, paragraph 234.<br />
<br />
<br />
The degree of responsibility of the controller taking into account technical and organisational<br />
measures implemented pursuant to Articles 25 and 32 (Article 83(2)(d) GDPR)<br />
<br />
<br />
304. The IE SA does mention this factor as an aggravating factor in the Draft Decision. The IE SA takes the<br />
view that, considering that guidance on transparency was available to Meta IE at the date of the<br />
complaint, it “should have been aware of the appropriate standards – albeit at a general level – and,<br />
having made a deliberate decision to present the information in a manner which fell significantly below<br />
the standard required, has a high degree of responsibility for the lack of compliance with the GDPR” 565.<br />
<br />
<br />
Any relevant previous infringements by the controller or processor (Article 83(2)(e) GDPR)<br />
<br />
<br />
305. The IE SA does not mention this factor as an aggravating or mitigating factor in the Draft Decision 566,<br />
taking into consideration that “the Commission has not made any findings of infringements by Meta<br />
Ireland in the context of the Instagram service which could be considered relevant for [this]<br />
assessment” 567.<br />
<br />
The categories of personal data affected by the infringements (Article 83(2)(g) GDPR)<br />
<br />
<br />
306. The IE SA notes that “[the] lack of transparency concerned broad categories of personal data relating<br />
to users who sign up to the Instagram service” 568. Although acknowledging that the assessment made<br />
by the IE SA in this Inquiry “was rather generalised in nature”, the LSA points out that the lack of<br />
transparency by Meta IE contributed to the “lack of clarity as to the precise categories of personal<br />
data relevant for this Inquiry” 569.<br />
<br />
<br />
307. Nonetheless, the IE SA concludes that, in the absence of evidence that these personal data are of a<br />
particularly sensitive nature, this factor should be regarded as neither aggravating nor mitigating 570.<br />
<br />
<br />
563 Draft Decision, paragraph 235.<br />
564 Draft Decision, paragraph 236.<br />
565 Draft Decision, paragraph 240.<br />
566 Draft Decision, paragraph 253.<br />
567 Draft Decision, paragraphs 241 and 243. The IE SA notes their disagreement with Meta IE Article 65<br />
Submissions that the absence of previous decision should be considered as a mitigating factor.<br />
568 Draft Decision, paragraph 247.<br />
569 Draft Decision, paragraph 247.<br />
570 Draft Decision, paragraph 247.<br />
<br />
The manner in which the infringements became known to the supervisory authority (Article 83(2)(h)<br />
GDPR)<br />
<br />
308. The IE SA notes that “[the] subject matter became known to the Commission due to an Inquiry<br />
conducted on foot of the Complaint. The subject matter did not give rise to any requirement of<br />
notification, and I have already acknowledged several times that the controller’s genuinely held belief<br />
is that no infringement is/was occurring” 571. The IE SA does not mention this factor as an aggravating<br />
or mitigating factor in the Draft Decision 572.<br />
<br />
<br />
Any other aggravating or mitigating factor (Article 83(2)(k) GDPR)<br />
<br />
<br />
309. The IE SA considers whether the “lack of transparency has the potential to have resulted in financial<br />
benefits for [Meta IE]” based on the view that a “more transparent approach to processing operations<br />
carried out on foot of that contract would represent a risk to [Meta IE]’s business model”, which would<br />
be the case “if existing or prospective users were dissuaded from using the Instagram service by clearer<br />
explanations of the processing operations carried out, and their purposes”. The IE SA concludes that<br />
this factor is neither aggravating nor mitigating, arguing that “any general consideration of this [factor]<br />
ultimately involves an element of speculation on both [Meta IE]’s and the Commission’s part” 573.<br />
<br />
<br />
The application of the criteria under Article 83(1) GDPR<br />
<br />
310. Based on these circumstances, the IE SA considers that administrative fines pursuant to Article 58(2)(i)<br />
GDPR and Article 83 GDPR, totaling an amount not less than €18 million and an amount not more than<br />
€23 million should be issued on Meta IE for the infringement of Article 5(1)(a), Article 12(1) and Article<br />
13(1)(c) GDPR in the context of Instagram service 574.<br />
<br />
<br />
311. The LSA considers that the proposed administrative fines are effective, proportionate and dissuasive<br />
taking into account all of the circumstances of the Inquiry 575. Regarding the effectiveness, the IE SA<br />
argues that the “infringements are serious, both in terms of the extremely large number of data<br />
subjects potentially affected, the categories of personal data involved, and the consequences that flow<br />
from the failure to comply with the transparency requirements for users” 576. Concerning the<br />
dissuasiveness, the LSA states that the fine must “dissuade both the controller/processor concerned<br />
as well as other controllers/processors carrying out similar processing operations from repeating the<br />
conduct concerned” 577. As regards the proportionality, the IE SA considers that the fines proposed “do<br />
not exceed what is necessary to enforce compliance with the GDPR, taking into account the size of<br />
Instagram user base, the impact of the infringements on the effectiveness of the data subject rights<br />
enshrined in Chapter III of the GDPR and the importance of those rights in the context of the GDPR as<br />
a whole” 578.<br />
<br />
571 Draft Decision, paragraph 248.<br />
572 Draft Decision, paragraph 253.<br />
573 Draft Decision, paragraphs 251-252.<br />
574 Draft Decision, sections 9 and 10. More specifically, the IE SA proposes the following administrative fines<br />
(Draft Decision, paragraph 254):<br />
- a fine of between €11.5 million and €14 million for the failure to provide sufficient information in relation to<br />
the processing operations carried out on foot of Article 6(1)(b) GDPR, thereby infringing Articles 5(1)(a) and<br />
13(1)(c) GDPR;<br />
- a fine of between €6.5 million and €9 million for the failure to provide the information that was provided on<br />
the processing operations carried out on foot of Article 6(1)(b) GDPR, in a concise, transparent, intelligible and<br />
easily accessible form, using clear and plain language, thereby infringing Articles 5(1)(a) and 12(1) GDPR.<br />
The proposed administrative fines are to be applied cumulatively, as they do not surpass the maximum provided<br />
for in Art. 83(5) GDPR. See Draft Decision, paragraphs 264, 295 and 296.<br />
575 Draft Decision, paragraph 258.<br />
576 Draft Decision, paragraph 255.<br />
<br />
<br />
312. The IE SA refers to the need to take into account the undertaking’s turnover in the calculation of the<br />
maximum possible fine amounts 579. The notion of “undertaking” is determined to refer to Meta<br />
Platforms, Inc. 580. The IE SA takes into consideration the revenue reported by Meta Platforms, Inc. for<br />
the year ending 31 December 2020 ($85.965 billion) 581.<br />
<br />
<br />
9.1.2 Summary of the objections raised by the CSAs<br />
<br />
<br />
313. The DE, FR, IT, NL, and NO SAs 582 object to the envisaged action taken by the LSA with regard to the<br />
administrative fine proposed in the Draft Decision concerning the infringements of the transparency<br />
obligations by asking the IE SA to impose a (significantly) higher administrative fine 583 with reference<br />
to the established infringements.<br />
<br />
<br />
314. The dispute arising from these objections concerns whether the proposed fine is effective,<br />
proportionate and dissuasive pursuant to Article 83(1) GDPR 584. With reference to these three<br />
criteria, the above mentioned CSAs, specifically, argue as follows.<br />
<br />
<br />
315. According to the DE SAs, the fine proposed by the LSA in the Draft Decision is not proportionate with<br />
regard to the financial position of the undertaking. More specifically, the DE SAs argue that the<br />
envisaged fine of at most 23 million euros is not proportionate compared to the worldwide annual<br />
turnover of Meta Platforms, Inc. 585. The DE SAs point out that the proposed fine “represents only about<br />
0.03% of the turnover of Meta Platforms, Inc. and about 0.72% of the maximum fine” 586. With respect<br />
to dissuasiveness, the DE SAs consider that the fine proposed by the LSA “weakens the position of<br />
supervisory authorities and endangers compliance with the GDPR” as this would leave controllers<br />
under the impression that “enforcement of the GDPR will not be felt economically” 587.<br />
<br />
<br />
316. The FR SA argues that the amount of the envisaged fine “seems low and hardly compatible with the<br />
objective set by Article 83(1) GDPR of ensuring to impose dissuasive fines” taking into account “the<br />
number of data subjects concerned, the particularly intrusive nature of the processing operations in<br />
question, the breaches observed, the position of Meta Platforms Ireland Limited as a quasi-monopolist<br />
and its financial situation” 588. In this respect, the FR SA notes that the fine proposed by the IE SA is not<br />
proportionate since “the cumulative amount of the two breaches of the provisions of Articles 5-1-a)<br />
and 13-1-c) of the GDPR, on the one hand, and the provisions of Articles 5-1-a) and 12-1 of the GDPR,<br />
on the other hand, represents only about 0.03% of the turnover of Meta Platforms Inc. and less than<br />
1% of the maximum fine” 589.<br />
<br />
577 Draft Decision, paragraph 256.<br />
578 Draft Decision, paragraph 257.<br />
579 Draft Decision, paragraph 274.<br />
580 Draft Decision, paragraphs 275-295. Formerly Facebook, Inc.<br />
581 Draft Decision, paragraph 295.<br />
582 DE SAs Objection, pp. 10-12; FR SA Objection, paragraphs 36-48; IT SA Objection, pp. 7-10; NL SA Objection,<br />
paragraphs 39-53; NO SA Objection, pp. 9-13.<br />
583 All these CSAs specified that the fine should be increased “significantly” or “substantially” except the NL and<br />
the IT SAs (which stated the fine should be increased). See DE SAs Objection, p. 12; FR SA Objection, paragraph<br />
45; IT SA Objection, pp. 8-9; NO SA Objection, p. 13; NL SA Objection, paragraph 51.<br />
584 DE SAs Objection, p. 11; FR SA Objection, paragraph 47; IT SA Objection, pp. 7-8; NL SA Objection, paragraph<br />
50; NO SA Objection, pp. 11-12.<br />
585 DE SAs Objection, p. 11.<br />
586 DE SAs Objection, p. 11.<br />
587 DE SAs Objection, p. 11.<br />
<br />
<br />
317. The IT SA argues that “by having regard to the controller, in particular the nature and size of Meta<br />
Platforms Inc. [...] the range at issue would appear to be overly low and neither proportionate nor<br />
dissuasive” 590.<br />
<br />
<br />
318. The NL SA doubts, also referring to the EDPB Guidelines on Administrative Fines, that the fines<br />
proposed by the IE SA meet the objective to be effective, “particularly considering the strong financial<br />
position of the controller and the finding that the identified lack of transparency likely has had financial<br />
benefits for the controller” 591. As regards dissuasiveness, the NL SA argues, also referring to<br />
established CJEU case-law, that Meta IE “generates a turnover of over 86 billion dollars (approximately<br />
79 billion euros) per annum, therefore it would be able to generate a daily revenue of approximately<br />
235 million dollars. Instead of dissuading future behaviour, the penalty would be simply regenerated<br />
in a few hours” (specific deterrence) 592. With reference to proportionality, the NL SA questions the<br />
lack of reasoning in the Draft Decision as to why the amounts proposed are commensurate to the<br />
seriousness of the infringements 593.<br />
<br />
319. The NO SA argues that the envisaged amount of the fine is neither effective nor dissuasive, neither to Meta<br />
IE nor to other controllers, considering the financial benefits accrued because of the violation and the<br />
worldwide annual turnover of Meta Platforms, Inc. for 2020 594. In particular, the NO SA points out that<br />
Meta IE “would likely have no issue paying the proposed fine, and the amount of the fine it is not likely<br />
to affect [it] in such a way that it would see a need to substantially change its practices” 595. The NO<br />
SA illustrates this by the fact that in 2020, Meta IE set aside one billion euro of provisions to address,<br />
inter alia, the risk of fines for infringement to the data protection rules 596.<br />
<br />
<br />
320. In addition, these objections raise arguments with regard to the weight afforded to some of the<br />
criteria listed in Article 83(2) GDPR.<br />
<br />
<br />
321. The IT SA objects to the LSA's decision not to consider WhatsApp's previous infringements in the case<br />
IN-18-12-2 as an aggravating circumstance under Article 83(2)(e) GDPR, insofar as it is part of the same<br />
group of companies of Meta IE. According to the IT SA “even though the WhatsApp case did raise<br />
additional, more specific issues, one can hardly question that the relevant decision sets a key precedent<br />
in assessing controller’s repetitive conduct” as “not only did the controller in question clearly stick to<br />
the same business model in offering its different social networking services, it also did not change its<br />
assessment as to how to manage users’ data with particular regard to its information and<br />
transparency obligations” 597.<br />
<br />
588 FR SA Objection, paragraph 38.<br />
589 FR SA Objection, paragraph 40.<br />
590 IT SA Objection, p. 8.<br />
591 NL SA Objection, paragraph 48.<br />
592 NL SA Objection, paragraph 49.<br />
593 NL SA Objection, paragraph 50.<br />
594 NO SA Objection, p. 12.<br />
595 NO SA Objection, p. 12.<br />
596 NO SA Objection, p. 11.<br />
<br />
322. According to the DE, FR, NL and NO SAs, the fine proposed by the LSA in the Draft Decision is not<br />
proportionate with regard to the seriousness of the infringement 598.<br />
<br />
<br />
323. The NL SA argues that the fine is not commensurate with the seriousness of the infringements<br />
established (Article 83(2)(a) GDPR) and is inconsistent with the IE SA's qualifications as such 599. The FR<br />
SA also argues that the fine is in contradiction with the seriousness of the violations identified and the<br />
nature of the processing (Article 83(2)(a) GDPR) 600.<br />
<br />
<br />
324. The DE, FR, and IT SAs state that the fine proposed is not consistent with the amount retained by the<br />
IE SA in its decision dated 20 August 2021 against the company WhatsApp Ireland Limited (case IN-18-12-2),<br />
in which the IE SA imposed an administrative fine of 225 million euros, including a fine of 30<br />
million euros for the infringement of Article 12 and 13 GDPR and a fine of 90 million on account of the<br />
infringement of Article 5(1)(a) GDPR 601. Moreover, the FR and IT SAs state that the amount proposed<br />
appears low also in comparison with the one retained by the LU SA in its decision of 15 July 2021<br />
against the company Amazon Europe Core, where an administrative fine of 746 million euros has been<br />
imposed for the infringements of Articles 6, 12 and 13 GDPR, and which was also based on a complaint<br />
that the processing operations carried out by the companies of the Amazon group relating to<br />
behavioural advertising did not have a valid legal basis 602. In addition, the FR SA notes that the amount<br />
of the fine proposed by the IE SA “seems to be underestimated in comparison with the amount retained<br />
in the deliberation of the CNIL’s restricted committee No. SAN-2019-001 of 21 January 2019 imposing<br />
a penalty of 50 million euros on the company Google LLC” 603. The FR SA considers this case as<br />
comparable because it is also based on a referral “filed by the association ‘NOYB’ with the CNIL,<br />
relating to a similar issue and formulated against Google, and that the restricted committee has<br />
identified a breach of Article 6 of the GDPR and a breach of the provisions of Articles 12 and 13 of the<br />
GDPR” 604. However, the FR SA notes that “the amount retained against Google LLC is close to that<br />
proposed by the Irish data protection authority, even though the processing operations in question<br />
concern all European users, [...] which was not the case in the above-mentioned CNIL’s decision, for<br />
which only French users were taken into account” 605.<br />
<br />
<br />
597 IT SA Objection, p. 9.<br />
598 DE SAs Objection, p. 11; FR SA Objection, paragraph 47; NL SA Objection, paragraphs 39 and 43-44; NO SA<br />
Objection, p. 12.<br />
599 NL SA Objection, paragraphs 39 and 43-44.<br />
600 FR SA Objection, paragraph 50.<br />
601 FR SA Objection, paragraph 42; IT SA Objection, p. 8.<br />
602 FR SA Objection, paragraph 43. Similar reasoning is included in the IT SA Objection, which states that “even<br />
by proportion to the respective turnover [...] there is little doubt that the fining proposal by the LSA is not in line<br />
with the proportionality requirement” (IT SA Objection, p. 8).<br />
603 FR SA Objection, paragraph 41.<br />
604 FR SA Objection, paragraph 41.<br />
605 FR SA Objection, paragraph 41.<br />
<br />
325. The NO SA argues that “the suggested fine is not proportionate to the seriousness of the violations and<br />
the aggravating factors identified”, the “number of data subjects affected in the EEA amounts to<br />
hundreds of millions” and agrees with the LSA that the controller’s “level of responsibility is high” 606.<br />
<br />
<br />
326. On the risks posed by the Draft Decision, the DE, FR, IT, NL, and NO SAs consider that, if adopted, the<br />
Draft Decision would lead to a significant risk for the protection of the fundamental rights and<br />
freedoms of the data subjects 607. The DE, FR, IT, NL, and NO SAs explain that it would not ensure an<br />
effective enforcement of the GDPR, as the proposed fine is unable to create a deterrent effect (either<br />
specifically towards the controller, or in general towards other controllers) 608. The NO SA considers<br />
this would mean, “that the complainant and the affected data subjects would in practice be denied<br />
the level of data protection set out in the GDPR” 609. The FR SA argues the Draft Decision as it stands<br />
would “lead to a levelling down of the level of administrative fines imposed by European data<br />
protection authorities, thereby reducing the authorities' coercive power and, consequently, their ability<br />
to ensure effective compliance with the protection of the personal data of European residents” 610. The<br />
DE SAs add that “the Draft Decision does not ensure a consistent application of administrative fines” 611.<br />
<br />
<br />
9.1.3 Position of the LSA on the objections<br />
<br />
327. The LSA considers none of the objections relating to the quantum of the proposed administrative fine<br />
as relevant and reasoned 612.<br />
<br />
<br />
328. In relation to objections calling for an increase of the amount of the fine set out in the Draft Decision,<br />
the LSA states that, notwithstanding the variance between the views of the CSAs on the calculation of<br />
the fine, the IE SA has “fully taken into account the criteria at Article 83(2) GDPR, and that the<br />
proposed administrative fines meet the requirements of Article 83(1) GDPR, taking into account all the<br />
circumstances of this matter and as set out Part 9 of the Draft Decision” 613. The IE SA also argues that<br />
it considers “the proposal as to the fine to be meaningful in terms of both the financial<br />
significance of it on any view, as well as the significant publicity that a fine in this region will<br />
attract” 614.<br />
<br />
<br />
329. With reference to the objections relating to the mode of calculating the proposed administrative fine<br />
(assessment of the Article 83(2) GDPR criteria), the LSA does not accept that these objections are<br />
relevant 615. The LSA recalls that it has already examined in its Draft Decision whether the<br />
infringements were intentional and whether Meta IE obtained a financial benefit as a result of the<br />
infringements, questions to which it answered in the negative 616. Furthermore, the LSA takes the view<br />
that “it would be contrary to a literal interpretation of Article 83(2)(e) GDPR to take the decision made<br />
by the IE SA in respect of WhatsApp Ireland Limited (i.e. IN-18-2-1) in the calculation of the fine for this<br />
Draft Decision in circumstances where the infringements do not concern the same controller or<br />
processor” 617.<br />
<br />
606 NO SA Objection, p. 12.<br />
607 DE SAs Objection, p. 12; FR SA Objection, paragraph 47; IT SA Objection, pp. 8-10; NL SA Objection,<br />
paragraph 52; NO SA Objection, p. 12.<br />
608 DE SAs Objection, p. 12; FR SA Objection, paragraph 47; IT SA Objection, pp. 8-10; NL SA Objection,<br />
paragraphs 49 and 52; NO SA Objection, p. 12.<br />
609 NO SA Objection, p. 12.<br />
610 FR SA Objection, paragraph 48.<br />
611 DE SAs Objection, p. 11.<br />
612 Composite Response, paragraph 120.<br />
613 Composite Response, paragraph 118.<br />
614 Composite Response, paragraph 119.<br />
615 Composite Response, paragraph 126.<br />
616 Composite Response, paragraph 124. On this matter, the IE SA refers to respectively paragraphs 230-233<br />
and 251-252 of the Draft Decision.<br />
<br />
<br />
9.1.4 Assessment of the EDPB<br />
<br />
<br />
9.1.4.1 Assessment of whether the objections were relevant and reasoned<br />
<br />
<br />
330. The objections raised by the DE, FR, IT, NL, and NO SAs concern “whether the action envisaged in the<br />
Draft Decision complies with the GDPR” 618.<br />
<br />
<br />
331. The EDPB takes note of Meta IE’s view that not a single objection put forward by the CSAs meets the<br />
threshold of Article 4(24) GDPR 619.<br />
<br />
<br />
332. With specific regard to these objections on the determination of the administrative fine for the<br />
transparency infringements, Meta IE acknowledges that the objections as to whether envisaged<br />
corrective measures comply with the GDPR fall within the scope of the dispute resolution<br />
mechanism 620; however, in their view, objections that solely object to the amount of a fine are outside<br />
the scope of this mechanism 621. Meta IE argues that “the DPC, as the LSA, has the sole competence<br />
and discretion to impose an administrative fine” 622. Moreover, Meta IE claims that the EDPB is not<br />
competent to determine whether the administrative fine is effective, proportionate, and dissuasive 623.<br />
The EDPB does not share this reading of the GDPR, as explained above (see Section 8.4.2, paragraphs<br />
277-279 of this Binding Decision) and considers that CSAs may object to the fine amount proposed by<br />
an LSA in its draft decision 624.<br />
<br />
<br />
617 Composite Response, paragraph 126.<br />
618 EDPB Guidelines on RRO, paragraph 32.<br />
619 Meta IE Article 65 Submissions, Annex 1, p. 65.<br />
620 Meta IE Article 65 Submissions, paragraph 8.5.<br />
621 Meta IE Article 65 Submissions, paragraph 9.2.<br />
622 Meta IE Article 65 Submissions, paragraph 9.2.<br />
623 Meta IE Article 65 Submissions, paragraph 9.2. Meta IE argues that “The GDPR does not confer any power on<br />
the EDPB to consider objections solely challenging the amount of a fine, and the EDPB may not give instructions<br />
as to whether a fine ought to be imposed, or as to its amount”.<br />
624 In this regard, Recital 150 GDPR can be recalled, as it states that the consistency mechanism may also be used<br />
to promote a consistent application of administrative fines. Consequently, an objection can challenge the<br />
elements relied upon to calculate the amount of the fine, and if the assessment of the EDPB within this context<br />
identifies shortcomings in the reasoning leading to the imposition of the fine at stake, the LSA will be instructed<br />
to re-assess the fine and remedy the identified shortcomings (EDPB Guidelines on Art. 65(1)(a), para 91; EDPB<br />
RRO Guidelines, paragraph 34). The EDPB found several objections on this subject matter admissible in the past,<br />
see inter alia Binding Decision 1/2020, paragraphs 175-178 and 180-181, Binding Decision 1/2021, paragraphs<br />
310-314, Binding Decision 1/2022, paragraphs 53-55, Binding Decision 2/2022, paragraphs 186-190.<br />
Consequently, within its mission of ensuring a consistent application of the GDPR, the EDPB is fully competent<br />
to resolve the dispute arisen among supervisory authorities and remedy the shortcomings in the Draft Decision<br />
concerning the calculation of the amount of the fine, which will in any event be quantified and imposed by the<br />
LSA in its national decision adopted on the basis of the EDPB’s binding decision.<br />
<br />
333. The EDPB takes note of further arguments put forward by Meta IE, aiming to demonstrate the lack of<br />
relevance of the objections raised by the DE, FR, IT, NL, and NO SAs 625. Meta IE disagrees with the<br />
content of these objections, which concerns its merits and not its admissibility.<br />
<br />
<br />
334. The EDPB finds that the DE, FR, IT, NL, and NO SAs disagree with specific parts of the IE SA’s Draft<br />
Decision, namely the assessment made by the LSA in Chapter 9 “Administrative fine” and Chapter 10<br />
“Other relevant factors” in setting the administrative fine applicable to the violations of transparency<br />
identified 626. If followed, these objections would lead to a different conclusion in terms of corrective<br />
measures imposed. In consequence, the EDPB considers the objections raised by the DE, FR, IT, NL,<br />
and NO SAs to be relevant.<br />
<br />
<br />
335. Meta IE further considers that the DE, FR, IT, NL and NO SAs’ objections have not created “reasonable<br />
doubt” as to the validity of the LSA’s calculation of the fine and do not explain why the fine envisaged<br />
in the Draft Decision is incompatible with Article 83 GDPR 627. In this respect, Meta IE claims that the<br />
objections of the DE, FR, IT, NL and NO SAs are not sufficiently reasoned as they focus on hypothetical<br />
“preventive effects” of the fine on other controllers in future proceedings 628. In addition, Meta IE puts<br />
forward that the comparison made by the DE, FR, and IT SAs in their objections with other fines<br />
imposed in other cases is not relevant to the extent that fines should result in a case-by-case<br />
assessment 629. Meta IE also objects to the FR SA’s objection that the fine should be tied to the<br />
turnover, considering that Meta IE’s turnover is only relevant for determining the maximum fine<br />
amount under Articles 83(4)-(6) GDPR and not the fine amount 630. Finally, in response to the NO SA’s<br />
objection, Meta IE argues that controller’s financial provisions for potential regulatory-related<br />
expenses cannot be considered as a relevant factor under Article 83(2) GDPR 631. It follows from the<br />
above arguments that Meta IE disagrees with the reasoning provided in these objections, which thus<br />
concerns the merits and not the admissibility of the objection.<br />
<br />
<br />
336. The EDPB finds that the DE, FR, IT, NL, and NO SAs argue why they propose amending the Draft<br />
Decision and how this leads to a different conclusion in terms of administrative fine imposed, i.e. why<br />
they propose to impose a higher fine for the transparency breaches 632.<br />
<br />
<br />
<br />
<br />
625Meta IEargues thattheseobjectionsare“adirectcriticismof theamountoftheDPC’sproposedfine(i.e.an<br />
<br />
areawithintheDPC’ssolediscretionasLSA)ratherthanthelawfulnessoftheDPC’srelianceontherelevant<br />
factorstocalculatethefine(whichwouldbetheDraftDecision’srelevantlegalandfactualcontenttowhich<br />
the[CSAs]couldobject)’’.Meta IEArticle65Submissions,Annex1,paragraphs2.17-2.19,5.13,7.12,8.23,and<br />
9.19.<br />
626<br />
DESAs Objection,p.10;FRSAObjection,paragraph36;ITSAObjection,pp.7-9;NLSAObjection,<br />
paragraph40and53;NOSAs’Objection,pp.9-10.<br />
627Meta IEArticle65Submissions,Annex1,paragraphs2.21,5.15,5.17-18,7.14,8.25,and9.22.Inthisregard<br />
Meta IEsubmitsthat‘’afineproposedbytheLSAiseffective,proportionate,anddissuasiveaslongasthecriteria<br />
laiddowninArticle83(2)GDPRaredulytakenintoaccount(whichisclearlythecasehere).Indeed,thecalculation<br />
<br />
of fines is subjective, and there is significant variance amongst objecting CSAsas to what the appropriate fine<br />
shouldbe’.<br />
628Meta IEArticle65Submissions,Annex1,paragraphs2.22,5.19,7.16,8.26,and9.23.<br />
629Meta IEArticle65Submissions,Annex1,paragraphs2.23,5.18,and7.17.<br />
630<br />
631Meta IEArticle65Submissions,Annex1,paragraph5.21.<br />
Meta IEArticle65Submissions,Annex1,paragraph9.26.<br />
632DESAs Objection,p.11-12;FRSAObjection,paragraphs38,40,42,43,47;ITSAObjection,pp.7-9;NLSA<br />
Objection,paragraphs44-45and47-50;NOSAObjection,pp.11-12.<br />
<br />
<br />
<br />
<br />
337. In terms of risks, Meta IE claims the Draft Decision does not pose any risk, let alone a significant risk to fundamental rights, and argues that the objections of the DE, FR, IT, NL, and NO SAs fail to demonstrate the contrary, as required<sup>633</sup>.<br />
<br />
338. In particular, Meta IE considers that the DE, FR and IT SAs’ objections appear to focus on increasing the “punitive impact” of the fine on Meta IE, instead of demonstrating any significant risks to the fundamental rights of data subjects<sup>634</sup>. Meta IE further claims that the NL and NO SAs’ objections do not set out how the proposed fine would pose a direct and significant risk to fundamental rights and freedoms<sup>635</sup>. In addition, Meta IE argues the DE, FR, IT, NL and NO SAs’ objections rest on the unsubstantiated possible effect the Draft Decision could have on the future behaviour of other controllers, without demonstrating how this Decision would lead to significant risks in the case at hand<sup>636</sup>. Therefore, Meta IE claims that, in doing so, the assessment made by the DE, FR, IT and NL SAs is incorrect as they do not consider the reputational costs generated by such a fine<sup>637</sup>.<br />
<br />
339. First, the EDPB notes that any risk assessment addresses future outcomes which are to some degree uncertain, and finds there is no basis in the GDPR to limit the notion of risks to the boundaries of the particular case at hand. Article 4(24) GDPR refers to the risks posed to the “fundamental rights and freedoms of data subjects” and “where applicable, the free flow of personal data within the Union”. Both of these aspects are phrased in a general way. The wording of this provision does not in any way limit the demonstration of the risks to showing the risks posed to the data subjects affected by the concrete processing carried out by the specific controller, in light of the objective of guaranteeing a “high level of protection in the EU for the rights and interests of the individuals”<sup>638</sup>. Therefore, the risks posed by a draft decision to be demonstrated by a relevant and reasoned objection might also concern data subjects whose personal data might be processed in the future, including by other controllers.<br />
<br />
340. The EDPB also notes that the DE, FR, IT, NL, and NO SAs<sup>639</sup> considered both of the aspects that are entailed by dissuasiveness of the fine, i.e. specific deterrence and general deterrence<sup>640</sup>.<br />
<br />
<sup>633</sup> Meta IE Article 65 Submissions, Annex 1, paragraphs 2.24-2.27, 5.22-5.25, 7.18-7.21, 8.28-8.32, and 9.25-9.27.<br />
<sup>634</sup> Meta IE Article 65 Submissions, Annex 1, paragraphs 2.24, 5.22, and 7.18.<br />
<sup>635</sup> Meta IE Article 65 Submissions, Annex 1, paragraphs 8.28, and 9.25.<br />
<sup>636</sup> Meta IE Article 65 Submissions, Annex 1, paragraphs 2.25, 5.23, 7.19, 8.30, and 9.26.<br />
<sup>637</sup> Meta IE Article 65 Submissions, Annex 1, paragraphs 2.26, 5.24, 7.20, 8.31. Meta IE adds that, in any case, it “does not consider that fines such as the one proposed in the Draft Decision could encourage other companies to comply with the GDPR”.<br />
<sup>638</sup> Judgement of the Court of Justice of 6 November 2003, Lindqvist, Case C-101/01, ECLI:EU:C:2003:596, (hereinafter ‘C-101/01 Lindqvist’), paragraph 95; Judgement of the Court of Justice of 16 December 2008, Heinz Huber v Bundesrepublik Deutschland, C‑524/06, ECLI:EU:C:2008:724, (hereinafter ‘C‑524/06 Huber’), paragraph 50; Judgement of the Court of Justice of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito, C-468/10 and C-469/10, ECLI:EU:C:2011:777, paragraph 28.<br />
<sup>639</sup> DE SAs Objection, p. 12 (referring to the “undertaking in question”), FR SA Objection, paragraph 47 (referring to “the controller”); IT SA Objection pp. 8-9 (referring to “the controller”); NL SA Objection, paragraph 52 (referring to the risk in relation to “the illegal processing at hand”); NO SA Objection, p. 12 (referring to “incentives for Meta IE”).<br />
<sup>640</sup> The CJEU has consistently held that a dissuasive fine is one that has a genuine deterrent effect, encompassing both specific deterrence (discouraging the addressee of the fine from committing the same infringement again) and general deterrence (discouraging others from committing the same infringement in the future). See, inter alia, Judgement of the Court of Justice of 13 June 2013, Versalis Spa v European Commission, C-511/11 P, ECLI:EU:C:2013:386, (hereinafter ‘C-511/11, Versalis’), paragraph 94.<br />
<br />
341. The EDPB finds that the DE, FR, IT, NL, and NO SAs articulate an adverse effect on the rights and freedoms of data subjects if the Draft Decision is left unchanged, by referring to a failure to guarantee a high level of protection in the EU for the rights and interests of the individuals<sup>641</sup>.<br />
<br />
342. Therefore, the EDPB considers the DE, FR, IT, NL, and NO SAs’ objections to be reasoned.<br />
<br />
9.1.4.2 Assessment on the merits<br />
<br />
343. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether the envisaged action in relation to the controller complies with the GDPR.<br />
<br />
344. The EDPB recalls that the consistency mechanism may also be used to promote a consistent application of administrative fines<sup>642</sup>. A fine should be effective, proportionate and dissuasive, as required by Article 83(1) GDPR, taking account of the facts of the case<sup>643</sup>. In addition, when deciding on the amount of the fine, the LSA shall take into consideration the criteria listed in Article 83(2) GDPR.<br />
<br />
345. The EDPB responds above to Meta IE’s argument that the LSA has sole discretion to determine the appropriate corrective measures in the event of a finding of infringement (see Section 8.4.2, paragraphs 277-279 as well as footnote 624).<br />
<br />
346. The finding in the Draft Decision of a transparency infringement for the processing concerned still stands. The EDPB recalls that, on substance, no objections were raised on this finding. Meta IE infringed its general transparency obligations by being unclear on the link between the purposes of processing, the lawful bases of processing and the processing operations involved<sup>644</sup>, irrespective of the validity of the legal basis relied on for the ‘processing concerned’. It remains the case that, for the transparency infringements, “the processing concerned” should be understood as meaning all of the processing operations that Meta IE carries out on the personal data under its controllership for which Meta IE indicated it relied on Article 6(1)(b) GDPR<sup>645</sup>, including for the purposes of behavioural advertising. This is without prejudice to the fact that Meta IE inappropriately relied on Article 6(1)(b) GDPR as a legal basis to process personal data for the purpose of behavioural advertising as part of the delivery of its Instagram service under the Terms of Use. Whether or not Meta IE appropriately chose its legal basis for processing, the transparency infringement as assessed in the Draft Decision still stands. Therefore, the IE SA must not modify this description retro-actively in light of the assessment of the validity of the legal basis, including for the purpose of carrying out any reassessment of the administrative fines originally proposed by the Draft Decision, as might be required by this Binding Decision.<br />
<br />
<sup>641</sup> DE SAs Objection, p. 12, FR SA Objection, paragraphs 47-48; IT SA Objection, pp. 8-9; NL SA Objection, paragraph 52; NO SA Objection, p. 12. See also EDPB Guidelines on RRO, paragraph 37.<br />
<sup>642</sup> Recital 150 GDPR. EDPB Guidelines on RRO, paragraph 34; EDPB Guidelines on Administrative fines p. 7 (“When the relevant and reasoned objection raises the issue of the compliance of the corrective measure with the GDPR, the decision of EDPB will also discuss how the principles of effectiveness, proportionality and deterrence are observed in the administrative fine proposed in the draft decision of the competent supervisory authority”).<br />
<sup>643</sup> EDPB Guidelines on Administrative fines, p. 7; EDPB Guidelines on calculation of fines, paragraphs 132-134.<br />
<sup>644</sup> Draft Decision, paragraph 189.<br />
<sup>645</sup> Draft Decision, paragraph 210.<br />
<br />
347. In light of the objections found relevant and reasoned, the EDPB addresses whether the Draft Decision proposes a fine for the transparency infringements that is in accordance with the criteria established by Article 83(2) GDPR and the criteria provided for by Article 83(1) GDPR. In doing this, the EDPB will first assess the disputes arisen in respect of the analysis of specific criteria under Article 83(2) GDPR performed by the LSA, and then examine whether the proposed fine meets the requirements of effectiveness, dissuasiveness and proportionality set in Article 83(1) GDPR, including by affording adequate weight to the relevant factors and to the circumstances of the case.<br />
<br />
On any relevant previous infringements by the controller or processor (Article 83(2)(e) GDPR)<br />
<br />
348. Article 83(2)(e) GDPR requires supervisory authorities to give due regard to any previous relevant infringement of the GDPR by the controller or processor as one of the circumstances that justifies an increase in the basic amount of the fine. A similar reference can be found in Recital 148 GDPR.<br />
<br />
349. For the purposes of Article 83(2)(e) GDPR, both previous infringements of the same subject matter and infringements of a different subject matter but committed in a manner similar to that under investigation should be considered as relevant. Furthermore, the EDPB recalls that the scope of assessment of infringements may include not only previous decisions by the investigating supervisory authority, but also infringements found by other authorities, provided that they are relevant to the case under investigation<sup>646</sup>.<br />
<br />
350. The EDPB first notes that, contrary to Meta IE’s views<sup>647</sup>, substantial similarities exist in the infringements found by the LSA in its draft decision and in its decision IN-18-12-2 in relation to WhatsApp Ireland Limited, in which breaches of GDPR obligations were established. As rightly pointed out by the IT SA, the LSA indeed considered in both decisions that the controller had not provided transparent information on the legal basis and purposes of the processing operations or sets of processing operations carried out, thereby infringing Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR<sup>648</sup>.<br />
<br />
351. The IT SA contends that, to the extent that Meta IE and WhatsApp Ireland Limited are part of the same corporate group, the previous decision concerning WhatsApp Ireland Limited “sets a key precedent in assessing a controller’s repetitive conduct”, as “not only did the controller in question clearly stick to the same business model in offering its different social networking services, it also did not change its assessment as to how to manage users’ data with particular regard to its information and transparency obligations”<sup>649</sup>. The IE SA disagrees with this objection, considering that Article 83(2)(e) GDPR cannot apply in the circumstances of this case insofar as its decision against WhatsApp Ireland Limited was addressed to a different controller<sup>650</sup>.<br />
<br />
352. In this respect, the EDPB notes that Meta IE and WhatsApp Ireland Limited are both subsidiaries of Meta Platforms, Inc.<sup>651</sup>. Nonetheless, the EDPB recalls that the GDPR draws a distinction between, on the one hand, the “controller” or “processor”<sup>652</sup>, which are responsible for complying with the rules of the GDPR, and, on the other hand, the “undertaking”<sup>653</sup> of which the controller or processor is part, and that may be found jointly and severally liable for the payment of the fine<sup>654</sup>. In this context, Article 83(2)(e) GDPR explicitly refers to the need to consider previous relevant infringements committed “by the controller or processor” (emphasis added).<br />
<br />
353. Therefore, the EDPB considers that the Final Decision does not need to refer to the infringements by WhatsApp Ireland Limited, as established in Decision IN-18-12-2, as an aggravating factor under Article 83(2)(e) GDPR for the calculation of the fine.<br />
<br />
The effectiveness, proportionality and dissuasiveness of the administrative fine (Article 83(1) GDPR)<br />
<br />
354. With regard to effectiveness of the fines, the EDPB recalls that the objective pursued by the corrective measure chosen can be to re-establish compliance with the rules, or to punish unlawful behaviour, or both<sup>655</sup>. In addition, the EDPB notes that the CJEU has consistently held that a dissuasive penalty is one that has a genuine deterrent effect. In that respect, a distinction can be made between general deterrence (discouraging others from committing the same infringement in the future) and specific deterrence (discouraging the addressee of the fine from committing the same infringement again)<sup>656</sup>. Therefore, in order to ensure deterrence, the fine must be set at a level that discourages both the controller or processor concerned as well as other controllers or processors carrying out similar processing operations from repeating the same or a similar unlawful conduct. Proportionality of the fine needs also to be ensured, as the measure must not go beyond what is necessary to attain that objective<sup>657</sup>. In this respect, the EDPB disagrees with Meta IE’s view that there is no basis to conclude that the amount of the fine must have a general preventive effect<sup>658</sup>.<br />
<br />
<sup>646</sup> EDPB Guidelines on Administrative Fines, paragraph 93.<br />
<sup>647</sup> Meta IE Article 65 Submissions, paragraph 10.3. According to Meta IE, the DPC Final Decision IN-18-12-2 against WhatsApp Ireland Limited concerns a “wholly separate proceeding involving wholly separate allegations and claims”.<br />
<sup>648</sup> DPC Final Decision IN-18-12-2 concerning WhatsApp Ireland Limited, 20 August 2021, paragraphs 496, 591 and 595, available at: https://edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf; Draft Decision, p. 71.<br />
<sup>649</sup> IT SA Objection, p. 9.<br />
<sup>650</sup> Composite Response, paragraph 125. According to the IE SA, this stems directly from the wording of Article 83(2)(e) GDPR, which “expressly states that only relevant previous infringements by the same controller or processor must be taken into consideration”.<br />
<sup>651</sup> DPC Final Decision IN-18-12-1 concerning WhatsApp Ireland Limited, 20 August 2021, paragraph 872; Draft Decision, paragraphs 5 and 288.<br />
<sup>652</sup> See Art. 4(7)-(8) GDPR.<br />
<sup>653</sup> According to Recital 150, “where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes”. According to settled case-law of the CJEU, the term ‘undertaking’ “encompasses every entity engaged in an economic activity, regardless of the legal status of the entity and the way in which it is financed” (see, in this regard, EDPB Binding Decision 1/2021, paragraph 292).<br />
<sup>654</sup> EDPB Binding Decision 1/2021, paragraph 290.<br />
<sup>655</sup> EDPB Guidelines on Administrative Fines, p. 6.<br />
<sup>656</sup> See, inter alia, C-511/11, Versalis, paragraph 94.<br />
<sup>657</sup> See Judgement of the General Court of 14 October 2021, MT v Landespolizeidirektion Steiermark, C‑231/20, ECLI:EU:C:2021:845, paragraph 45 (“the severity of the penalties imposed must […] be commensurate with the seriousness of the infringements for which they are imposed, in particular by ensuring a genuinely deterrent effect, while not going beyond what is necessary to attain that objective”).<br />
<sup>658</sup> Meta IE Article 65 Submissions, Annex 1, paragraphs 2.22, 5.16, 7.16, 8.30 and 9.23.<br />
<br />
355. The EDPB reiterates that it is incumbent upon the supervisory authorities to verify whether the amount of the envisaged fines meets the requirements of effectiveness, proportionality and dissuasiveness, or whether further adjustments to the amount are necessary, considering the entirety of the fine imposed and all the circumstances of the case, including e.g. the accumulation of multiple infringements, increases and decreases for aggravating and mitigating circumstances, and financial/socio-economic circumstances<sup>659</sup>. Further, the EDPB recalls that the setting of a fine is not an arithmetically precise exercise<sup>660</sup>, and supervisory authorities have a certain margin of discretion in this respect<sup>661</sup>.<br />
<br />
356. The DE, FR, IT, NL, and NO SAs object to the level of the fine envisaged in the Draft Decision as they consider the proposed fine not effective, proportionate and dissuasive (Article 83(1) GDPR)<sup>662</sup>.<br />
<br />
357. These CSAs argue that the elements of Article 83(2) GDPR are not weighed correctly by the LSA when calculating the administrative fines in the present case, in light of the requirements of Article 83(1) GDPR<sup>663</sup>. Specifically, the DE, FR, IT, NL and NO SAs argue that the fine envisaged in the Draft Decision is not proportionate with the IE SA’s findings in relation to the nature and seriousness of the infringements and the number of data subjects concerned<sup>664</sup>.<br />
<br />
358. In addition, these CSAs argue that the fine is not effective, proportionate and dissuasive taking into account the financial position of Meta Platforms, Inc.<sup>665</sup>.<br />
<br />
359. The EDPB takes note of Meta IE’s disagreement with the fine proposed by the IE SA<sup>666</sup> and its view that the LSA already considers all factors it considered to be relevant to Article 83(2) GDPR and that “none of the CSAs have created any reasonable doubt as to the validity of the DPC’s calculation”<sup>667</sup>.<br />
<br />
360. The EDPB notes that in the Draft Decision the IE SA indicates being satisfied that the proposed fines are effective, proportionate and dissuasive, taking into account all the circumstances of the IE SA’s inquiry<sup>668</sup>. The IE SA assessed the different criteria of Article 83(2) GDPR in relation to the transparency infringements found<sup>669</sup>. The IE SA considered the infringements as serious in nature<sup>670</sup>, and in terms of gravity of the infringements found a significant level of non-compliance<sup>671</sup>. Furthermore, the EDPB underlines that, as established by the IE SA, the infringements affect a significant number of data subjects<sup>672</sup> and are extensive<sup>673</sup>. The EDPB also observes that the IE SA considered the negligent character of the infringement<sup>674</sup>, as well as the high level of responsibility of Meta IE for the lack of compliance with the GDPR<sup>675</sup>, as aggravating factors under Article 83(2) GDPR. Further, the IE SA qualified the level of damage suffered by data subjects as significant<sup>676</sup>. In addition, the IE SA identified only one mitigating factor, without indicating, however, whether this should lead to a slight or substantial reduction of the fine range<sup>677</sup>.<br />
<br />
361. Meta IE argues that reputation costs should also be taken into consideration, citing the IE SA’s remark on “the significant publicity that a fine in this region will attract”<sup>678</sup>. On principle, the EDPB agrees that reputation costs could be taken into consideration to some extent, if credible arguments are put forward about the grave detriment that would ensue. Meta IE does not present such arguments<sup>679</sup>. The EDPB is of the view that in this case other incentives would offset any reputational costs. As far as advertisers are concerned, Meta IE puts forward that “The personalised nature of the Instagram Service is also the reason why it has been instrumental in the success of small and medium sized businesses (“SMBs”) worldwide, including across the EU. Personalisation on social media and other digital technologies, including the Instagram Service, enables SMBs to compete for customers through “customizing [sic] products and services, [...] building a unique brand image, tailoring marketing to a specific audience and developing a strong one-to-one connection with a community of customers”<sup>680</sup>. As far as users of the Instagram service are concerned, there are network effects at play which lead to incentives to join - or not leave - the platform, so as not to be excluded from participating in discussions, corresponding with and receiving information from others<sup>681</sup>.<br />
<br />
362. According to the DE, FR, and IT SAs, the proposed fine is not consistent with the fine of 225 million euros decided upon by the IE SA in its decision dated 20 August 2021 against WhatsApp Ireland Limited for the same transparency infringements (breaches of Articles 12 and 13 GDPR)<sup>682</sup>. In particular, the DE SAs point out that “the facts and the seriousness of the infringements in the two cases are not sufficiently different to justify a difference of 85% in the fine imposed”<sup>683</sup>. The FR and IT SAs also compare with the fine of 746 million euros decided by the LU SA in its decision of 15 July 2021 against the company Amazon Europe Core for carrying out behavioural advertising without a valid legal basis and for transparency infringements (Articles 6, 12 and 13 GDPR)<sup>684</sup>. While the EDPB agrees with both the IE SA and Meta IE that imposing fines requires a case-by-case assessment under Article 83 GDPR<sup>685</sup>, the EDPB notes that the cases cited by the DE, FR and IT SAs do show marked similarities with the current case, as they both refer to large internet platforms run by data controllers with multi-national operations and significant resources available to them, including large, in-house compliance teams. Moreover, there are similarities with regard to the nature and gravity of the infringements involved<sup>686</sup>. Thus, these cases can give an indication on the matter.<br />
<br />
363. The DE, FR, IT and NO SAs<sup>687</sup> calculate that the envisaged upper limit of the fine range is about 0.03% of the global annual turnover of Meta Platforms, Inc., which the DE SAs note is about 0.72% of the maximum ceiling provided for in Article 83(5) GDPR<sup>688</sup>. For illustrative purposes also, the amount of time it would have taken Meta Platforms, Inc. on average to generate 23 million euros in turnover in 2020 was about 2 hours and 33 minutes<sup>689</sup>.<br />
<br />
364. The EDPB agrees with the objections raised that - if the proposed fine was to be imposed for the transparency infringements - there would be no sufficient special preventive effect towards the controller, nor a credible general preventive effect<sup>690</sup>. The proposed fine amount, even where a final amount at the upper limit of the range would be chosen, is not effective, proportionate and dissuasive, in the sense that this amount can simply be absorbed by the undertaking as an acceptable cost of doing business<sup>691</sup>. As behavioural advertising is at the core of Meta IE’s business model<sup>692</sup>, the risk of this occurring is all the greater<sup>693</sup>. By bearing the cost of the administrative fine, the undertaking can avoid bearing the cost of adjusting its business model to one that is compliant, as well as any future losses that would follow from the adjustment.<br />
<br />
<sup>659</sup> EDPB Guidelines on calculation of fines, paragraph 132, and EDPB Guidelines on Administrative Fines, p. 6, specifying that “administrative fines should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities must assess all the facts of the case in a manner that is consistent and objectively justified”.<br />
<sup>660</sup> See Judgement of the General Court of 22 September 2021, Altice Europe NV v Commission, T-425/18, ECLI:EU:T:2021:607, paragraph 362; Judgement of the General Court of 5 October 2011, Romana Tabacchi v Commission, Case T‑11/06, ECLI:EU:T:2011:560, paragraph 266.<br />
<sup>661</sup> See, inter alia, judgement of the General Court of 16 June 2011, Caffaro Srl v Commission, T-192/06, ECLI:EU:T:2011:278, paragraph 38. See also EDPB Guidelines on calculation of fines, p. 2.<br />
<sup>662</sup> DE SAs Objection, pp. 10-12; FR SA Objection, paragraphs 36-48; IT SA Objection pp. 7-10; NL SA Objection, paragraphs 39-53; NO SA Objection, pp. 9-13.<br />
<sup>663</sup> DE SAs Objection, p. 11; FR SA Objection, paragraph 47; IT SA Objection pp. 7-8; NL SA Objection, paragraph 50; NO SA Objection, pp. 11-12.<br />
<sup>664</sup> DE SAs Objection, p. 11; FR SA Objection, paragraph 38; IT SA Objection, p. 8; NL SA Objection, paragraphs 42 and 48; NO SA Objection, p. 12.<br />
<sup>665</sup> DE SAs Objection, p. 11; FR SA Objection, paragraphs 38-40; IT SA Objection, p. 8; NL SA Objection, paragraphs 48-49; NO SA Objection, pp. 11-12.<br />
<sup>666</sup> Meta IE Article 65 Submissions, paragraph 9.1.<br />
<sup>667</sup> Meta IE Article 65 Submissions, paragraph 9.3.<br />
<sup>668</sup> Draft Decision, paragraphs 255-258.<br />
<sup>669</sup> Draft Decision, paragraphs 209-252.<br />
<sup>670</sup> Draft Decision, paragraphs 212-215 and 253.<br />
<sup>671</sup> Draft Decision, paragraphs 216-217 and 253.<br />
<sup>672</sup> Draft Decision, paragraphs 223-225 and 253.<br />
<sup>673</sup> Draft Decision, paragraph 221.<br />
<sup>674</sup> Draft Decision, paragraphs 230-233 and 253.<br />
<sup>675</sup> Draft Decision, paragraph 240. The IE SA considers that “Meta Ireland should have been aware of the appropriate standards – albeit at a general level – and, having made a deliberate decision to present the information in a manner which fell significantly below the standard required, has a high degree of responsibility for the lack of compliance with the GDPR”.<br />
<sup>676</sup> The IE SA finds it sufficiently shown that “rights have been damaged in a significant manner, given the lack of opportunity to exercise data subject rights while being fully informed”, Draft Decision, paragraph 229.<br />
<sup>677</sup> Draft Decision, paragraphs 234-236.<br />
<sup>678</sup> Composite Response, paragraph 119. See Meta IE Article 65 Submissions, Annex 1, paragraphs 2.26, 5.24, 7.20, 8.31.<br />
<sup>679</sup> Meta IE states that “even if Meta Ireland or other companies could ever consider that multi-million fines are negligible from a financial point of view (a statement that is unsubstantiated and disputed), such companies would obviously be concerned by the reputational cost of such fines.” Meta IE Article 65 Submissions, Annex 1, paragraphs 2.26, 5.24, 7.20, and 8.31.<br />
<sup>680</sup> Meta IE Article 65 Submissions, paragraph 6.23.<br />
<sup>681</sup> NO SA Objection, p. 5. In the same vein, the FR SA describes Meta IE’s position as quasi-monopolist (FR SA Objection, paragraph 38).<br />
<sup>682</sup> DE SA Objection, pp. 11-12; FR SA Objection, paragraph 42; IT SA Objection, p. 8. The IE SA’s decision in this case (case IN-18-12-2) is under appeal before the Irish courts.<br />
<sup>683</sup> DE SA Objection, p. 12.<br />
<sup>684</sup> FR SA Objection, paragraph 43; IT SA Objection p. 8.<br />
<sup>685</sup> Draft Decision, paragraphs 219-220; Meta IE Article 65 Submissions, paragraphs 2.23, 5.18, 7.17.<br />
<sup>686</sup> In this regard, the DE SA points out that in both decisions the IE SA stated that the provisions infringed “go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data”. DE SA Objection, p. 11.<br />
<sup>687</sup> DE SA Objection, p. 11; FR SA Objection, paragraph 40; IT SA Objection, p. 8; NO SA Objection, p. 12.<br />
<sup>688</sup> DE SA Objection, p. 11.<br />
<sup>689</sup> Based on the total annual turnover of 2020 being EUR 79 billion, calculated by the NL SA in its objection (NL SA Objection, paragraph 49) on the basis of the turnover of Meta Platforms, Inc. referred to in the Draft Decision (86 billion dollars). Thus, a fine of EUR 23 million would have taken 2h33 to generate.<br />
<sup>690</sup> DE SA Objection, p. 12; IT SA Objection, pp. 8-9; NO SA Objection, p. 12; FR SA Objection, paragraph 47.<br />
<sup>691</sup> NO SA Objection, p. 11.<br />
<sup>692</sup> Draft Decision, paragraphs 102, 221, 227 and 251.<br />
<sup>693</sup> NO SA Objection, pp. 11-12.<br />
94<br />
Adopted365. Though the IE SA touches upon the notions of effectiveness, proportionality and dissuasiveness in<br />
relation to the proposed fine 69, there is no justification based on elements specific to the case to<br />
<br />
explain the modest fine range chosen. Moreover, the EDPB notes that while the IE SA takes into<br />
considerationthe turnoverof theundertakingtoensure thatthefine it proposed doesnot exceedthe<br />
695<br />
maximum amount of the fine provided for in Article83(5) GDPR ,theIESA does not articulatehow<br />
andtowhatextentthe turnover ofthisundertaking isconsidered toascertainthatthe administrative<br />
696<br />
fine meetsthe requirementof effectiveness, proportionality and dissuasiveness . Inthis regardthe<br />
EDPB recalls that, contraryto Meta IE’sviews 69, the turnover of the undertaking concerned is not<br />
exclusively relevant for the determination of the maximum fine amount in accordance with Article<br />
<br />
83(4)-(6) GDPR,butshould alsobe consideredfor thecalculationof thefine itself, whereappropriate,<br />
toensure the fine iseffective,proportionate anddissuasive inaccordancewithArticle 83(1)GDPR 698.<br />
<br />
The EDPB therefore instructs the IE SA to modify its Draft Decision to elaborate on the manner in<br />
which the turnover of the undertaking concerned has beentakeninto account for the calculationof<br />
the fine.<br />
<br />
<br />
366. In light of the above, the EDPB considers that the proposed fine does not adequately reflect the<br />
<br />
seriousness andseverity of the infringements nor has a dissuasive effect on Meta IE. Therefore, the<br />
fine does not fulfil the requirement of being effective, proportionate and dissuasive in accordance<br />
with Article 83(1) and (2) GDPR. Inlight of this, the EDPB directs the IE SA to set out a significantly<br />
<br />
higher fine amount for the transparencyinfringementsidentified, in comparison withthe upper limit<br />
for the administrative fine envisagedin the Draft Decision. Indoing so, the IESA must remainin line<br />
<br />
withthe criteriaof effectiveness, proportionality, anddissuasiveness enshrined inArticle 83(1)GDPR<br />
inits overallreassessment of the amountof the administrativefine.<br />
<br />
<br />
9.2 On the determination of anadministrative finefor further infringements<br />
<br />
<br />
9.2.1 Analysis by the LSA in the Draft Decision<br />
367. The IE SA in the Draft Decision concludes that Meta IE has not sought to rely on consent in order to process personal data to deliver its service as outlined in the Instagram Terms of Use and is not legally obliged to rely on consent in order to do so (Finding 1) 699. Alongside, the IE SA concludes that Meta IE can rely on Article 6(1)(b) GDPR as a legal basis to carry out the personal data processing activities involved in the provision of its service to users, including behavioural advertising insofar as that forms a core part of the service (Finding 2) 700. In these terms, the IE SA did not propose to establish an infringement of Article 6(1) GDPR.<br />
<br />
<br />
<br />
<br />
<br />
<br />
694 Draft Decision, paragraphs 255-258.<br />
695 Draft Decision, paragraph 295.<br />
696 EDPB Guidelines on calculation of fines, paragraph 120.<br />
697 Meta IE Article 65 Submissions, paragraphs 9.8-9.10. In addition, Meta IE’s argument that “[turnover] is not a relevant consideration when determining the amount of the fine under Article 83(2) GDPR” is not within the scope of the dispute as no CSAs raised an objection on the consideration of turnover under this provision (Meta IE Article 65 Submissions, paragraphs 9.5-9.8).<br />
698 EDPB Binding Decision 1/2021, paragraphs 405-412.<br />
699 Draft Decision, p. 23.<br />
700 Draft Decision, paragraphs 111-115 and p. 40.<br />
<br />
<br />
<br />
95<br />
Adopted<br />
368. In addition, no infringement of Article 9(1) GDPR has been found as the IE SA has not identified and separately assessed any processing of special categories of personal data by Meta IE in the context of Instagram Terms of Use.<br />
<br />
<br />
369. The IE SA in its Draft Decision concludes that Meta IE has infringed Article 5(1)(a), Article 13(1)(c) and Article 12(1) GDPR due to the lack of transparency in relation to the processing for which Article 6(1)(b) GDPR has been relied on (Finding 3) 701.<br />
<br />
<br />
9.2.2 Summary of the objections raised by the CSAs<br />
370. The AT, DE, FR, IT, NO, and SE SAs object to the LSA’s failure to take action with respect to one or more specific infringements they deem should have been found 702 and ask the IE SA to impose a higher administrative fine as a result of these additional infringements.<br />
<br />
<br />
Objections requesting the imposition of a fine for the additional infringement of Article 6(1) GDPR or Article 6(1)(b) GDPR<br />
<br />
371. The DE and FR SAs 703 ask for the administrative fine to be increased as a consequence of the proposed finding of an infringement of Article 6(1) GDPR 704. The AT, NO and SE SAs argue that the fine should be increased following the finding of an infringement of Article 6(1)(b) GDPR 705.<br />
<br />
372. The DE SAs state that the fact that Article 6(1) GDPR was infringed is not properly reflected in the calculation of the fine in the Draft Decision 706. The DE SAs argue that in the current case the processing of personal data was performed without a legal basis as consent of the data subjects would be required, which was not given, and that the “Draft Decision is insofar not in compliance with Article 83 GDPR as it does not consider the additional infringement of Articles 5(1)(a), Art. 6(1), 9(1) when calculating the amount of the administrative fine” 707. The DE SAs state that it is a highly serious infringement under Article 83(2)(a) GDPR considering that personal data of at least<br />
individuals were affected 708. The DE SAs also highlight that the fine imposed needs to aim to prevent further infringements of the GDPR; first, it should have “special preventive” effects, meaning that the amount imposed needs to be such that “it is not to be expected that the specific controller will commit similar infringements again” by having “such a noticeable impact on the profits of the undertaking that future infringements of data protection law would not be ‘discounted’ into the processing performed by the undertaking lightly”; secondly, it should have “general preventive” effects by leading other controllers to “make a significant effort to avoid similar violations” 709.<br />
<br />
<br />
701 Draft Decision, p. 71.<br />
702 AT SA Objection, pp. 11-12; DE SAs Objection, p. 10 and 12; FR SA Objection, pp. 9-10; NO SA Objection, pp. 9-13; SE SA Objection, pp. 4-5.<br />
703 FR SA Objection, paragraph 44; DE SAs Objection, p. 10.<br />
704 DE SAs Objection, pp. 1-6 and pp. 9-10; FR SA Objection, paragraphs 5-14, 33 and 52.<br />
705 AT SA Objection, pp. 11-12; NO SA Objection, pp. 10-11; SE SA Objection, pp. 4-5. In addition, also the DE (DE SAs Objection, p. 10), FI and NO (NO SA Objection, p. 9) SAs (FI SA Objection, paragraph 26) argue that an administrative fine should be imposed for the infringement of Article 6(1)(b) GDPR; however, this aspect of the objection raised by the DE, FI and NO SAs was deemed to be not relevant and reasoned by the EDPB in paragraph 85 above.<br />
706 DE SAs Objection, p. 10.<br />
707 DE SAs Objection, p. 10.<br />
708 DE SAs Objection, p. 10.<br />
<br />
<br />
373. The FR SA considers that some violations are wrongly not included in the Draft Decision 710 and argues that “since it considers that breach of Articles 6 has been committed, which is added to the other breaches found by the Irish data protection authority, the amount proposed by the latter should be accordingly increased” 711. The FR SA recalls that the same approach of cumulating the amounts of the fine has been adopted by the EDPB in points 324 to 327 of its Binding Decision 1/2021 712.<br />
<br />
<br />
374. On risks posed by the Draft Decision, the DE SAs explain that the shortcoming of the Draft Decision would cause significant risks for the fundamental rights and freedoms of the data subjects, “because an effective enforcement of the GDPR, which is the precondition for the protection of the fundamental rights and freedoms of the data subjects, cannot be ensured” 713. The DE SAs also point out that administrative fines shall in each individual case be effective, proportionate and dissuasive and both special and general preventive since these two “concepts aim to protect the fundamental rights and freedom of the data subjects by preventing further infringements of the GDPR” 714. Moreover, the DE SAs raise that “the non-compliance with one of the central provisions of the GDPR would not have any negative financial impact on the undertaking and therefore, from an economical point of a view could be a reasonable option for controllers” 715. The FR SA considers that adopting the IE SA's Draft Decision as it stands “presents a risk to the fundamental rights and freedoms of the data subjects, in accordance with Article 4(24) of the GDPR” 716 and “would lead to a levelling down of the level of administrative fines imposed by European data protection authorities, thereby reducing the authorities' coercive power and, consequently, their ability to ensure effective compliance with the protection of the personal data of European residents” 717.<br />
<br />
<br />
***<br />
<br />
<br />
375. The AT, NO and SE SAs, which considered that the IE SA should have found an infringement of Article 6(1)(b) GDPR 718, ask for the administrative fine to be increased as a consequence of that infringement.<br />
<br />
<br />
376. The AT SA argues that “the additional infringement [of Article 6(1)(b) GDPR] is not properly reflected in the envisaged amount of the administrative fine” and that the IE SA’s Draft Decision is not in compliance with Article 83 GDPR insofar as it does not consider the additional infringement of Article 6(1)(b) GDPR when calculating the amount of the administrative fine 719.<br />
<br />
<br />
<br />
<br />
<br />
<br />
709 DE SAs Objection, p. 10.<br />
710 FR SA Objection, paragraph 44.<br />
711 FR SA Objection, paragraph 44.<br />
712 FR SA Objection, paragraph 44.<br />
713 DE SAs Objection, p. 12.<br />
714 DE SAs Objection, p. 10.<br />
715 DE SAs Objection, p. 12.<br />
716 FR SA Objection, paragraph 47.<br />
717 FR SA Objection, paragraph 48.<br />
718 AT SA Objection, pp. 1-7; NO SA Objection, pp. 10-11; SE SA Objection, pp. 2-3.<br />
719 AT SA Objection, p. 11.<br />
<br />
<br />
<br />
377. The NO SA states that an administrative fine should be imposed for Meta IE’s processing of personal data in the context of online behavioural advertising without a valid legal basis 720. The NO SA analyses several of the criteria listed in Article 83(2) GDPR in order to prove the need of the imposition of an administrative fine 721. Specifically, the NO SA argues that an administrative fine of a substantial amount is needed, in light of the nature and gravity of the infringement (given that “the principle of lawfulness [...] is a fundamental pillar of the GDPR” and “processing personal data without a legal basis is a clear violation of the data subjects’ fundamental right to data protection because no one should have to tolerate processing of their personal data save for when it is legitimised by the legislators” 722), as well as the scope of the processing (“wide”, as “all data subject activity may potentially be used for OBA purposes”), the number of data subjects affected in the EEA (“hundreds of millions”) and the intangible damage suffered by them (Article 83(2)(a) GDPR), the high level of responsibility of Meta IE (Article 83(2)(d) GDPR), the categories of personal data involved (“of a very personal and private nature”, able to “reveal intimate details of the data subjects’ lifestyle, mindset, preferences, psychological wellbeing et cetera”) (Article 83(2)(g) GDPR) and an additional aggravating factor (high likelihood of contribution to development of “targeting algorithms which may be harmful on an individual and societal level”, Article 83(2)(k) GDPR) 723.<br />
<br />
<br />
378. The SE SA argues that “the Draft Decision is not in compliance with Article 83 insofar as the additional infringement of Article 6(1)(b) is not considered in calculating the administrative fine” and that “an administrative fine pursuant to Article 83 GDPR cannot be regarded as ‘effective, proportionate and dissuasive’ when the provision that the processing is based on, namely Article 6(1)(b) GDPR, was infringed and when this infringement is not properly reflected in the envisaged amount of the administrative fine” 724. The SE SA takes the view that the intentional character of the infringement (Article 83(2)(b) GDPR) and the financial benefits gained from the infringement (Article 83(2)(k) GDPR) must be found as aggravating factors 725. As to intentionality, the SE SA argues that the switch from consent to Article 6(1)(b) GDPR in 2018 suggests this act was done with the intention of circumventing the new rights afforded to users by the GDPR when the processing relies upon consent, and that in any way the infringement needs to be considered as intentional at least as of the moment of adoption of the EDPB Guidelines on Article 6(1)(b) GDPR which “clearly gives doubt to the legality of the processing” 726. As to the financial benefits gained, the SE SA argues “Meta Ireland has made significant financial gain from being able to provide personal advertisement as part of a whole take it or leave it offer for its social media platform service” and that due to the unclear information provided to data subjects it can be reasonably assumed that more data subjects have been misled into being subject to the processing 727. Lastly, the SE SA considers it would be appropriate to take into account Meta IE’s turnover for the calculation of the fine in order to make it effective and dissuasive 728.<br />
<br />
<br />
<br />
<br />
<br />
<br />
720 NO SA Objection, p. 10.<br />
721 NO SA Objection, pp. 10-11.<br />
722 The NO SA also highlights that “[behavioural advertising] entails profiling, which inherently constitutes risks for the data subjects’ integrity”.<br />
723 NO SA Objection, pp. 10-11.<br />
724 SE SA Objection, p. 4.<br />
725 SE SA Objection, p. 4.<br />
726 SE SA Objection, p. 4.<br />
727 SE SA Objection, p. 4.<br />
728 SE SA Objection, pp. 4-5.<br />
<br />
<br />
<br />
379. On risks posed by the Draft Decision, the AT SA argues that “should the Draft Decision be approved in its current version, the risks for the fundamental rights and freedoms of data subjects lie in the fact that the action envisaged in relation to the controller is likely to fall short of the proportionality and – above all – dissuasiveness requirements set forth in Article 83 GDPR” and that “ignoring infringements of the GDPR when calculating fines would lead to lesser compliance with the GDPR and ultimately to lesser protection of data subjects in relation to the processing of personal data” 729. The NO SA explains that not imposing a fine for the lack of legal basis creates the risk that the violated provisions are not respected by Meta IE or other controllers and the LSA would not be able to effectively safeguard the data subjects’ rights, and that “in absence of corrective measures that create the appropriate incentives for [Meta IE] and other controllers to change their behaviour, the same or similar violations are likely to reoccur to the detriment of the complainant and other data subjects” 730. The SE SA argues the infringement of Article 6(1)(b) GDPR “is not properly reflected in the envisaged amount of the administrative fine, it shows controllers (Meta Ireland included) that enforcement of the GDPR and its provisions is not effective. This threatens compliance with the GDPR on a general level, seeing as how non-compliance could be a viable option for controllers when the costs for compliance are greater. Given the proposed changed findings regarding legal basis, there are significant risks to the fundamental rights of data subjects if these does not also merits a substantive increase in fines to dissuade Meta Ireland and other controllers” 731.<br />
<br />
<br />
Objections requesting the imposition of a fine for the additional infringement of Article 9 GDPR<br />
<br />
380. The DE and FR SAs argue that, as the IE SA should have identified and separately assessed any processing of special categories of personal data under Article 9 GDPR in the context of the Instagram Terms of Use and that Meta IE processes the entire amount of data it holds, including special categories of data in breach of Articles 6 and 9 GDPR 732, the amount of the fine should be increased accordingly 733.<br />
<br />
<br />
381. The DE SAs state that “the infringement of Article 5(1)(a), Article 6(1) and Article 9(1) GDPR [...] also entails an administrative measure and a fine according to Art. 83(2)(5) GDPR” 734, and argue that these infringements are “serious” 735. The FR SA considers that a breach of Article 9 GDPR is wrongly not included in the Draft Decision 736 and that the amount of the fine proposed by the LSA should be increased in light of the addition of such infringements to those already established 737. The FR SA recalls that the same approach of cumulating the amounts of the fine has been adopted by the EDPB in points 324 to 327 of the Binding Decision 1/2021 738.<br />
<br />
<br />
382. On risks posed by the Draft Decision, the DE SAs explain that the shortcoming of the Draft Decision would cause significant risks for the fundamental rights and freedoms of the data subjects, “because an effective enforcement of the GDPR, which is the precondition for the protection of the fundamental rights and freedoms of the data subjects, cannot be ensured” 739. The DE SAs also point out that administrative fines shall in each individual case be effective, proportionate and dissuasive and both special and general preventive since these two “concepts aim to protect the fundamental rights and freedom of the data subjects by preventing further infringements of the GDPR” 740. Moreover, the DE SA raises that “the non-compliance with one of the central provisions of the GDPR would not have any negative financial impact on the undertaking and therefore, from an economical point of a view could be a reasonable option for controllers” 741. The FR SA considers that adopting the IE SA's Draft Decision as it stands “presents a risk to the fundamental rights and freedoms of the data subjects, in accordance with Article 4(24) of the GDPR” 742 and “would lead to a levelling down of the level of administrative fines imposed by European data protection authorities, thereby reducing the authorities' coercive power and, consequently, their ability to ensure effective compliance with the protection of the personal data of European residents” 743.<br />
<br />
<br />
729 AT SA Objection, p. 12.<br />
730 NO SA Objection, p. 12.<br />
731 SE SA Objection, p. 5.<br />
732 See Section 5.2., paragraphs 150-155.<br />
733 DE SAs Objection, pp. 7-8; FR SA Objection, paragraph 30.<br />
734 DE SAs Objection, p. 10.<br />
735 DE SAs Objection, p. 10.<br />
736 FR SA Objection, paragraph 44.<br />
737 FR SA Objection, paragraph 44.<br />
738 FR SA Objection, paragraph 44.<br />
<br />
<br />
Objections requesting the imposition of a fine for the additional infringement of Article 5(1)(a) and 5(1)(b)-(c) GDPR<br />
<br />
383. The IT SA argues that the fine should be increased following the finding of an infringement of Article 5(1)(a) GDPR 744, and of Article 5(1)(b) and Article 5(1)(c) GDPR 745. As stated in Section 6.2 of this Binding Decision, the IT SA agrees to a large extent with the Draft Decision’s Finding 3 on the infringement of Article 12(1), Article 13(1)(c), and Article 5(1)(a) GDPR in terms of transparency 746 but it argues that Meta IE has also failed to comply with the more general principle of fairness under Article 5(1)(a) GDPR, which, in the view of the IT SA, entails separate requirements from those relating specifically to transparency 747. Moreover, as analysed in Section 7.2, the IT SA states that there is an additional infringement of points (b) and (c) of Article 5(1) GDPR on account of Meta IE’s failure to comply with the purpose limitation and data minimisation principles 748. The IT SA asks for a fine to be issued for those two additional infringements. With regard to Article 5(1)(a) GDPR, the IT SA argues that the finding of such infringement “should result into the imposition of the relevant administrative fine as per Article 83(5)(a) GDPR” as far as “the infringement of the fairness principle in addition to the transparency one [...] should result into increasing the amount of the said fine substantially by having regard to the requirement that each fine should be proportionate and dissuasive. Indeed, the gravity of the infringement would be factually compounded” 749. With reference to Article 5(1)(b) and Article 5(1)(c) GDPR, the IT SA considers that “the infringement of purpose limitation and data minimisation principles (...) should result into increasing the amount of the said fine substantially by having regard to the requirement that each fine should be proportionate and dissuasive. Indeed, the gravity of the infringement would be factually compounded” 750.<br />
<br />
<br />
<br />
<br />
739 DE SAs Objection, p. 12.<br />
740 DE SAs Objection, p. 10.<br />
741 DE SAs Objection, p. 12.<br />
742 FR SA Objection, paragraph 47.<br />
743 FR SA Objection, paragraph 48.<br />
744 IT SA Objection, Section 2, p. 7.<br />
745 IT SA Objection, Section 2, p. 4.<br />
746 IT SA Objection, Section 2, pp. 4-5.<br />
747 IT SA Objection, Section 2, pp. 4-7.<br />
748 IT SA Objection, Section 1, pp. 2-4.<br />
749 IT SA Objection, pp. 6-7.<br />
750 IT SA Objection, p. 4.<br />
<br />
<br />
<br />
384. On the significance of risks posed by the Draft Decision, the IT SA argues that “the failure to find an infringement of Article 5(1)(a) GDPR as for the fairness principle may become a dangerous precedent with a view to future decisions concerning other digital platform operators – more generally, other controllers that rely on the same business model – and markedly weaken the safeguards to be provided by way of the effective, comprehensive implementation of the data protection framework including the fairness of processing principle” 751. With reference to Article 5(1)(b) and Article 5(1)(c) GDPR, the IT SA adds that, should the Draft Decision be approved in its current version, the infringement of two key principles of the whole data protection framework as introduced by the GDPR will not be punished, “which would seriously jeopardise the safeguards the data subjects (Instagram users) are entitled to” 752.<br />
<br />
<br />
9.2.3 Position of the LSA on the objections<br />
<br />
385. The LSA considers none of the objections requesting the imposition of a fine for the proposed additional infringements as meeting the threshold set by Article 4(24) GDPR 753. Given that these objections were premised upon the requirement for the Draft Decision to include findings of infringement of Article 6(1)(b), Article 9, Article 5(1)(a), 5(1)(b) and 5(1)(c) GDPR, on which the IE SA expressed its disagreement – the IE SA does not consider the objections requesting exercise of a corrective power in response to these findings of infringement as being relevant and reasoned.<br />
<br />
<br />
9.2.4 Analysis of the EDPB<br />
<br />
9.2.4.1 Assessment of whether the objections were relevant and reasoned<br />
386. The objections raised by the AT, DE, FR, IT, NO, and SE SAs concern “whether the action envisaged in the Draft Decision complies with the GDPR” 754.<br />
<br />
<br />
387. The EDPB takes note of Meta IE’s view that not a single objection put forward by the CSAs meets the threshold of Article 4(24) GDPR 755. Meta IE rejects the objections in this section based on its view that the LSA has sole discretion to determine corrective measures 756. The EDPB responds to these arguments above (see Section 8.4.2) and is of the view that CSAs may ask for specific corrective measures to be taken by the LSA, whether this concerns infringements already identified in the Draft Decision or as a result of the one identified by the CSA in its objection 757. Meta IE refutes the allegations of additional infringements put forward in the objections, and by consequence, any demands for increasing the administrative fine in relation to them 758. The EDPB recalls that the assessment of admissibility of objections and the assessment of the merits are two distinct steps 759.<br />
<br />
<br />
388. The EDPB finds that the objections concerning the increase of the administrative fine in connection with the additional infringement of Article 6(1)/6(1)(b) GDPR and/or Article 9 GDPR raised by the AT, DE, FR, NO, and SE SAs stand in direct connection with the substance of the Draft Decision, as they concern the imposition of a corrective measure for an additional infringement, which would be found as a consequence of reversing the conclusions in the Draft Decision also in scope of this dispute 760. Clearly, the decision on the merits of the demands to take corrective measures for a proposed additional infringement is affected by the EDPB’s decision on whether to reverse the findings in the Draft Decision and whether to instruct the LSA to establish additional infringements.<br />
<br />
<br />
751 IT SA Objection, p. 7.<br />
752 IT SA Objection, p. 4.<br />
753 Composite Response, paragraph 110.<br />
754 EDPB Guidelines on RRO, paragraph 32.<br />
755 Meta IE Article 65 Submissions, Annex 1, p. 65.<br />
756 Meta IE Article 65 Submissions, Annex 1, paragraphs 1.31, 2.21, 5.18, 7.15, 9.22, and 10.16.<br />
757 EDPB RRO Guidelines, paragraph 34. See also Recital 150 GDPR. The EDPB found several objections on this subject matter admissible in the past, see Binding Decision 2/2022, paragraphs 186-190.<br />
758 See Meta IE Article 65 Submissions, paragraphs 8.10-8.15, and more specifically Annex 1, paragraphs 1.33, 2.18, 5.20, 7.13, 9.18 and 9.20, and 10.16.<br />
759 EDPB Guidelines on Article 65(1)(a), paragraph 63.<br />
<br />
<br />
389. The EDPB takes note of further arguments put forward by Meta IE aiming to demonstrate the lack of relevance of these objections, specifically with regard to the objections raised by the AT SA 761. However, the EDPB notes that Meta IE disagrees with the content of these objections, which concerns its merits and not its admissibility.<br />
<br />
<br />
390. If followed, these objections would lead to a different conclusion in terms of corrective measures imposed 762. In consequence, the EDPB considers the objections raised by the AT, DE, FR, NO and SE SAs in connection to imposing an administrative fine for the alleged breach of Article 6(1)/6(1)(b) GDPR and/or Article 9 GDPR to be relevant.<br />
<br />
<br />
391. Meta IE argues that the AT, NO, and SE SAs objections in relation to the need to increase the fine amount because of the alleged infringement of Article 6(1)(b) GDPR lack adequate reasoning as they fail to demonstrate why Meta IE could not rely on Article 6(1)(b) GDPR 763. According to Meta IE, the SE SA’s objection is also based on the unfounded claim that Meta IE intentionally sought to circumvent data subject rights by switching from consent to contractual necessity as the legal basis in May 2018 764. Furthermore, Meta IE takes the view that the objections from the AT, DE, FR and NO SAs are not sufficiently reasoned as they refer to the use of administrative fine as “general preventive measures” on controllers, thus speculating on potential future behaviour or intentions of unidentified controllers 765. The EDPB understands that Meta IE disagrees with the reasoning provided in the objections, which thus concerns their merits and not their admissibility.<br />
<br />
<br />
392. In addition, Meta IE argues that the FR SA’s objection is not reasoned because it does not substantiate “how a fine for the additional purported infringements would be calculated, whether this fine would need to be added to the proposed fine and how this would affect the overall fine” 766. Meta IE further takes issue with the AT SA’s objection and argues it has not put forward a sufficiently reasoned basis for its objection to challenge the LSA’s calculation of the criteria laid down in Article 83(2) GDPR 767. In this respect, the EDPB recalls that CSAs are not required to engage in a full assessment of all the aspects of Article 83 GDPR in order for an objection on the appropriate administrative fine to be considered reasoned. It is sufficient to lay out which aspect of the Draft Decision that, in their view, is deficient/erroneous and why. Second, the EDPB recalls that the criteria listed in Article 83(2) GDPR are not exhaustive, thus it is entirely possible to argue an administrative fine is not “effective, proportionate and dissuasive” in the meaning of Article 83(1) GDPR without referring to a specific criterion listed in Article 83(2) GDPR.<br />
<br />
<br />
760 AT SA Objection, p. 11; DE SAs Objection, p. 2; FR SA Objection, paragraphs 44 and 50; NO SA Objection, p.<br />
SE SA Objection, p. 4.<br />
761 Meta IE Article 65 Submissions, Annex 1, paragraph 1.32. According to Meta IE, by referring to the fact that “Meta Ireland is... the provider of one of the biggest social media network in the world”, the AT SA “fails to explain how this relates to any specific factual and legal content of the Draft Decision”.<br />
762 AT SA Objection, p. 11; DE SAs Objection, p. 2; FR SA Objection, paragraph 44 and 50; NO SA Objection, p. 11; SE SA Objection, p. 4.<br />
763 Meta IE Article 65 Submissions, Annex 1, 1.33, 9.20, and 10.17.<br />
764 Meta IE Article 65 Submissions, Annex 1, 10.17.<br />
765 Meta IE Article 65 Submissions, Annex 1, paragraphs 1.35, 2.22, 5.16 and 9.23. Meta IE adds that “in any event, where a fine as large as that currently proposed in the Draft Decision is imposed, there is no doubt that other controllers will take note of this in such circumstances”.<br />
766 Meta IE Article 65 Submissions, Annex 1, paragraph 5.20.<br />
767 Meta IE Article 65 Submissions, Annex 1, paragraph 1.34.<br />
<br />
<br />
393. The EDPB finds that the AT, DE, FR, NO and SE SAs adequately argue why they propose amending the Draft Decision 768 and how this leads to a different conclusion in terms of administrative fine imposed 769.<br />
<br />
<br />
394. In terms of risks, Meta IE claims the Draft Decision does not pose any risk, let alone a significant risk to fundamental rights, and argues the objections of the AT, DE, FR, NO and SE SAs 770 fail to demonstrate the contrary, as required.<br />
<br />
<br />
395. More specifically, Meta IE considers that the DE and FR SAs’ objections focus on increasing the “punitive impact” of the fine on Meta IE rather than demonstrating any significant risks to the fundamental rights of data subjects 771. In this regard, Meta IE argues the AT, DE, NO, and SE SAs’ objections rest on unsubstantiated possible effect of the Draft Decision on the future behaviour of other controllers, instead of doing a case by case assessment under Article 83 GDPR 772. In particular, Meta IE claims that, in doing so, the assessment made by these supervisory authorities is incorrect to the extent it only takes into account financial costs and does not consider reputational costs 773.<br />
<br />
<br />
396. The EDPB recalls that any risk assessment addresses future outcomes which are to some degree uncertain 774. Contrary to Meta IE’s views, the objections reflect specifically on Meta IE’s future approach in the event the Draft Decision is adopted as it stands and go beyond providing “speculative argument based on the putative lack of a general preventive impact on other controllers” 775. The EDPB also notes that the DE, FR, NL, NO and SE SAs 776 considered both of the aspects that are entailed by dissuasiveness of the fine, i.e. specific deterrence and general deterrence 777.<br />
<br />
<br />
<br />
<br />
768 AT SA Objection, p. 11; DE SAs Objection, p. 10; FR SA Objection, paragraph 50; NO SA Objection pp. 9-11; SE SA Objection p. 4.<br />
769 AT SA Objection, pp. 11-12; DE SAs Objection, p. 12; FR SA Objection, paragraphs 44-45; NO SA Objection p. 13; SE SA Objection, p. 4.<br />
770 Meta IE Article 65 Submissions, Annex 1, paragraphs 1.36-1.40, 2.24-2.27, 5.22-5.25, 9.25-9.27, and 10.18-10.20.<br />
771 Meta IE Article 65 Submissions, Annex 1, paragraphs 2.24 and 5.22.<br />
772 Meta IE Article 65 Submissions, Annex 1, paragraphs 1.38, 2.25, 5.23, 9.26, and 10.18.<br />
773 Meta IE Article 65 Submissions, Annex 1, paragraphs 1.38, 2.26, 5.24, and 10.19. Meta IE adds that, in any case, it “does not consider that fines such as the one proposed in the Draft Decision could encourage other companies not to comply with the GDPR”.<br />
774 See Section 9.1.4.1 of this Binding Decision.<br />
775 Meta IE Article 65 Submissions, Annex 1, paragraph 10.18 (SE SA).<br />
776 DE SAs Objection, p. 12 (referring to the “undertaking in question”), FR SA Objection, paragraph 47 (referring to “the controller”); IT SA Objection pp. 8-9 (referring to “the controller”); NL SA Objection, paragraph 52 (referring to the risks in relation to “the illegal processing at hand”); NO SA Objection, p. 12 (referring to “incentives for Meta IE”).<br />
777 The CJEU has consistently held that a dissuasive fine is one that has a genuine deterrent effect, encompassing both specific deterrence (discouraging the addressee of the fine from committing the same<br />
<br />
<br />
<br />
397. The EDPB finds that the AT, DE, FR, NO, and SE SAs articulate an adverse effect on the rights and freedoms of data subjects if the Draft Decision is left unchanged, by referring to a failure to guarantee a high level of protection in the EU for the rights and interests of the individuals 778.<br />
<br />
<br />
398. Therefore,theEDPBconsiders the AT,DE,FR, NO, andSE SAsobjectionsconcerning the impositionof<br />
a fine for the alleged additional infringements of Article 6/6(1)(b) and/or Article 9 GDPR to be<br />
<br />
reasoned.<br />
<br />
<br />
***<br />
<br />
399. With respect tothe objection raisedby the IT SA concerning the imposition of anadministrative fine<br />
<br />
for the infringement of the fairness principle enshrined in Article 5(1)(a) GDPR, the EDPB finds,<br />
contrarytoMetaIE’sviews 77, thatit standsin connection withthe substance of the DraftDecision,<br />
asit concerns the imposition of a correctivemeasure for anadditionalinfringement, whichwould be<br />
<br />
found asaconsequence ofincorporatingthefinding putforwardbythe objection.Clearly,thedecision<br />
on the merits of the demand to take corrective measures for a proposed additional infringement is<br />
<br />
affectedby the EDPB’sdecision onwhether toinstruct theLSA toinclude anadditionalinfringement.<br />
<br />
<br />
400. If followed, the IT SA’s objection would lead to a different conclusion in terms of corrective<br />
measuresimposed 78. Taking note of Meta IE’sposition 781, the EDPB finds the objections raisedby<br />
the ITSA tobe relevant.<br />
<br />
<br />
401. MetaIE arguesthe IT SA’s objection does not put forward reasonable doubt as tothe validityof the<br />
<br />
LSA’s calculation of the fine and claims there is no basis in the GDPR for suggesting that an<br />
administrativefine must havea ‘’generaldeterrenteffect’’ 78.TheEDPBfindsthattheITSAadequately<br />
<br />
argueswhy theypropose amending the DraftDecisionandhow this leadstoa different conclusion in<br />
termsofadministrative fine imposed 783.<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
infringementagain)andgeneraldeterrence(discouragingothersfromcommittingthesameinfringementin<br />
<br />
thefuture).See,interalia,C-511/11,Versalis,paragraph94.<br />
778AT SAObjection,p.11-12;DESAs Objection,p.12;FRSAObjection,paragraphs47-48;NOSAObjection,p.<br />
12; SESAObjection,p.5.SeealsoEDPBGuidelinesonRRO,paragraph37.<br />
779Meta IEArticle65Submissions,paragraph7.13.AccordingtoMeta IE,theITSAobjectionsisnotrelevant<br />
<br />
giventhattheLSAhas notfoundanyinfringementofthefairness,purposelimitationanddata minimisation<br />
principles(Article5(1)(a)-(c)GDPR).<br />
780ITSAObjection,p.7.<br />
781Meta IE Article65 Submissions, paragraph 7.13. According to Meta IE, given theIE SA has not found any<br />
infringementofthefairnessprinciple,thereisnobasisfortheimpositionofa fineonthisground.EDPBalready<br />
<br />
782pondedtothislineofreasoningaboveinSection8.4.2.<br />
Meta IEArticle65Submissions,paragraphs7.15-16.<br />
783TheITSAargues thatthefindingofsuchinfringement“shouldresultintoincreasingtheamountofthesaid<br />
finesubstantiallybyhavingregardtotherequirementthateachfineshouldbeproportionateanddissuasive’’<br />
insofaras‘’thegravityoftheinfringementwouldbefactuallycompounded.”(ITSAObjection,pp.6-7).<br />
<br />
<br />
<br />
104<br />
Adopted402. MetaIEarguesthe objectionof theIT SA fails todemonstrate the riskposed by the DraftDecision,as<br />
required 784 and,indoing so, MetaIEdismisses the concernsarticulatedbythe ITSA ontheprecedent<br />
785<br />
the DraftDecisionsetsfor othercontrollers .<br />
<br />
403. The EDPBfindsthattheITSA articulatesanadverse effectonthe rightsandfreedomsof datasubjects<br />
<br />
ifthe DraftDecision isleft unchanged, byreferringtoa failure toguaranteea highlevelofprotection<br />
inthe EU for the rightsandinterestsofthe individuals 78.<br />
<br />
<br />
404. Therefore, the EDPB considers the IT SA’s objection concerning the imposition of a fine for the additional infringement of the principle of fairness enshrined in Article 5(1)(a) GDPR to be reasoned.<br />
<br />
***<br />
<br />
405. The EDPB recalls its analysis of whether the objection raised by the IT SA in respect of the proposed additional infringements of Article 5(1)(b) and Article 5(1)(c) GDPR meets the threshold set by Article 4(24) GDPR (see Section 7.4.1 above). In light of the conclusion that such objection is not relevant and reasoned, the EDPB does not need to further examine this linked objection.<br />
<br />
9.2.4.2 Assessment on the merits<br />
<br />
406. In accordance with Article 65(1)(a) GDPR, the EDPB shall take a Binding Decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether the envisaged action in relation to the controller or processor complies with the GDPR. More specifically, the EDPB needs to assess whether an administrative fine should be imposed for the additional infringements of Article 6(1) GDPR and the principle of fairness under Article 5(1)(a) GDPR. However, in light of its findings in Section 5.4.2 above, the EDPB does not need to examine the merits of the objections of the DE and FR SAs requesting the imposition of a fine for the alleged additional breach of Article 9 GDPR.<br />
<br />
407. The EDPB recalls that the consistency mechanism may also be used to promote a consistent application of administrative fines 787 and that the objective pursued by the corrective measure chosen can be to re-establish compliance with the rules or to punish unlawful behaviour (or both) 788. The EDPB responds above to Meta IE’s position that the LSA has sole discretion to determine which corrective measures are appropriate (see Section 8.4.2).<br />
<br />
9.2.4.2.1 Assessment of whether an administrative fine should be imposed for the infringement of Article 6(1) GDPR<br />
<br />
408. The EDPB recalls its conclusion in this Binding Decision on the infringement of Article 6(1) GDPR 789 and that the objections raised by the AT, DE, FR, NO and SE SAs found to be relevant and reasoned requested the IE SA to exercise its power to impose an administrative fine 790.<br />
<br />
784 Meta IE Article 65 Submissions, paragraph 7.18.<br />
785 Meta IE Article 65 Submissions, paragraph 7.19. On this, the EDPB has set out its position in Section 9.1.4.1 above.<br />
786 IT SA Objection, p. 7.<br />
787 Recital 150 GDPR. EDPB Guidelines on RRO, paragraph 34; EDPB Guidelines on Administrative Fines p. 7 (“When the relevant and reasoned objection raises the issue of the compliance of the corrective measure with the GDPR, the decision of EDPB will also discuss how the principles of effectiveness, proportionality and deterrence are observed in the administrative fine proposed in the draft decision of the competent supervisory authority”). See also above paragraph 344.<br />
788 EDPB Guidelines on Administrative Fines, p. 6. See also paragraph 354 of this Binding Decision.<br />
<br />
<br />
409. The EDPB takes note of Meta IE’s views that, even if an infringement is found, the appropriate course would be to refer the matter back to the LSA to determine whether to impose any appropriate corrective measures 791, and that the LSA has sole competence and discretion regarding the amount of the fine 792. The EDPB responds to Meta IE’s argument that the LSA has sole discretion to determine the appropriate corrective measures in the event of a finding of infringement above in Section 8.4.2.<br />
<br />
410. The EDPB concurs that the decision to impose an administrative fine needs to be taken on a case-by-case basis in light of the circumstances and is not an automatic one 793. In the case at hand, however, the EDPB agrees with the reasoning put forward by the AT, DE, FR, NO and SE SAs in their objections. The EDPB reiterates that lawfulness of processing is one of the fundamental pillars of the data protection law and considers that processing of personal data without an appropriate legal basis is a clear and serious violation of the data subjects’ fundamental right to data protection 794.<br />
<br />
411. Several of the factors listed in Article 83(2) GDPR speak strongly in favour of the imposition of an administrative fine for the infringement of Article 6(1) GDPR.<br />
<br />
The nature, gravity and duration of the infringement (Article 83(2)(a) GDPR)<br />
<br />
412. As mentioned above and outlined below 795, the nature and gravity of the infringement clearly tip the balance in favour of imposing an administrative fine.<br />
<br />
413. With respect to the scope of processing, the EDPB notes the IE SA’s assessment that the personal data processing carried out by Meta IE on the basis of Article 6(1)(b) GDPR is extensive, adding that “Meta Ireland processes a variety of data in order to provide Instagram users with a ‘personalised’ experience, including by way of serving personalised advertisements. The processing is central to and essential to the business model offered [...]” 796.<br />
<br />
414. In this respect, the EDPB also recalls that the infringement at issue relates to the processing of personal data of a significant number of people 797 and that the impact on them has to be considered.<br />
<br />
789 Section 4.4.2 of this Binding Decision.<br />
790 Paragraphs 390 and 398 of this Binding Decision.<br />
791 Meta IE Article 65 Submissions, paragraph 8.13.<br />
792 Meta IE Article 65 Submissions, paragraphs 9.2, 10.4.<br />
793 EDPB Guidelines on Administrative Fines, p. 6 (“Like all corrective measures in general, administrative fines should adequately respond to the nature, gravity and consequences of the breach, and supervisory authorities must assess all the facts of the case in a manner that is consistent and objectively justified. The assessment of what is effective, proportional and dissuasive in each case will have to also reflect the objective pursued by the corrective measure chosen, that is either to re-establish compliance with the rules, or to punish unlawful behaviour (or both)”), p. 7 (“The Regulation requires assessment of each case individually”; “Fines are an important tool that supervisory authorities should use in appropriate circumstances. The supervisory authorities are encouraged to use a considered and balanced approach in their use of corrective measures, in order to achieve both an effective and dissuasive as well as a proportionate reaction to the breach. The point is to not qualify the fines as last resort, nor to shy away from issuing fines, but on the other hand not to use them in such a way which would devalue their effectiveness as a tool.”).<br />
794 Article 8(2), EU Charter of Fundamental Rights. See NO SA objection, p. 10.<br />
795 In particular, see Section 4.4.2 of this Binding Decision as well as paragraphs 408, 413-415.<br />
796 Draft Decision, paragraph 221.<br />
<br />
<br />
415. Though the damage is very difficult to express in terms of a monetary value, it remains the case that data subjects have been faced with data processing that should not have occurred (by relying inappropriately on Article 6(1)(b) GDPR as a legal basis as established in Section 4.4.2). The data processing in question - behavioural advertising - entails decisions about information that data subjects are exposed to or excluded from receiving. The EDPB recalls that non-material damage is explicitly regarded as relevant in Recital 75 and that such damage may result from situations “where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data”. Given the nature and gravity of the infringement of Article 6(1)(b) GDPR, a risk of damage caused to data subjects is, in such circumstances, consubstantial with the finding of the infringement itself.<br />
<br />
The intentional or negligent character of the infringement (Article 83(2)(b) GDPR)<br />
<br />
416. The SE SA argues the infringement of Article 6(1)(b) GDPR should be considered intentional on Meta IE’s part, which is an aggravating factor 798.<br />
<br />
417. The EDPB takes note of Meta IE’s position that it did not act intentionally with the aim to infringe the GDPR, nor was negligent - but “has relied on what it has consistently considered in good faith to be a valid legal basis for the purpose of processing of personal data for behavioural advertising and which now requires escalation to the EDPB for resolution” 799. Before addressing each of the elements of this claim, the EDPB first notes that establishing either intent or negligence is not a requirement for imposing a fine, but deserves “due regard”. Second, contrary to what Meta IE implies, the mere circumstance that a dispute between the LSA and the CSAs has escalated to the EDPB does not serve as evidence that a controller acted in good faith with respect to the disputed issues. First, the dispute arises only (long) after the controller has decided on its course of action, and therefore cannot inform it. Second, a dispute may simply bring to light that an LSA has decided to challenge a position commonly held by (a majority of) the CSAs.<br />
<br />
418. The EDPB Guidelines on calculation of fines confirm that there are two cumulative elements on the basis of which an infringement can be considered intentional: the knowledge of the breach and the willfulness in relation to such act 800. By contrast, an infringement is “unintentional” when there was a breach of the duty of care, without having intentionally caused the infringement.<br />
<br />
419. The characterisation of an infringement as intentional or negligent shall be done on the basis of objective elements of conduct gathered from the facts of the case 801. It is worth noting the broader approach adopted with respect to the concept of negligence, since it also encompasses situations in which the controller or processor has failed to adopt the required policies, which presumes a certain degree of knowledge about a potential infringement 802. This provides an indication that non-compliance in situations in which the controller or processor should have been aware of the potential breach (in the example provided, due to the lack of the necessary policies) may amount to negligence.<br />
<br />
797 Draft Decision, paragraph 253, the Instagram service is provided to a significant portion of the population of the EEA. This aspect was also highlighted by the objections raised by the NO SA (NO SA Objection, pp. 10-11) and DE SAs (DE SAs Objection, pp. 9 and 11).<br />
798 SE SA Objection, pp. 4-5.<br />
799 Meta IE Article 65 Submissions, paragraph 8.28.<br />
800 The EDPB Guidelines on calculation of fines, paragraph 56, referring to the EDPB Guidelines on Administrative Fines: “in general, ‘intent’ includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas ‘unintentional’ means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law”.<br />
801 EDPB Guidelines on calculation of fines, paragraph 57 and EDPB Guidelines on Administrative Fines p. 12.<br />
<br />
<br />
420. The SE SA argues that Meta IE “has continued to rely on Article 6(1)(b) for the processing, despite the aforementioned [EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR] – which clearly gives doubt to the legality of the processing – which were first adopted on 9 April 2019 and made final on 8 October 2019. The infringement must in all cases be considered intentional from that later date” 803.<br />
<br />
421. The EDPB recalls that even prior to the adoption of EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR, there were clear indicators that spoke against relying on contract as legal basis. First, in WP29 Opinion 02/2010 on online behavioural advertising, only consent - as required by Article 5(3) of the ePrivacy Directive - is put forward as possible legal basis for this activity. As Article 6 GDPR resembles Article 7 of the Data Protection Directive to a large extent, WP29 Opinion 02/2010 remained a relevant source on this matter for controllers preparing for the GDPR to enter into application. Second, WP29 Opinion 06/2014 on the notion of legitimate interests explicitly states that “the fact that some data processing is covered by a contract does not automatically mean that the processing is necessary for its performance. For example, Article 7(b) is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his click-stream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example. Even if these processing activities are specifically mentioned in the small print of the contract, this fact alone does not make them ‘necessary’ for the performance of the contract” 804.<br />
<br />
422. It stems from the above that Meta IE had (or should have had) knowledge about the infringement of Article 6(1)(b) GDPR. However, this mere element is not sufficient to consider an infringement intentional, as stated above, since the “aim” or “wilfulness” of the action should be demonstrated.<br />
<br />
423. The EDPB recalls that having knowledge of a specific matter does not necessarily imply having the “will” to reach a specific outcome. This is in fact the approach adopted in the EDPB Guidelines on calculation of fines and WP29 Guidelines on Administrative Fines, where the knowledge and the “wilfulness” are considered two distinctive elements of the intentionality 805. While it may prove difficult to demonstrate a subjective element such as the “will” to act in a certain manner, there need to be some objective elements that indicate the existence of such intentionality 806.<br />
<br />
424. The EDPB recalls that the CJEU has established a high threshold in order to consider an act intentional. In fact, even in criminal proceedings the CJEU has acknowledged the existence of “serious negligence”, rather than “intentionality” when “the person responsible commits a patent breach of the duty of care which he should have and could have complied with in view of his attributes, knowledge, abilities and individual situation” 807. In this regard, while the EDPB confirms that a company for whom the processing of personal data is at the core of its business activities is expected to have sufficient measures in place for the safeguard of personal data 808, this does not, however, per se change the nature of the infringement from negligent to intentional.<br />
<br />
802 The EDPB Guidelines on calculation of fines, paragraph 56 (Example 4) quote the EDPB Guidelines on Administrative Fines, which mention, among the circumstances indicative of negligence, “failure to adopt policies (rather than simply failure to apply them)”.<br />
803 SE SA Objection, p. 4.<br />
804 WP29 Opinion 06/2014 on the notion of legitimate interests, p. 16-17.<br />
805 EDPB Guidelines on calculation of fines, paragraph 56, and EDPB Guidelines on Administrative Fines, p. 11.<br />
806 See EDPB Guidelines on calculation of fines, paragraphs 56 and 57, and WP29 Guidelines on Administrative Fines, p. 12.<br />
<br />
425. In this regard, the SE SA puts forward that Meta IE based its processing of personalised advertisement on consent until the GDPR came into force on 25 May 2018, and at this time switched to relying on Article 6(1)(b) GDPR for the processing in question instead. The timing and the logistics for this switch suggest this act was done with the intention of circumventing the new rights of users under Article 6(1)(a) GDPR. The SE SA adds that “[the] proposed finding of infringement concerning information deficits about the processing, namely on what legal basis it is based, further supports this conclusion, since it goes to show that Meta Ireland was aware of the questionable legality of that basis and tried to conceal the infringement to avoid scrutiny by supervisory authorities and data subjects” 809.<br />
<br />
426. The EDPB considers the timing of the changes made by Meta IE to its Instagram Terms of Use as an objective element, however this alone does not indicate intention. Around this time period, many controllers updated their data protection policies. The objection suggests that the conclusion on intentionality is corroborated by the shortcomings to the transparency obligations. In the EDPB’s view, the combination of the timing of the change of legal basis with the lack of transparency is not sufficient to indicate intention either.<br />
<br />
427. Therefore, on the basis of the available information, the EDPB is not able to identify a will of Meta IE to act in breach of the law as it cannot be concluded that Meta IE intentionally acted to circumvent its legal obligations.<br />
<br />
428. Therefore, the EDPB considers that the arguments put forward by the SE SA do not meet the threshold to demonstrate the intentionality of the behaviour of Meta IE. Accordingly, the EDPB is of the view that the Draft Decision does not need to include this element.<br />
<br />
429. At the same time, the EDPB notes that, even establishing that the infringement was committed negligently, a company for whom the processing of personal data is at the core of its business activities should have in place sufficient procedures for ensuring compliance with the GDPR 810.<br />
<br />
430. The EDPB does not accept Meta IE’s claim of “good faith”, but is of the view that Meta IE was certainly seriously negligent in not taking adequate action, within a reasonable time period, following the adoption of the EDPB Guidelines 2/2019 on Article 6(1)(b) GDPR on 9 April 2019. Even before that date, the EDPB considers there was at the very least negligence on Meta IE’s part considering the contents of WP29 Opinion 02/2010 on online behavioural advertising and WP29 Opinion 06/2014 on the notion of legitimate interests (see paragraph 421 of this Binding Decision), which means Meta IE had (or should have had) knowledge about the infringement of Article 6(1)(b) GDPR, given the fact that processing of personal data is at the core of its business practices, and the resources available to Meta IE to adapt its practices so as to comply with data protection legislation.<br />
<br />
807 Judgement of the Court of Justice of 3 June 2008, The Queen, on the application of International Association of Independent Tanker Owners (Intertanko) and Others v. Secretary of State for Transport, C-308/06, ECLI:EU:C:2008:312, paragraph 77.<br />
808 EDPB Binding Decision 1/2020, adopted on 9 November 2020, paragraph 195.<br />
809 SE SA Objection, p. 4.<br />
810 See EDPB Binding Decision 1/2020, paragraph 195.<br />
<br />
<br />
The degree of responsibility of the controller taking into account technical and organisational measures implemented pursuant to Articles 25 and 32 (Article 83(2)(d) GDPR)<br />
<br />
431. The EDPB considers the degree of responsibility on Meta IE’s part to be of a high level, on the same grounds as set in the Draft Decision with regards to the transparency infringements 811.<br />
<br />
The financial benefit obtained from the infringement (Article 83(2)(k) GDPR)<br />
<br />
432. The SE SA argues Meta IE gained financial benefits from their decision to rely on contract as legal basis for behavioural advertising, rather than obtaining consent from the users of Instagram 812. While not providing an estimate of its size, the SE SA considers the existence of financial benefit sufficiently proven on the basis of “the self-evident fact that Meta Ireland has made significant financial gain from being able to provide personal advertisement as part of a whole take it or leave it offer for its social media platform service, as opposed to establishing a separate legal basis for it. By also being unclear in the information to data subjects, it is a reasonable assumption that more data subjects have been misled into being subject to the processing, thus increasing the financial benefits gained by Meta Ireland pursuant to personal advertisement” 813.<br />
<br />
433. As explicitly stated in Article 83(2)(k) GDPR, financial benefits gained directly or indirectly from the infringement can be considered an aggravating element for the calculation of the fine. The aim of Article 83(2)(k) GDPR is to ensure that the sanction applied is effective, proportionate and dissuasive in each individual case 814.<br />
<br />
434. In particular, in view of ensuring fines that are effective, proportionate and deterrent, and in light of common accepted practice in the field of EU competition law 815, which inspired the fining framework under the GDPR, the EDPB is of the view that, when calculating the administrative fine, supervisory authorities could take account of the financial benefits obtained from the infringement, in order to impose a fine that aims at “counterbalancing the gains from the infringement” 816.<br />
<br />
435. When applying this provision, the supervisory authorities must “assess all the facts of the case in a manner that is consistent and objectively justified” 817. Therefore, financial benefits from the infringement could be an aggravating circumstance if the case provides information about profit obtained as a result of the infringement of the GDPR 818.<br />
<br />
436. In the present case, the EDPB considers that it does not have sufficiently precise information to evaluate the specific weight of the financial benefit obtained from the infringement.<br />
<br />
811 Draft Decision, paragraph 240. In this respect, the EDPB notes that the high degree of responsibility of Meta IE for the non-compliance with the GDPR was considered as an aggravating factor by the LSA for the calculation of the fine.<br />
812 SE SA Objection, p. 4.<br />
813 SE SA Objection p. 4.<br />
814 EDPB Guidelines on calculation of fines, paragraph 107.<br />
815 See the CJEU rulings cited in EDPB Binding Decision 2/2022, paragraph 219.<br />
816 EDPB Guidelines on calculation of fines, examples 7c and 7d.<br />
817 EDPB Guidelines on Administrative Fines, p. 6 (emphasis added), quoted in Binding Decision 1/2021, paragraph 403.<br />
818 EDPB Guidelines on calculation of fines, paragraph 110.<br />
<br />
<br />
437. Nonetheless, the EDPB acknowledges the need to prevent that the fines have little to no effect if they are disproportionally low compared to the benefits obtained with the infringement. The EDPB considers that the IE SA should ascertain if an estimation of the financial benefit from the infringement is possible in this case. Insofar as this results in the need to increase the amount of the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.<br />
<br />
Competitive advantage - other factor (Article 83(2)(k) GDPR)<br />
<br />
438. The NO SA identifies an aggravating factor in that “the unlawful processing of personal data in all likelihood has contributed to the development of algorithms which may be harmful on an individual or societal level, and which may have considerable commercial value to [Meta IE]. The algorithms may have contributed to giving [Meta IE] a competitive advantage vis-à-vis its competitors” 819.<br />
<br />
439. On principle, the EDPB agrees that a competitive advantage could be an aggravating factor if the case provides objective information that this was obtained as a result of the infringement of the GDPR 820. In the present case, the EDPB considers that it does not have sufficiently precise information to evaluate the existence of a competitive advantage resulting from the infringement. The EDPB considers that the IE SA should ascertain if an estimation of the competitive advantage derived from the infringement is possible in this case. Insofar as this results in the need to increase the amount of the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.<br />
<br />
***<br />
<br />
440. Taking into account the nature and gravity of the infringement as well as other aspects in accordance with Article 83(2) GDPR, the EDPB considers that the IE SA must exercise its power to impose an additional administrative fine. Also, covering this additional infringement with a fine would be in line with the IE SA’s (proposed) decision to impose administrative fines in this case for the transparency infringements relating to processing carried out in reliance on Article 6(1)(b) GDPR 821. The EDPB underlines that, in order to be effective, proportionate and dissuasive, a fine should reflect the circumstances of the case. Such circumstances not only refer to the specific elements of the infringement, but also those of the controller or processor who committed the infringement, namely its financial position.<br />
<br />
9.2.4.2.2 Assessment of whether an administrative fine should be imposed for the infringement of the fairness principle under Article 5(1)(a) GDPR<br />
<br />
441. The EDPB recalls its conclusion in this Binding Decision on the infringement by Meta IE of the fairness principle under Article 5(1)(a) GDPR 822 and that the objection raised by the IT SA, which was found to be relevant and reasoned, requested the IE SA to exercise its power to impose an administrative fine 823.<br />
<br />
819 NO SA Objection, p. 11.<br />
820 EDPB Guidelines on calculation of fines, paragraph 109. See also paragraph 433 of this Binding Decision.<br />
821 Draft Decision, paragraphs 253-258.<br />
822 Section 4.4.2 of this Binding Decision.<br />
<br />
<br />
442. The EDPBtakesnote of MetaIE’sviewsthat it would not be appropriatefor the EDPBtoinstruct the<br />
<br />
LSA to take corrective measures in relation to the additional infringement of the fairness principle<br />
under Article5(1)(a)GDPRconsidering thatthisissue does not fallwithinthescope ofthe Inquiry.The<br />
824<br />
EDPBresponds tothese argumentsabove inSection6.4.2 .<br />
<br />
443. The EDPB recallsthat the decision to impose an administrative fine needs tobe takenon a case-by-<br />
825<br />
case basis in light of the circumstances andis not an automatic one . Inthe same vein, the EDPB’s<br />
assessment ofMetaIE’scompliance withthe principle of fairnessis carriedout bytakinginto account<br />
<br />
the specificities of the case, ofthe particular social networking service at handand of the processing<br />
of personaldatacarriedout,namelyfor thepurpose of online behaviouraladvertising 826.<br />
<br />
<br />
444. As previously established, the principle of fairness under Article 5(1)(a) GDPR, althoughintrinsically<br />
linked tothe principles oflawfulness andtransparencyunder thesame provision, hasanindependent<br />
827<br />
meaning . It underpins the whole data protection framework and plays a key role for securing a<br />
balance ofpower in thecontroller-data subject relationship 828.<br />
<br />
<br />
445. Considering the EDPB’s findings in Section 6.4.2 that Meta IE has not complied with key requirements<br />
of the principle of fairness as defined by the EDPB, namely allowing for autonomy of the data subjects<br />
as to the processing of their personal data, fulfilling data subjects’ reasonable expectation, ensuring<br />
power balance, avoiding deception and ensuring ethical and truthful processing, as well as the overall<br />
effect of the infringement by Meta IE of the transparency obligations and of Article 6(1) GDPR, the<br />
EDPB reiterates its view that Meta IE has infringed the principle of fairness under Article 5(1)(a) GDPR<br />
and agrees with the IT SA that this infringement should be adequately taken into account by the IE SA<br />
in the calculation of the amount of the administrative fine to be imposed following the conclusion of<br />
this inquiry.<br />
<br />
<br />
446. Therefore, the EDPB instructs the IE SA to take into account the infringement by Meta IE of the fairness<br />
principle enshrined in Article 5(1)(a) GDPR as established above when re-assessing the administrative<br />
fines for the transparency infringements and the determination of the fine for the lack of legal basis.<br />
If, however, the IE SA considers an additional fine for the breach of the principle of fairness is an<br />
appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any<br />
case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensuring it<br />
is effective, proportionate and dissuasive in line with Article 83(1) GDPR.<br />
<br />
823 Paragraphs 399-404 of this Binding Decision.<br />
824 Meta IE Article 65 Submissions, paragraph 8.15.<br />
825 See above paragraph 410.<br />
826 See above section 6.4.2.<br />
827 See above section 6.4.2.<br />
828 See above section 6.4.2, paragraph 224.<br />
<br />
10 BINDING DECISION<br />
<br />
447. In light of the above, and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue<br />
binding decisions pursuant to Article 65 GDPR, the EDPB issues the following Binding Decision in<br />
accordance with Article 65(1)(a) GDPR.<br />
<br />
448. The EDPB addresses this Binding Decision to the LSA in this case (the IE SA) and to all the CSAs, in<br />
accordance with Article 65(2) GDPR.<br />
<br />
On the objections concerning whether the LSA should have found an infringement for lack of<br />
appropriate legal basis<br />
<br />
449. The EDPB decides that the objections of the AT, DE, ES, FI, FR, HU, NL, NO, and SE SAs regarding Meta<br />
IE’s reliance on Article 6(1)(b) GDPR in the context of its offering of the Instagram Terms of Use meet<br />
the requirements of Article 4(24) GDPR.<br />
<br />
450. On the parts of the DE SAs’ objection requesting the finding of an infringement of Article 5(1)(a) GDPR,<br />
and the parts of the DE and NO SAs objections requesting specific corrective measures under Article<br />
58 GDPR for the infringement of Article 6(1) or 6(1)(b) GDPR, namely the imposition of an<br />
administrative fine, a ban of the processing of personal data for the purpose of behavioural<br />
advertising, an order to delete personal data processed under Article 6(1)(b) GDPR, and an order to<br />
identify a valid legal basis for future behavioural advertising or to abstain from such processing<br />
activities, the EDPB decides that these parts of their objections do not meet the threshold of Article<br />
4(24) GDPR. Similarly, the part of the FI SA objection concerning the imposition of a specific corrective<br />
measures, namely an administrative fine is not reasoned and does not meet the threshold of Article<br />
4(24) GDPR.<br />
<br />
451. The EDPB instructs the IE SA to alter its Finding 2 of its Draft Decision, which concludes that Meta IE<br />
may rely on Article 6(1)(b) GDPR in the context of its offering of Instagram Terms of Use, and to include<br />
an infringement of Article 6(1) GDPR, based on the shortcomings that the EDPB has identified in this<br />
Binding Decision.<br />
<br />
<br />
On the objections concerning whether the LSA’s Draft Decision includes sufficient analysis and evidence<br />
to conclude that Meta IE is not obliged to rely on consent to process the Complainant’s personal data<br />
<br />
452. The EDPB decides that the objections of the AT, DE, FI, FR, and NL SAs regarding the LSA’s Finding 1<br />
that Meta IE is not legally obliged to rely on consent to process personal data to deliver the Instagram<br />
Terms of Use meet the requirements of Article 4(24) GDPR.<br />
<br />
453. On the part of the NL SA objection asking the IE SA to include in its Draft Decision the elements<br />
concerning the need to rely on consent for the placing of tracking technology on end users devices<br />
under ePrivacy legislation, the EDPB decides that this part falls outside the scope of the EDPB’s<br />
mandate. The objection raised by the ES SA regarding the potential infringement of Article 9 GDPR is<br />
not sufficiently reasoned and, therefore, the EDPB decides that the objection of the ES SA does not<br />
meet the threshold provided for by Article 4(24) GDPR.<br />
<br />
454. The EDPB instructs the IE SA to remove from its Draft Decision its conclusion on Finding 1. The EDPB<br />
decides that the IE SA shall carry out a new investigation into Meta IE’s processing operations in its<br />
Instagram service to determine if it processes special categories of personal data (Article 9 GDPR), and<br />
complies with the relevant obligations under the GDPR to the extent that the investigation<br />
complements the findings made in the IE SA’s Final Decision adopted on the basis of this Binding<br />
Decision; and, based on the results of this investigation, issue a new draft decision in accordance with<br />
Article 60(3) GDPR.<br />
<br />
<br />
On the objection concerning the potential additional infringement of the principle of fairness<br />
<br />
455. The EDPB decides that the objection of the IT SA regarding the infringement by Meta IE of the principle<br />
of fairness under Article 5(1)(a) GDPR, meets the requirements of Article 4(24) GDPR.<br />
<br />
456. The EDPB instructs the IE SA to find in its final decision an additional infringement of the principle of<br />
fairness under Article 5(1)(a) GDPR by Meta IE.<br />
<br />
On the objection concerning the potential additional infringement of the principles of purpose<br />
limitation and data minimisation<br />
<br />
457. On the objection by the IT SA concerning the possible additional infringements of the principles of<br />
purpose limitation and data minimisation under Article 5(1)(b) and (c) GDPR, the EDPB decides this<br />
objection does not meet the requirements of Article 4(24) GDPR.<br />
<br />
On the objections concerning corrective measures other than administrative fines<br />
<br />
458. The EDPB decides that the objections of the AT and NL SAs requesting additional and/or alternative<br />
specific corrective measures to be imposed meet the requirements of Article 4(24) GDPR.<br />
<br />
459. The EDPB instructs the IE SA to include in its final decision an order for Meta IE to bring its processing<br />
of personal data for the purposes of behavioural advertising in the context of the Instagram service<br />
into compliance with Article 6(1) GDPR within three months.<br />
<br />
460. The EDPB also instructs the LSA to adjust its order to Meta IE to bring Instagram Data Policy and Terms<br />
of Use into compliance with Article 5(1)(a), Article 12(1) and Article 13(1)(c) GDPR within three<br />
months, to refer not only to information provided on data processed pursuant to Article 6(1)(b) GDPR,<br />
but also to data processed for the purposes of behavioural advertising in the context of Instagram<br />
service (to reflect the finding of the EDPB that for this processing the controller cannot rely on Article<br />
6(1)(b) GDPR).<br />
<br />
On the objections concerning the determination of the administrative fine for the transparency<br />
infringements<br />
<br />
461. The EDPB decides that the objections of the DE, FR, IT, NL, and NO SAs regarding the determination of<br />
the administrative fine for the transparency infringements, meet the requirements of Article 4(24)<br />
GDPR.<br />
<br />
462. The EDPB considers that the Final Decision does not need to refer to the infringements by WhatsApp<br />
Ireland Limited, as established in Decision IN-18-12-2, as an aggravating factor under Article 83(2)(e)<br />
GDPR for the calculation of the fine.<br />
<br />
463. The EDPB instructs the IE SA to modify its Draft Decision to elaborate on the manner in which the<br />
turnover of the undertaking concerned has been taken into account for the calculation of the fine, as<br />
appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Article<br />
83(1) GDPR.<br />
<br />
464. The EDPB considers that the proposed fine does not adequately reflect the seriousness and severity<br />
of the infringements nor has a dissuasive effect on Meta IE. Therefore, the fine does not fulfil the<br />
requirement of being effective, proportionate and dissuasive in accordance with Article 83(1) and (2)<br />
GDPR. In light of this, the EDPB directs the IE SA to set out a significantly higher fine amount for the<br />
transparency infringements identified, in comparison with the upper limit for the administrative fine<br />
envisaged in the Draft Decision. In doing so, the IE SA must remain in line with the criteria of<br />
effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR in its overall<br />
reassessment of the amount of the administrative fine.<br />
<br />
<br />
On the objections concerning the imposition of an administrative fine for the lack of legal basis<br />
<br />
465. The EDPB decides that the objections of the AT, DE, FR, NO, and SE SAs regarding the imposition of an<br />
administrative fine for the infringement of Article 6(1) or Article 6(1)(b) GDPR meet the requirements<br />
of Article 4(24) GDPR.<br />
<br />
466. In relation to intentionality under Article 83(2)(b) GDPR, the EDPB considers that the arguments put<br />
forward by the SE SA in their objection do not contain sufficient objective elements to demonstrate<br />
the intentionality of the behaviour of Meta IE.<br />
<br />
467. Regarding the possible financial benefit obtained from the infringement as well as the competitive<br />
advantage (Article 83(2)(k) GDPR), the EDPB instructs the IE SA to ascertain if an estimation of the<br />
financial benefit from the infringement is possible in this case. Insofar as further estimation of the<br />
financial benefit from the infringement is possible in this case and results in the need to increase the<br />
amount of the fine proposed, the EDPB requests the IE SA to increase the amount of the fine proposed.<br />
<br />
468. The EDPB instructs the IE SA to cover the additional infringement of Article 6(1) GDPR with an<br />
administrative fine which is effective, proportionate and dissuasive in accordance with Article 83(1)<br />
GDPR. In determining the fine amount, the IE SA must give due regard to all the applicable factors<br />
listed in Article 83(2) GDPR, in particular the nature and gravity of the infringement, the number of<br />
data subjects affected and the seriously negligent character of the infringement.<br />
<br />
<br />
On the objection concerning the imposition of an administrative fine for the infringement of the<br />
fairness principle under Article 5(1)(a) GDPR<br />
<br />
469. The EDPB decides that the objection of the IT SA regarding the imposition of an administrative fine for<br />
the infringement of Article 5(1)(a) GDPR meets the requirements of Article 4(24) GDPR.<br />
<br />
470. The EDPB instructs the IE SA to factor the additional infringement of the principle of fairness enshrined<br />
in Article 5(1)(a) GDPR into its adoption of appropriate corrective measures. In this respect, the IE SA<br />
is instructed to take due account of this infringement when re-assessing the administrative fines for<br />
the transparency infringements and the determination of the fine for the lack of legal basis. If,<br />
however, the IE SA considers an additional fine for the breach of the principle of fairness is an<br />
appropriate corrective measure, the EDPB requests the IE SA to include this in its final decision. In any<br />
case, the IE SA must take into account the criteria provided for by Article 83(2) GDPR and ensuring it<br />
is effective, proportionate and dissuasive in line with Article 83(1) GDPR.<br />
<br />
On the objection concerning the imposition of an administrative fine for the infringement of Article<br />
5(1)(b) and (c) GDPR<br />
<br />
471. The EDPB decides that it does not need to examine the objection of the IT SA regarding the imposition<br />
of an administrative fine for the infringement of Article 5(1)(b) and Article 5(1)(c) GDPR.<br />
<br />
<br />
11 FINAL REMARKS<br />
<br />
<br />
472. This Binding Decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on<br />
the basis of this Binding Decision pursuant to Article 65(6) GDPR.<br />
<br />
473. Regarding the objections deemed not to meet the requirements stipulated by Article 4(24) GDPR, the<br />
EDPB does not take any position on the merit of any substantial issues raised therein. The EDPB<br />
reiterates that its current decision is without any prejudice to any assessments the EDPB may be called<br />
upon to make in other cases, including with the same parties, taking into account the contents of the<br />
relevant draft decision and the objections raised by the CSAs.<br />
<br />
474. According to Article 65(6) GDPR, the IE SA shall adopt its final decision on the basis of the Binding<br />
Decision without undue delay and at the latest by one month after the Board has notified its Binding<br />
Decision.<br />
<br />
475. The IE SA shall inform the Board of the date when its final decision is notified to the controller or the<br />
processor 829. This Binding Decision will be made public pursuant to Article 65(5) GDPR without delay<br />
after the IE SA has notified its final decision to the controller 830.<br />
<br />
476. The IE SA will communicate its final decision to the Board 831. Pursuant to Article 70(1)(y) GDPR, the IE<br />
SA’s final decision communicated to the EDPB will be included in the register of decisions which have<br />
been subject to the consistency mechanism.<br />
<br />
For the European Data Protection Board<br />
<br />
The Chair<br />
<br />
<br />
<br />
<br />
(Andrea Jelinek)<br />
<br />
829 Art. 65(6) GDPR.<br />
830 Art. 65(5) and (6) GDPR.<br />
831 Art. 60(7) GDPR.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Instagram)_-_IN-18-5-7&diff=30699
DPC (Ireland) - Meta Platforms Ireland Limited (Instagram) - IN-18-5-7
2023-01-25T13:41:27Z
<p>AK: /* English Summary */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Ireland<br />
|DPA-BG-Color=background-color:#013d35;<br />
|DPAlogo=LogoIE.png<br />
|DPA_Abbrevation=DPC<br />
|DPA_With_Country=DPC (Ireland)<br />
<br />
|Case_Number_Name=IN-18-5-7<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=noyb website<br />
|Original_Source_Link_1=https://noyb.eu/sites/default/files/2023-01/DPCDecision_Instagram.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=25.05.2018<br />
|Date_Decided=31.12.2022<br />
|Date_Published=11.01.2023<br />
|Year=2022<br />
|Fine=180,000,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 7 GDPR<br />
|GDPR_Article_Link_4=Article 7 GDPR<br />
|GDPR_Article_5=Article 9 GDPR<br />
|GDPR_Article_Link_5=Article 9 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
|GDPR_Article_9=Article 24 GDPR<br />
|GDPR_Article_Link_9=Article 24 GDPR<br />
|GDPR_Article_10=Article 56 GDPR<br />
|GDPR_Article_Link_10=Article 56 GDPR<br />
|GDPR_Article_11=Article 58 GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR<br />
|GDPR_Article_12=Article 60 GDPR<br />
|GDPR_Article_Link_12=Article 60 GDPR<br />
|GDPR_Article_13=Article 65 GDPR<br />
|GDPR_Article_Link_13=Article 65 GDPR<br />
|GDPR_Article_14=Article 77 GDPR<br />
|GDPR_Article_Link_14=Article 77 GDPR<br />
|GDPR_Article_15=Article 79 GDPR<br />
|GDPR_Article_Link_15=Article 79 GDPR<br />
|GDPR_Article_16=Article 83 GDPR<br />
|GDPR_Article_Link_16=Article 83 GDPR<br />
|GDPR_Article_17=<br />
|GDPR_Article_Link_17=<br />
|GDPR_Article_18=<br />
|GDPR_Article_Link_18=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Belgian Instagram user (represented by noyb - European Centre for Digital Rights)<br />
|Party_Link_1=https://noyb.eu/en<br />
|Party_Name_2=Meta Platforms Ireland Limited<br />
|Party_Link_2=https://about.meta.com/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=LR<br />
|<br />
}}<br />
<br />
Following a complaint filed by a Belgian Instagram user, the Irish DPA found Meta IE’s processing of personal data for behavioural advertising to be unlawful, and fined the company €180 million.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a user was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).<br />
<br />
Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. [[Article 6 GDPR#1|Article 6(1) GDPR]] details the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.<br />
<br />
A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (DSB), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.<br />
<br />
Firstly, there existed a clear imbalance of power between controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives. <br />
<br />
Secondly, the use of the Instagram service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. [[Article 7 GDPR#4|Article 7(4) GDPR]], which defines the conditions for consent, specifically states that “''utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract''”. As such, the “consent” upon which the controller seeks to rely is invalid.<br />
<br />
Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.<br />
<br />
Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.<br />
<br />
The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under Article 56 GDPR, and in accordance with the procedure outlined in [[Article 60 GDPR]].<br />
<br />
In response to the complaint Meta IE submitted, among other points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. The company stated that it “''does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use''” (Para 41).<br />
<br />
On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with [[Article 60 GDPR#3|Article 60(3) GDPR]]. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with [[Article 60 GDPR#4|Article 60(4) GDPR]], to the Draft Decision. On 11 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.<br />
<br />
=== Holding ===<br />
In the Final Decision, the DPC identified four issues which had to be addressed (three issues the DPC intended to address and an additional issue on which the EDPB directed the DPC to make a finding).<br />
<br />
<br />
<u>Issue 1 – Whether clicking on the “Agree to Terms” button constitutes or must be considered consent for the purposes of the GDPR and, if so, whether it is valid consent for the purposes of the GDPR</u><br />
<br />
The DPC identified the first issue as consisting of two parts: “''first, whether clicking the ‘Agree to Terms’ button actually constitutes consent for the purposes of the GDPR and, second, whether the act of clicking ‘Agree to Terms’ necessarily must be considered consent for such purposes''” (34).<br />
<br />
On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “''as a matter of fact, Meta Ireland did not – and did not seek – to rely on consent as the legal basis for all processing''” (46).<br />
<br />
Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing of personal data in this context. The DPC emphasized that there is no hierarchy of legal bases for the processing of personal data under the GDPR, any implication otherwise would be “''inherently problematic''”, and “[no] ''one ground has normative priority over the others''” (51). <br />
<br />
However, in its binding decision the EDPB instructed the DPC to remove its conclusion on finding 1 (EDPB - 203), stating as follows:<blockquote>“''The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under [[Article 6 GDPR]] if it is appropriate for the processing at stake''” (EDPB - 107).<br />
<br />
“[The DPC] ''cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve''” (EDPB - 202).</blockquote>Accordingly, the DPC made no finding on the matters encompassed by their assessment of issue 1.<br />
<br />
<br />
<u>Issue 2 – Whether Meta Ireland could rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for processing of personal data in the context of the Terms of Use and/or Data Policy</u><br />
<br />
The second issue concerned whether Meta IE could rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller had to demonstrate that such “''processing is necessary for the performance of a contract to which the data subject is a party''”.<br />
<br />
Taking into account the complainant’s submissions, the EDPB guidelines and the framing of Article 6(1)(b), the DPC acknowledged that “''consideration of the meaning of the term ‘contract’ within a data protection context is required''”. However, the DPC also asserted that an assessment of the terms “''necessary''” and “''performance''” is also required, and they ''“do not have competence to consider substantive issues of contract law, and, accordingly'' [their] ''analysis is limited to the specific contract entered into by the named data subject and Meta Ireland in respect of the Instagram service''” (87). The DPC took a broad approach in determining what is necessary for the performance of a contract based on what is “''reflected in the terms of the precise contract between those parties''” (95). The DPC explained that, in their view, “''the core of the service offered is premised on the delivery of personalised advertising''” (106) and proposed to conclude that “''Meta Ireland may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising''” (116).<br />
<br />
When issuing its Binding Decision, the EDPB emphasised "''the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Instagram service''" (EDPB - 99). With regard to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:<blockquote>"''The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model''” (EDPB - 108).<br />
<br />
"''The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR… the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not''" (EDPB - 112).<br />
<br />
"''...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR''" (EDPB - 119).</blockquote>Turning to the facts of the case, the EDPB outlined a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Instagram. Firstly, "''Meta IE promotes... the perception that the main purpose of the Instagram service serves and for which it processes its users' data is to enable them to share content and communicate with others''" (EDPB - 120). The EDPB also takes into account Article 21(2) and (3) GDPR, "''the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes''". Because this right exists, "''the processing cannot be necessary to perform a contract'' [as the] ''subject has the possibility to opt out from it at any time, and without providing any reason''" (EDPB - 125).<br />
<br />
The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Meta IE can process personal data on the basis of Article 6(1)(b):<blockquote>“''...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject''" (EDPB - 134).<br />
<br />
"''As a result, owing to the number of users of the Instagram service, the market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the Complainant and the millions of users of Instagram service in the EEA and affect the protection of the hundreds of millions of people covered by the GDPR''" (EDPB - 135).</blockquote>In light of all of the above, the EDPB directed the following:<blockquote>“''...behavioural advertising performed by Meta in the context of the Instagram service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Instagram service and is not an essential or core element of it''" (EDPB - 136).<br />
<br />
"''Meta has inappropriately relied on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the complainant's personal data in the context of the Instagram Terms of Use and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Use for the purpose of behavioural advertising. Meta IE has consequently infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by unlawfully processing personal data''” (EDPB - 137).</blockquote>Accordingly, under instruction from the EDPB, the DPC altered “''Finding 2''” of its Draft Decision, finding that “''Meta Ireland was not entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the Complainant’s personal data for the purpose of behavioural advertising in the context of the Instagram Terms of Use''”.<br />
<br />
<br />
<u>Issue 3 – Whether Meta Ireland provided the requisite information on the legal basis for processing on foot of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] and whether it did so in a transparent manner</u><br />
<br />
On the issue of transparency, [[Article 13 GDPR#1|Article 13(1) GDPR]] outlines the information the controller must provide to a data subject at the time when personal data are obtained and [[Article 12 GDPR#1|Article 12(1) GDPR]] details the manner in which this data must be provided.<br />
<br />
Describing the information provided by Meta IE to Instagram users, the DPC stated:<blockquote>“''Meta Ireland has not provided meaningful information as to the processing operation(s) and/or set(s) of operations that occur in the context of the Instagram service, either on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] or any other legal basis. Indeed, I would go so far as to say that it is impossible for the user to identify with any degree of specificity what processing is carried out on what data, on foot of the specified lawful bases, in order to fulfil these objectives… Indeed, it could be said that there is a significant deficit of information made available to data subjects''” (188).<br />
<br />
“''Taking into account the circular, disjointed nature of the information provided by Meta Ireland and the generalised, high-level overview it provided, I am not satisfied that the information was clear and concise''” (190).</blockquote>The DPC also describes the “''significant link''” (194) between the principle of transparency and the principle of fairness in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], and finds that, with regard to the issue of transparency, it is appropriate to make a finding of an infringement of the Article 5(1)(a) principle (197).<br />
<br />
In light of the above, the DPC found that “''In relation to processing for which Meta Ireland indicated reliance upon [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], Articles 5(1)(a), 12(1) and 13(1)(c) have been infringed''”.<br />
<br />
<br />
<u>Issue 4 (Additional Issue) – Whether Meta Ireland Infringed the Article 5(1)(a) Principle of Fairness</u><br />
<br />
During the course of the [[Article 60 GDPR]] consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] principle of fairness. The DPC decided not to follow the objection, as the “''principle of fairness was not examined during the course of this inquiry and, consequently, Meta Ireland was not afforded the opportunity to be heard in response to a particularised area of wrongdoing''” (200). The matter was referred to the EDPB, who determined as follows:<blockquote>"''the principle of fairness has an independent meaning and… an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too''" (EDPB - 224).<br />
<br />
"''the concept of fairness stems from the EU Charter of Fundamental Rights''" (EDPB - 225).<br />
<br />
“''Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject…'' [it] ''underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights''” (EDPB - 225, 226).<br />
<br />
“''The combination of factors, such as the asymmetry of the information created by Meta IE with regard to the Instagram service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages the Instagram service users, limits their control over the processing of their personal data and undermines the exercise of their rights''” (EDPB - 234).</blockquote>Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to adopt the “''appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement''” (EDPB - 235).<br />
<br />
As directed by the EDPB, the DPC found that “''Meta Ireland has infringed the principle of fairness pursuant to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]''”.<br />
<br />
<br />
<u>Summary of Envisaged Action</u><br />
<br />
The DPC made an order pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], requiring Meta IE to bring its processing into compliance with its transparency obligations under Articles 5(1)(a), 12(1) and 13(1)(c) GDPR within 3 months of the date of notification of any final decision. The order also requires Meta IE to address the EDPB’s finding that it is not entitled to carry out data processing on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], and to bring its processing into compliance with [[Article 6 GDPR#1|Article 6(1) GDPR]].<br />
<br />
Furthermore, pursuant to Articles 58(2)(i) and 83 GDPR, and under the direction of the EDPB, the DPC imposed an administrative fine in the amount of €180 million. This fine is made up of a €70 million fine for failing to provide sufficient information on processing operations (Articles 5(1)(a) and 13(1)(c) GDPR); a €60 million fine for failing to provide this information in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Articles 5(1)(a) and 12(1) GDPR); and a €50 million fine for the unlawful processing of personal data (Article 6(1) GDPR).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=DPC_(Ireland)_-_Meta_Platforms_Ireland_Limited_(Instagram)_-_IN-18-5-7&diff=30698
DPC (Ireland) - Meta Platforms Ireland Limited (Instagram) - IN-18-5-7
2023-01-25T13:32:04Z
<p>AK: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Ireland<br />
|DPA-BG-Color=background-color:#013d35;<br />
|DPAlogo=LogoIE.png<br />
|DPA_Abbrevation=DPC<br />
|DPA_With_Country=DPC (Ireland)<br />
<br />
|Case_Number_Name=IN-18-5-7<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=noyb website<br />
|Original_Source_Link_1=https://noyb.eu/sites/default/files/2023-01/DPCDecision_Instagram.pdf<br />
|Original_Source_Language_1=English<br />
|Original_Source_Language__Code_1=EN<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=25.05.2018<br />
|Date_Decided=31.12.2022<br />
|Date_Published=11.01.2023<br />
|Year=2022<br />
|Fine=180,000,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5 GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR<br />
|GDPR_Article_3=Article 6 GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR<br />
|GDPR_Article_4=Article 7 GDPR<br />
|GDPR_Article_Link_4=Article 7 GDPR<br />
|GDPR_Article_5=Article 9 GDPR<br />
|GDPR_Article_Link_5=Article 9 GDPR<br />
|GDPR_Article_6=Article 12 GDPR<br />
|GDPR_Article_Link_6=Article 12 GDPR<br />
|GDPR_Article_7=Article 13 GDPR<br />
|GDPR_Article_Link_7=Article 13 GDPR<br />
|GDPR_Article_8=Article 21 GDPR<br />
|GDPR_Article_Link_8=Article 21 GDPR<br />
|GDPR_Article_9=Article 24 GDPR<br />
|GDPR_Article_Link_9=Article 24 GDPR<br />
|GDPR_Article_10=Article 56 GDPR<br />
|GDPR_Article_Link_10=Article 56 GDPR<br />
|GDPR_Article_11=Article 58 GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR<br />
|GDPR_Article_12=Article 60 GDPR<br />
|GDPR_Article_Link_12=Article 60 GDPR<br />
|GDPR_Article_13=Article 65 GDPR<br />
|GDPR_Article_Link_13=Article 65 GDPR<br />
|GDPR_Article_14=Article 77 GDPR<br />
|GDPR_Article_Link_14=Article 77 GDPR<br />
|GDPR_Article_15=Article 79 GDPR<br />
|GDPR_Article_Link_15=Article 79 GDPR<br />
|GDPR_Article_16=Article 83 GDPR<br />
|GDPR_Article_Link_16=Article 83 GDPR<br />
|GDPR_Article_17=<br />
|GDPR_Article_Link_17=<br />
|GDPR_Article_18=<br />
|GDPR_Article_Link_18=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Belgian Instagram user (represented by noyb - European Centre for Digital Rights)<br />
|Party_Link_1=https://noyb.eu/en<br />
|Party_Name_2=Meta Platforms Ireland Limited<br />
|Party_Link_2=https://about.meta.com/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=LR<br />
|<br />
}}<br />
<br />
Following a complaint filed by a Belgian Instagram user, the Irish DPA found Meta IE’s processing of personal data for behavioural advertising to be unlawful, and fined the company €180 million.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In order to access Instagram, an online social network service operated in the EU by “Meta IE”, a prospective user had to create an Instagram account and was required to provide certain information and accept a series of terms and conditions (the “Terms of Use”).<br />
<br />
Under the GDPR, Instagram was obliged to have a lawful basis for the processing of personal data of its users. [[Article 6 GDPR#1|Article 6(1) GDPR]] details the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Instagram platform, all users were required to accept the updated Terms of Use prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Instagram account.<br />
<br />
A Belgian Instagram user, the “data subject” and “complainant”, filed a complaint against Meta IE, the controller. The complainant was represented by “''noyb'' – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Meta IE’s data processing practices on the Instagram platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Belgian DPA (APD), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.<br />
<br />
Firstly, there existed a clear imbalance of power between controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleges that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives. <br />
<br />
Secondly, the use of the Instagram service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. [[Article 7 GDPR#4|Article 7(4) GDPR]], which defines the conditions for consent, specifically states that “''utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract''”. As such, the “consent” upon which the controller seeks to rely is invalid.<br />
<br />
Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.<br />
<br />
Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.<br />
<br />
The Belgian DPA (APD) referred the case to the Irish DPA (DPC) under [[Article 56 GDPR]], and in accordance with the procedure outlined in [[Article 60 GDPR]].<br />
<br />
In response to the complaint Meta IE submitted, among other points, that agreeing to the Terms of Use amounts to a contractual agreement and is not an act of consent for the purposes of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]]. The company stated that it “''does not in any way seek to ‘infer’ consent from a user to process personal data based on their agreement to the Terms of Use''” (Para 41).<br />
<br />
On 1 April 2022, the DPC shared its Draft Decision with the other Data Protection Authorities (DPAs) in accordance with [[Article 60 GDPR#3|Article 60(3) GDPR]]. Ten DPAs (AT, DE, ES, FI, FR, HU, IT, NL, NO, SE) raised objections, in accordance with [[Article 60 GDPR#4|Article 60(4) GDPR]], to the Draft Decision. On 11 August 2022, the matter was referred to the European Data Protection Board (EDPB). The EDPB adopted a binding decision on 5 December 2022 and the DPC issued its Final Decision on 31 December 2022, published on 11 January 2023.<br />
<br />
=== Holding ===<br />
In the Final Decision, the DPC identified four issues which had to be addressed (three issues the DPC intended to address and an additional issue on which the EDPB directed the DPC to make a finding).<br />
<br />
<br />
<u>Issue 1 – Whether clicking on the “Agree to Terms” button constitutes or must be considered consent for the purposes of the GDPR and, if so, whether it is valid consent for the purposes of the GDPR</u><br />
<br />
The DPC identified the first issue as consisting of two parts: “''first, whether clicking the ‘Agree to Terms’ button actually constitutes consent for the purposes of the GDPR and, second, whether the act of clicking ‘Agree to Terms’ necessarily must be considered consent for such purposes''” (34).<br />
<br />
On the first point, the DPC accepted Meta IE’s argument and proposed, by way of its Draft Decision, to conclude that “''as a matter of fact, Meta Ireland did not – and did not seek – to rely on consent as the legal basis for all processing''” (46).<br />
<br />
Regarding the second point, the DPC held that Meta IE was also not legally obliged to rely on consent as the legal basis for processing personal data in this context. The DPC emphasised that there is no hierarchy of legal bases for the processing of personal data under the GDPR, that any implication otherwise would be “''inherently problematic''”, and that “[no] ''one ground has normative priority over the others''” (51).<br />
<br />
However, in its binding decision the EDPB instructed the DPC to remove its conclusion on Finding 1 (EDPB - 203), stating as follows:<blockquote>“''The EDPB agrees with the IE SA and Meta IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Meta IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under [[Article 6 GDPR]] if it is appropriate for the processing at stake''” (EDPB - 107).<br />
<br />
“[The DPC] ''cannot categorically conclude… that Meta IE is not legally obliged to rely on consent to carry out the personal data processing… without further investigating its processing operations, the categories of data processed, and the purposes they serve''” (EDPB - 202).</blockquote>Accordingly, the DPC made no finding on the matters encompassed by its assessment of Issue 1.<br />
<br />
<br />
<u>Issue 2 – Whether Meta Ireland could rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for processing of personal data in the context of the Terms of Use and/or Data Policy</u><br />
<br />
The second issue concerned whether Meta IE could rely on Article 6(1)(b) GDPR as the lawful basis for processing of personal data. In order to do so, the controller had to demonstrate that such “''processing is necessary for the performance of a contract to which the data subject is a party''”.<br />
<br />
Taking into account the complainant’s submissions, the EDPB guidelines and the framing of Article 6(1)(b), the DPC acknowledged that “''consideration of the meaning of the term ‘contract’ within a data protection context is required''”. However, the DPC also asserted that an assessment of the terms “''necessary''” and “''performance''” is required, and that they “''do not have competence to consider substantive issues of contract law, and, accordingly'' [their] ''analysis is limited to the specific contract entered into by the named data subject and Meta Ireland in respect of the Instagram service''” (87). The DPC took a broad approach in determining what is necessary for the performance of a contract, based on what is “''reflected in the terms of the precise contract between those parties''” (95). The DPC explained that, in its view, “''the core of the service offered is premised on the delivery of personalised advertising''” (106) and proposed to conclude that “''Meta Ireland may in principle rely on Article 6(1)(b) as a legal basis of the processing of users’ data necessary for the provision of the Instagram service, including through the provision of behavioural advertising''” (116).<br />
<br />
When issuing its Binding Decision, the EDPB emphasised “''the complexity, massive scale and intrusiveness of the behavioural advertising practice that Meta IE conducts through the Instagram service''” (EDPB - 99). With regard to [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:<blockquote>“''The GDPR makes Meta IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Meta IE and its business model''” (EDPB - 108).<br />
<br />
"''The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR… the SAs would thus be obliged to always consider a contract valid, even in situations where it is manifestly evident it is not''" (EDPB - 112).<br />
<br />
"''...the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR''" (EDPB - 119).</blockquote>Turning to the facts of the case, the EDPB outlined a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for personalised advertising is not essential to the contract between Meta IE and users of Instagram. Firstly, "''Meta IE promotes... the perception that the main purpose of the Instagram service serves and for which it processes its users' data is to enable them to share content and communicate with others''" (EDPB - 120). The EDPB also takes into account Article 21(2) and (3) GDPR, "''the absolute right available to data subjects... to object to the processing of their personal data for direct marketing purposes''". Because this right exists, "''the processing cannot be necessary to perform a contract'' [as the] ''subject has the possibility to opt out from it at any time, and without providing any reason''" (EDPB - 125).<br />
<br />
The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Meta IE can process personal data on the basis of Article 6(1)(b):<blockquote>“''...there is a risk that the Draft Decision’s failure to establish Meta IE's infringement of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], pursuant to the [DPC]'s interpretation of it, nullifies this provision and makes lawful theoretically any collection and reuse of personal data in connection with the performance of a contract with a data subject''” (EDPB - 134).<br />
<br />
“''As a result, owing to the number of users of the Instagram service, the market power, and influence of Meta IE and its economically attractive business model, the risks derived from the current findings of the Draft Decision could go beyond the Complainant and the millions of users of Instagram service in the EEA and affect the protection of the hundreds of millions of people covered by the GDPR''” (EDPB - 135).</blockquote>In light of all of the above, the EDPB directed the following:<blockquote>“''...behavioural advertising performed by Meta in the context of the Instagram service is objectively not necessary for the performance of Meta IE's alleged contract with data users for the Instagram service and is not an essential or core element of it''” (EDPB - 136).<br />
<br />
“''Meta has inappropriately relied on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the complainant's personal data in the context of the Instagram Terms of Use and therefore lacks a legal basis to process these data for the purpose of behavioural advertising. Meta IE has not relied on any other legal basis to process personal data in the context of the Instagram Terms of Use for the purpose of behavioural advertising. Meta IE has consequently infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by unlawfully processing personal data''” (EDPB - 137).</blockquote>Accordingly, under instruction from the EDPB, the DPC altered “''Finding 2''” of its Draft Decision, finding that “''Meta Ireland was not entitled to rely on [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] to process the Complainant’s personal data for the purpose of behavioural advertising in the context of the Instagram Terms of Use''”.<br />
<br />
<br />
<u>Issue 3 – Whether Meta Ireland provided the requisite information on the legal basis for processing on foot of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] and whether it did so in a transparent manner</u><br />
<br />
On the issue of transparency, [[Article 13 GDPR#1|Article 13(1) GDPR]] outlines the information the controller must provide to a data subject at the time when personal data are obtained and [[Article 12 GDPR#1|Article 12(1) GDPR]] details the manner in which this data must be provided.<br />
<br />
Describing the information provided by Meta IE to Instagram users, the DPC stated:<blockquote>“''Meta Ireland has not provided meaningful information as to the processing operation(s) and/or set(s) of operations that occur in the context of the Instagram service, either on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] or any other legal basis. Indeed, I would go so far as to say that it is impossible for the user to identify with any degree of specificity what processing is carried out on what data, on foot of the specified lawful bases, in order to fulfil these objectives… Indeed, it could be said that there is a significant deficit of information made available to data subjects''” (188).<br />
<br />
“''Taking into account the circular, disjointed nature of the information provided by Meta Ireland and the generalised, high-level overview it provided, I am not satisfied that the information was clear and concise''” (190).</blockquote>The DPC also describes the “''significant link''” (194) between the principle of transparency and the principle of fairness in [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], and finds that, with regard to the issue of transparency, it is appropriate to make a finding of an infringement of the Article 5(1)(a) principle (197).<br />
<br />
In light of the above, the DPC found that “''In relation to processing for which Meta Ireland indicated reliance upon [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], Articles 5(1)(a), 12(1) and 13(1)(c) have been infringed''”.<br />
<br />
<br />
<u>Issue 4 (Additional Issue) – Whether Meta Ireland Infringed the Article 5(1)(a) Principle of Fairness</u><br />
<br />
During the course of the [[Article 60 GDPR]] consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] principle of fairness. The DPC decided not to follow the objection, as the “''principle of fairness was not examined during the course of this inquiry and, consequently, Meta Ireland was not afforded the opportunity to be heard in response to a particularised area of wrongdoing''” (200). The matter was referred to the EDPB, who determined as follows:<blockquote>"''the principle of fairness has an independent meaning and… an assessment of Meta IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Meta IE’s compliance with the principle of fairness too''" (EDPB - 224).<br />
<br />
"''the concept of fairness stems from the EU Charter of Fundamental Rights''" (EDPB - 225).<br />
<br />
“''Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject…'' [it] ''underpins the entire data protection framework and seeks to address power asymmetries between the data controllers and the data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights''” (EDPB - 225, 226).<br />
<br />
“''The combination of factors, such as the asymmetry of the information created by Meta IE with regard to the Instagram service users, combined with the ‘take it or leave it’ situation that they are faced with… systematically disadvantages the Instagram service users, limits their control over the processing of their personal data and undermines the exercise of their rights''” (EDPB - 234).</blockquote>Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Meta IE, and to adopt the “''appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement''” (EDPB - 235).<br />
<br />
As directed by the EDPB, the DPC found that “''Meta Ireland has infringed the principle of fairness pursuant to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]''”.<br />
<br />
<br />
<u>Summary of Envisaged Action</u><br />
<br />
The DPC made an order pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], requiring Meta IE to bring its processing into compliance with its transparency obligations under Articles 5(1)(a), 12(1) and 13(1)(c) GDPR within 3 months of the date of notification of any final decision. The order also requires Meta IE to address the EDPB’s finding that it is not entitled to carry out data processing on the basis of [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]], and to bring its processing into compliance with [[Article 6 GDPR#1|Article 6(1) GDPR]].<br />
<br />
Furthermore, pursuant to Articles 58(2)(i) and 83 GDPR, and under the direction of the EDPB, the DPC imposed an administrative fine in the amount of €180 million. This fine is made up of a €70 million fine for failing to provide sufficient information on processing operations (Articles 5(1)(a) and 13(1)(c) GDPR); a €60 million fine for failing to provide this information in a concise, transparent, intelligible and easily accessible form, using clear and plain language (Articles 5(1)(a) and 12(1) GDPR); and a €50 million fine for the unlawful processing of personal data (Article 6(1) GDPR).<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the English original. Please refer to the English original for more details.<br />
<br />
<pre><br />
<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202898&diff=30470
AEPD (Spain) - EXP202202898
2023-01-18T15:17:17Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS/00286/2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00286-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=14.02.2022<br />
|Date_Decided=03.11.2022<br />
|Date_Published=29.12.2022<br />
|Year=2022<br />
|Fine=24,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The Spanish DPA fined an electricity and gas company €24,000 for processing its customer's personal data without a legal basis under [[Article 6 GDPR|Article 6(1) GDPR]], after an internal error led the controller to record the data subject as having agreed to a contract.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The electricity and gas company (controller) unlawfully billed a data subject in the absence of a valid contract.<br />
<br />
On 14 February 2022, the data subject filed a complaint with the Spanish DPA. The data subject provided several invoices and transaction records from his bank account relating to a contract that he had not agreed to. The data subject also showed that he had complained about this issue to the controller several times.<br />
<br />
On 18 April 2022, the controller acknowledged that an internal error had resulted in the unjustified contracting. The controller used a two-step system for concluding contracts over the phone. In the first step, data subjects were informed on the phone about the nature of the service provided by the controller. In the second step, once data subjects had accepted the conditions on the phone, the controller would send them a contract by SMS for signature, which constituted their consent. According to the controller, the data subject had accepted the conditions but did not sign the contract and therefore also did not consent to it. However, due to an internal synchronisation error on the controller's side, it appeared that the data subject had signed the contract by SMS and consented to it.<br />
<br />
=== Holding ===<br />
The DPA determined that the controller had violated [[Article 6 GDPR|Article 6(1) GDPR]] due to the lack of a legal basis for the processing. The DPA determined that the contract was fraudulent because the data subject's signature was missing; the processing by the controller was therefore carried out without a legitimate reason.<br />
<br />
The DPA originally fined the controller €30,000. That amount was reduced to €24,000 due to a voluntary payment by the controller.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/13<br />
<br />
File No.: EXP202202898<br />
<br />
<br />
<br />
RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT<br />
<br />
In the procedure conducted by the Spanish Data Protection Agency, and on the basis of<br />
the following<br />
BACKGROUND<br />
<br />
FIRST: On September 9, 2022, the Director of the Spanish Agency<br />
of Data Protection agreed to start a sanctioning procedure against SUPPLIER<br />
<br />
IBÉRICO DE ENERGÍA, S.L. (hereinafter the claimed party). Notified the agreement<br />
beginning and after analyzing the allegations presented, on November 3,<br />
In 2022, the resolution proposal that is transcribed below was issued:<br />
<br />
<<<br />
<br />
<br />
<br />
File No.: EXP202202898<br />
<br />
<br />
PROPOSED RESOLUTION OF SANCTION PROCEDURE<br />
<br />
<br />
In the procedure conducted by the Spanish Data Protection Agency, and on the basis of<br />
the following:<br />
<br />
BACKGROUND<br />
<br />
<br />
<br />
FIRST: D.A.A.A. (hereinafter, the claiming party) on February 14,<br />
2022 filed a claim with the Spanish Data Protection Agency. The<br />
claim is directed against SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. with NIF<br />
B67421867 (hereinafter, the claimed party or SIE). The reasons on which the<br />
claim is based are as follows:<br />
<br />
The claimant states that his electricity and gas supply company was changed<br />
without his consent.<br />
<br />
<br />
He provides invoices associated with the non-consented contract, charges made to his<br />
bank account and complaints filed with the claimed party.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5<br />
December, Protection of Personal Data and guarantee of digital rights (in<br />
<br />
forward LOPDGDD), said claim was transferred to the claimed party, for<br />
to proceed with its analysis and inform this Agency within a month of the<br />
actions carried out to adapt to the requirements established in the regulations of<br />
Data Protection.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/13<br />
<br />
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of<br />
October 1, of the Common Administrative Procedure of the Administrations<br />
<br />
Public (hereinafter, LPACAP), was collected on March 14, 2022 as<br />
It appears in the acknowledgment of receipt that is in the file.<br />
<br />
On April 18, 2022, this Agency received a written response<br />
indicating:<br />
<br />
<br />
<<According to the Complainant, during the call the salesperson pretended to work for a<br />
third company, with the aim of misleading him and hiring his services<br />
without knowing that he was changing electricity supplier.<br />
<br />
Notwithstanding the foregoing, it is necessary to indicate that the procedures for the<br />
<br />
formalization of the electricity supply contract in SIE require, of course,<br />
the verification and authentication of the manifestation of the client's willingness to proceed<br />
upon signing the contract. This implies that, when a service provider<br />
telemarketing formalizes a supply contract on behalf of SIE, it must provide the<br />
Recording of the sales process. In this way, SIE can verify that the contracting<br />
has been carried out properly.<br />
<br />
<br />
After reviewing the recordings of the phone call, we were able to<br />
verify that the commercial at no time said that he worked for the third<br />
company in question, but rather carried out the contracting process indicating to the<br />
Claimant that said contracting would be carried out with Más Energía, which is a<br />
<br />
brand that sells SIE.<br />
<br />
Regarding the origin of the personal data referred to by the Complainant,<br />
The following considerations should be made about the contracting process when<br />
This is done by a company that provides telemarketing services:<br />
<br />
<br />
- The telemarketing service provider transfers to SIE the personal data of<br />
stakeholders to whom SIE products and services will be offered. Later,<br />
The telemarketing service provider acts as the person in charge of the<br />
treatment of SIE to carry out the activities of offering its products and<br />
services and contracting of the corresponding products and services.<br />
<br />
<br />
- Notwithstanding the foregoing, the telemarketing service provider may only<br />
carry out commercial actions on those interested parties who have provided them with<br />
your consent for the transfer of your personal data to SIE for said purpose.<br />
<br />
<br />
Taking into account the above, from SIE it is not possible to determine where the<br />
telemarketing service provider the personal data of the Complainant, since<br />
that he obtained them as the person responsible for the independent treatment of SIE.<br />
<br />
However, at the time of signing the contract for the provision of services, said<br />
<br />
provider of telemarketing services acquired the commitment to assign only<br />
the personal data of those interested who have given their consent<br />
for said purpose.<br />
<br />
<br />
<br />
Additionally, the service provider undertook to inform the interested parties<br />
duly and in accordance with the regulations on data protection about<br />
of the transfer to SIE of your data.<br />
<br />
<br />
2. As a result of the receipt of the transfer of claim and request for information that<br />
motivates this writing, from SIE an internal investigation was initiated, in order to<br />
determine whether there had been any non-compliance with the regulations on<br />
of data protection in the organization during the contracting process with the<br />
claimant.<br />
<br />
<br />
However, this party acknowledges an error in the contract signing process, which<br />
caused unjustified hiring and, therefore, the issuance of invoices that<br />
did not correspond either: SIE has a contract signing process with two<br />
steps: A first step in which the conditions of the service are reported via<br />
<br />
telephone and that, if the client accepts said conditions by the same means,<br />
The contract is sent to you for your signature via SMS.<br />
<br />
In the case of this claim, the interested party accepted the conditions of the<br />
service by telephone and, despite not having signed the contract via SMS, it appeared<br />
as formalized in the SIE information systems due to an error in<br />
<br />
synchronization of these systems.<br />
<br />
4. SIE is the first party interested in having its services contracted<br />
always in accordance with current legislation.<br />
<br />
<br />
Therefore, and although in this case it has been possible to determine after the investigations<br />
made that their action has been in accordance with the data protection regulations<br />
personal, because incidents of a different nature have been detected in the<br />
contracting procedure for its services, SIE has adopted as a measure the<br />
total stoppage of the contracting procedure for its services since the past<br />
<br />
March 4, 2022 and until they are resolved>>.<br />
<br />
THIRD: In accordance with article 65 of Organic Law 3/2018, of 5<br />
December, Protection of Personal Data and guarantee of digital rights<br />
(LOPDGDD), when submitted to the Spanish Data Protection Agency<br />
(hereinafter, AEPD) a claim, it must evaluate its admissibility for processing,<br />
<br />
must notify the claimant of the decision on the admission or non-admission to<br />
procedure, within three months from the date the claim was entered into this<br />
Agency.<br />
<br />
If, after this period, said notification does not take place, it will be understood that<br />
<br />
the processing of the claim continues in accordance with the provisions of Title VIII of<br />
Law. Said provision is also applicable to the procedures that the<br />
AEPD would have to process in exercise of the powers that were attributed to it by<br />
other laws.<br />
<br />
<br />
In this case, taking into account the foregoing and that the claim is<br />
filed with this Agency, on February 14, 2022, it is communicated that your<br />
The claim has been admitted for processing on May 14, 2022, having elapsed<br />
three months from the time it entered the AEPD.<br />
<br />
<br />
FOURTH: On September 9, 2022, the Director of the Spanish Agency for<br />
Data Protection agreed to initiate disciplinary proceedings against the claimed party,<br />
<br />
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,<br />
of the Common Administrative Procedure of Public Administrations (in<br />
hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in<br />
Article 83.5 of the GDPR.<br />
<br />
FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in<br />
<br />
Law 39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (hereinafter, LPACAP), the claimed party submitted a written<br />
of allegations in which, in summary, he stated that: <<as we already explained in<br />
our response to the request for information sent to the AEPD, our<br />
procedure for contracting our services consists of a process of<br />
<br />
verification and authentication of the manifestation of the client's willingness to proceed<br />
to the formalization of the supply contract. This implies that, when the service provider<br />
telemarketing services formalizes a supply contract on behalf of SIE, the latter<br />
must provide the recording of the sale process, in this way, SIE can verify that<br />
recruitment has been carried out properly.<br />
<br />
<br />
Once we have reviewed the recording of the telephone call, we can affirm that: 1. The<br />
commercial at no time indicated that he worked for a third company. The<br />
indicates that the contract will be carried out with Más Luz Energía, a<br />
brand marketed by SIE.<br />
<br />
<br />
2. The interested party expresses his will during the call to hire both<br />
supplies (electricity and gas) with the SIE company through the Más Luz Energía brand.<br />
<br />
We attach as Annex I the transcript of the call where the interested party<br />
expresses its willingness to contract both supplies.<br />
<br />
<br />
This party explained that the contracting process for the services offered by SIE is<br />
is done by means of a double acceptance, a first acceptance occurs during the<br />
phone call and a second by sending an SMS to finish<br />
formalize the contract. Although in this specific case this second acceptance is not<br />
was carried out when the SMS was not sent to the interested party, to which they had to respond with a “YES”.<br />
<br />
<br />
This party understands that, although the formalization of the contract was not carried out through the<br />
sending of the corresponding SMS due to a human error not attributable to SIE, yes<br />
the claimant clearly stated his willingness to contract with SIE (as<br />
can be seen in the transcript of the call provided), and consequently the<br />
<br />
treatment carried out would fall within the expectation of the interested party.<br />
<br />
For this reason, as a result of the internal investigations into what happened in the process of<br />
contracting its services, SIE halted the contracting of its services with<br />
undefined character.<br />
<br />
<br />
For all of the foregoing, that the Proceedings File be filed by the<br />
AEPD>>.<br />
<br />
<br />
<br />
SIXTH: On October 3, 2022, the procedure instructor agreed<br />
perform the following tests:<br />
<br />
<br />
<<1. The claim filed by D.<br />
A.A.A. and its documentation, the documents obtained and generated during the phase<br />
admission to process the claim.<br />
<br />
2. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement<br />
initiation of the referenced sanctioning procedure, presented by<br />
<br />
SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., and the documentation that they<br />
accompanies>>.<br />
<br />
SEVENTH: A list of documents in the file is attached as an annex.<br />
process.<br />
<br />
<br />
Of the actions carried out in this procedure and of the documentation<br />
in the file, the following have been accredited:<br />
<br />
PROVEN FACTS<br />
<br />
<br />
FIRST: On February 14, 2022, it has entered the Spanish Agency for<br />
Data Protection a letter from the complaining party in which it states that it has been<br />
carried out a change of the electricity and gas supply company without your<br />
<br />
consent.<br />
<br />
He provides invoices associated with the non-consented contract, charges made to his<br />
bank account and complaints filed with the claimed party.<br />
<br />
<br />
SECOND: SIE acknowledges in its brief of April 18, 2022 and in the allegations to the<br />
present proceeding on September 30 of the same year, which at the time<br />
of the signing of the contract an error occurred which caused a contracting<br />
unjustified and, therefore, the issuance of invoices that did not correspond either.<br />
<br />
That SIE has a contract signing process with two steps: A first step<br />
<br />
in which the conditions of the service are informed by telephone and that, in the case<br />
If the client accepts said conditions in the same way, the contract is sent to him for<br />
your signature via SMS.<br />
<br />
THIRD: It is clear that, despite the claimant not having signed the contract via SMS, the contract<br />
appeared as formalized in the information systems of the claimed party.<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR), grants each<br />
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the<br />
Organic Law 3/2018, of December 5, Protection of Personal Data and<br />
<br />
<br />
guarantee of digital rights (hereinafter, LOPDGDD), is competent to<br />
initiate and resolve this procedure the Director of the Spanish Protection Agency<br />
of data.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
in Regulation (EU) 2016/679, in this organic law, by the provisions<br />
regulations dictated in its development and, insofar as they do not contradict them, with character<br />
subsidiary, by the general rules on administrative procedures."<br />
<br />
<br />
II<br />
<br />
In response to the allegations presented by the respondent entity, it should be noted<br />
the next:<br />
<br />
<br />
Article 6.1 of the GDPR establishes the assumptions that allow the use of<br />
processing of personal data.<br />
<br />
<br />
"1. Processing will only be lawful if it meets at least one of the following<br />
<br />
conditions:<br />
<br />
a) the interested party gave his consent for the processing of his personal data<br />
for one or more specific purposes;<br />
<br />
b) the treatment is necessary for the execution of a contract in which the interested party<br />
is part of or for the application at the request of the latter of pre-contractual measures;<br />
<br />
c) the processing is necessary for compliance with a legal obligation applicable to the<br />
<br />
responsible for the treatment;<br />
<br />
d) the processing is necessary to protect the vital interests of the data subject or of another<br />
Physical person.<br />
<br />
e) the treatment is necessary for the fulfillment of a mission carried out in the interest<br />
public or in the exercise of public powers conferred on the data controller;<br />
<br />
f) the treatment is necessary for the satisfaction of legitimate interests pursued<br />
by the person in charge of the treatment or by a third party, provided that on said<br />
<br />
interests do not outweigh the interests or fundamental rights and freedoms of the<br />
interested party that require the protection of personal data, in particular when the<br />
interested is a child.<br />
<br />
The provisions of letter f) of the first paragraph shall not apply to the treatment<br />
carried out by public authorities in the exercise of their functions.”<br />
<br />
On this question of the legality of the treatment, Recital 40 also affects<br />
<br />
of the aforementioned GDPR, when it provides that "For the treatment to be lawful, the<br />
Personal data must be processed with the consent of the interested party or on<br />
some other legitimate basis established in accordance with Law, either in the present<br />
Regulation or by virtue of another Law of the Union or of the Member States to which<br />
referred to in this Regulation, including the need to comply with the legal obligation<br />
<br />
<br />
applicable to the data controller or the need to perform a contract with<br />
to which the interested party is a party or in order to take measures at the request of the<br />
concerned prior to the conclusion of a contract."<br />
<br />
Well then, in response to the allegations presented by the defendant, it is<br />
<br />
It should be noted that there is evidence that the data processing of the person who<br />
appears in the contract object of this claim has been made without cause<br />
legitimizing the data collected in article 6 of the GDPR.<br />
<br />
The GDPR applies to personal data, which is defined as "personal data":<br />
any information about an identified or identifiable natural person ("data subject");<br />
<br />
An identifiable natural person shall be considered any person whose identity can be<br />
be determined, directly or indirectly, in particular by means of an identifier, such as<br />
for example a name, an identification number, location data, a<br />
online identifier or one or more elements of physical identity,<br />
physiological, genetic, psychological, economic, cultural or social of said person.<br />
<br />
It has been verified, as the defendant acknowledges, that the data of the person<br />
<br />
claimant "However, this party acknowledges an error in the process of signing the<br />
contract, which caused an unjustified hiring and, therefore, the issuance of some<br />
invoices that did not correspond either: SIE has a contract signing process<br />
with two steps: A first step in which the conditions of service are reported by<br />
by telephone and that, if the client accepts said conditions for the same<br />
via, the contract is sent to you for your signature via SMS.<br />
<br />
<br />
In the case of this claim, the interested party accepted the conditions of the<br />
service by telephone and, despite not having signed the contract via SMS, it appeared<br />
as formalized in the SIE information systems due to an error in<br />
synchronization of said systems" were processed without a legitimising basis and without<br />
the signature of the complaining party being recorded in the contract, and that there was a<br />
fraudulent contract.<br />
<br />
And, in the allegations to the present procedure of September 30, 2022,<br />
The defendant states that <<Although in this specific case this second<br />
<br />
Acceptance was not made as the SMS to which it was due was not sent to the interested party.<br />
answer with a “YES”>>.<br />
<br />
According to what has been stated, data processing requires the existence of a<br />
legal basis that legitimizes it, such as the consent of the interested party provided<br />
validly, and in this specific case there is no legitimating basis since the contract<br />
<br />
it was not formalized.<br />
<br />
III<br />
<br />
In accordance with the available evidence, it is considered that the<br />
facts exposed do not comply with the provisions of article 6.1. of the GDPR, therefore<br />
<br />
could involve the commission of an offense classified in article 83.5 of the GDPR,<br />
which provides the following:<br />
<br />
Violations of the following provisions will be penalized, in accordance with the<br />
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,<br />
<br />
<br />
in the case of a company, an amount equivalent to a maximum of 4% of the<br />
total annual global business volume of the previous financial year, opting for<br />
the highest amount:<br />
<br />
a) the basic principles for the treatment, including the conditions for the<br />
<br />
consent under articles 5, 6, 7 and 9;<br />
<br />
b) the rights of the interested parties in accordance with articles 12 to 22; […].”<br />
<br />
For the purposes of the limitation period for infringements, the infringement indicated in the<br />
previous paragraph is considered very serious and prescribes after three years, in accordance with the<br />
Article 72.1 of the LOPDGDD, which establishes that:<br />
<br />
According to what is established in article 83.5 of Regulation (EU) 2016/679<br />
<br />
are considered very serious and will prescribe after three years the infractions that suppose<br />
a substantial violation of the articles mentioned therein and, in particular, the<br />
following:<br />
<br />
b) The processing of personal data without the fulfillment of any of the conditions of<br />
legality of the treatment established in article 6 of Regulation (EU) 2016/679.<br />
<br />
(…)»<br />
<br />
<br />
IV<br />
<br />
In order to determine the administrative fine to be imposed, the<br />
provisions of articles 83.1 and 83.2 of the GDPR, precepts that state:<br />
<br />
“Each control authority will guarantee that the imposition of administrative fines<br />
under this Article for infringements of this Regulation<br />
<br />
indicated in sections 4, 9 and 6 are effective in each individual case,<br />
proportionate and dissuasive.”<br />
<br />
"Administrative fines will be imposed, depending on the circumstances of each<br />
individual case, in addition to or in lieu of the measures contemplated in<br />
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine<br />
<br />
administration and its amount in each individual case shall be duly taken into account:<br />
<br />
a) the nature, seriousness and duration of the offence, taking into account the<br />
nature, scope or purpose of the processing operation in question<br />
as well as the number of stakeholders affected and the level of damage and<br />
damages they have suffered;<br />
<br />
b) intentionality or negligence in the infringement;<br />
<br />
c) any measure taken by the controller or processor<br />
<br />
to alleviate the damages and losses suffered by the interested parties;<br />
<br />
d) the degree of responsibility of the controller or the person in charge of the<br />
processing, taking into account the technical or organizational measures that have<br />
applied under articles 25 and 32;<br />
<br />
e) any previous infringement committed by the person in charge or in charge of the<br />
<br />
<br />
treatment;<br />
<br />
f) the degree of cooperation with the supervisory authority in order to put<br />
remedy the breach and mitigate the potential adverse effects of the breach;<br />
<br />
g) the categories of personal data affected by the infringement;<br />
<br />
<br />
h) the way in which the supervisory authority became aware of the infringement,<br />
in particular if the person in charge or the person in charge notified the infringement and, in such<br />
case, to what extent;<br />
<br />
i) when the measures indicated in article 58, paragraph 2, have been<br />
previously ordered against the person in charge or in charge in question<br />
in relation to the same matter, compliance with said measures;<br />
<br />
j) adherence to codes of conduct under article 40 or to mechanisms<br />
<br />
of certification approved in accordance with article 42, and<br />
<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the<br />
case, such as the financial benefits obtained or the losses avoided, direct<br />
or indirectly, through the infraction.”<br />
<br />
Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76,<br />
"Sanctions and corrective measures", provides:<br />
<br />
<br />
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679<br />
may also be taken into account:<br />
<br />
a) The continuing nature of the offence.<br />
<br />
b) The link between the activity of the offender and the performance of data processing.<br />
personal information.<br />
<br />
c) The benefits obtained as a consequence of the commission of the infraction.<br />
<br />
d) The possibility that the conduct of the affected party could have led to the commission<br />
<br />
of the offence.<br />
<br />
e) The existence of a merger by absorption process subsequent to the commission of the<br />
violation, which cannot be attributed to the absorbing entity.<br />
<br />
f) The affectation of the rights of minors.<br />
<br />
g) Have, when it is not mandatory, a data protection delegate.<br />
<br />
h) Submission by the person responsible or in charge, on a voluntary basis, to<br />
<br />
alternative conflict resolution mechanisms, in those cases in which<br />
there are controversies between those and any interested party.”<br />
<br />
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the<br />
following criteria established in article 83.2 of the GDPR:<br />
<br />
As aggravating factors:<br />
<br />
<br />
<br />
That it is a company whose main activity is linked to the<br />
processing of personal data, in accordance with the provisions of article<br />
<br />
76.2.b) of the LOPDGDD. The development of business activity<br />
The defendant performs requires continuous data processing<br />
customer personal.<br />
<br />
V<br />
<br />
It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 30,000<br />
€ for violation of article 83.5 a) GDPR.<br />
<br />
<br />
In view of the foregoing, the following is issued<br />
<br />
PROPOSED RESOLUTION<br />
<br />
<br />
That the Director of the Spanish Agency for Data Protection sanctions<br />
SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., with NIF B67421867, for a<br />
infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, with a<br />
a fine of 30,000 euros (thirty thousand euros).<br />
<br />
<br />
Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be<br />
informs that it may, at any time prior to the resolution of this<br />
procedure, carry out the voluntary payment of the proposed sanction, which<br />
It will mean a reduction of 20% of the amount of the same. With the application of this<br />
reduction, the sanction would be established at 24,000 euros (twenty-four thousand euros) and<br />
<br />
Your payment will imply the termination of the procedure. The effectiveness of this reduction<br />
will be conditioned to the withdrawal or resignation of any action or appeal via<br />
administrative against the sanction.<br />
<br />
In case you choose to proceed to the voluntary payment of the specified amount<br />
<br />
above, in accordance with the provisions of the aforementioned article 85.2, you must do it<br />
effective by entering the restricted account IBAN number: 0000 0000 0000 0000<br />
0000 0000 open in the name of the Spanish Data Protection Agency in the<br />
banking entity CAIXABANK, S.A., indicating the reference number in the concept<br />
of the procedure that appears in the heading of this document and the cause, for<br />
<br />
voluntary payment, reduction of the amount of the sanction. You must also send the<br />
Proof of admission to the Sub-Directorate General of Inspection to proceed to close<br />
The file.<br />
<br />
By virtue of this, you are notified of the foregoing, and the procedure is revealed.<br />
<br />
so that within TEN DAYS you can allege whatever you consider in your defense and<br />
present the documents and information that it deems pertinent, in accordance with<br />
Article 89.2 of the LPACAP.<br />
<br />
B.B.B.<br />
<br />
INSPECTOR/INSTRUCTOR<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
EXHIBIT<br />
File index EXP202202898<br />
<br />
02/14/2022 A.A.A.<br />
03/14/2022 Transfer of claim to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
04/14/2022 Communication from SUMINISTRADOR IBERICO DE ENERGIA S.L.<br />
05/14/2022 Communication to A.A.A.<br />
09/09/2022 A. opening of SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
<br />
09/12/2022 Info. Complainant to A.A.A.<br />
09/15/2022 Request for extension of term of SUMINISTRADOR IBERICO DE<br />
ENERGY S.L.<br />
09/16/2022 Amp. Term to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
09/30/2022 Response to IBERICO ENERGY SUPPLIER requirement<br />
GIA S.L.<br />
<br />
10/03/2022 Notification p. evidence to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
<br />
>><br />
<br />
SECOND: On November 15, 2022, the claimed party has proceeded to the<br />
payment of the penalty in the amount of 24,000 euros using the reduction<br />
provided for in the motion for a resolution transcribed above.<br />
<br />
<br />
THIRD: The payment made entails the waiver of any action or resource in the<br />
against the sanction, in relation to the facts referred to in the<br />
resolution proposal.<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
<br />
I<br />
Competence<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
<br />
(General Data Protection Regulation, hereinafter GDPR), grants each<br />
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the<br />
Organic Law 3/2018, of December 5, Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), is competent to<br />
initiate and resolve this procedure the Director of the Spanish Protection Agency<br />
<br />
of data.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
in Regulation (EU) 2016/679, in this organic law, by the provisions<br />
regulations dictated in its development and, insofar as they do not contradict them, with character<br />
<br />
subsidiary, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings", provides the following:<br />
<br />
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely of a pecuniary nature, or when it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the second is inadmissible, the voluntary payment by the presumed offender, at any moment prior to the resolution, shall imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the offence.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness shall be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.<br />
<br />
The percentage reduction provided for in this section may be increased by regulation."<br />
<br />
According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO DECLARE the termination of procedure EXP202202898, in accordance with the provisions of article 85 of the LPACAP.<br />
<br />
SECOND: TO NOTIFY this resolution to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this resolution shall be made public once the interested parties have been notified.<br />
<br />
Against this resolution, which puts an end to the administrative process as prescribed by article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.<br />
<br />
<br />
968-171022<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202898&diff=30468
AEPD (Spain) - EXP202202898
2023-01-18T15:11:18Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS/00286/2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00286-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=14.02.2022<br />
|Date_Decided=03.11.2022<br />
|Date_Published=29.12.2022<br />
|Year=2022<br />
|Fine=24,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The Spanish DPA fined an electricity and gas company €24,000 for processing a customer's personal data without a legal basis under [[Article 6 GDPR|Article 6(1) GDPR]]. The unlawful processing resulted from an internal error in recording the data subject's intention to enter into a contract. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The electricity and gas company (controller) billed a data subject unlawfully, in the absence of a valid contract between the controller and the data subject. <br />
<br />
On 14 February 2022, the data subject filed a complaint with the Spanish DPA. The data subject provided several invoices and transaction data from his bank account which related to a contract that he had not agreed to. The data subject also showed that he had complained about this issue to the controller several times. <br />
<br />
On 18 April 2022, the controller acknowledged that an internal error had resulted in the unjustified contracting. The controller used a two-step process for contracts concluded over the phone. In the first step, the data subject was informed by phone about the nature of the service provided by the controller. In the second step, if the data subject accepted the conditions on the phone, the controller sent the contract to the data subject by SMS for signature, which constituted consent. According to the controller, the data subject had accepted the conditions but never signed the contract, and therefore had not consented to it. However, due to an internal synchronisation error on the controller's side, the contract appeared in the controller's systems as signed by SMS and consented to. <br />
<br />
=== Holding ===<br />
The DPA held that the controller had violated [[Article 6 GDPR|Article 6(1) GDPR]] because it lacked a legal basis for the processing. Since the data subject's signature was missing, the DPA considered the contract fraudulent; the controller's processing was therefore carried out without a legitimate basis. <br />
<br />
The DPA originally fined the controller €30,000. That amount was reduced to €24,000 due to a voluntary payment by the controller.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/13<br />
<br />
File No.: EXP202202898<br />
<br />
<br />
<br />
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT<br />
<br />
Of the procedure instructed by the Spanish Data Protection Agency and based on the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: On September 9, 2022, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. (hereinafter, the claimed party). Once the initiation agreement had been notified and the allegations submitted had been analysed, on November 3, 2022 the proposed resolution transcribed below was issued:<br />
<br />
<<<br />
<br />
<br />
<br />
File No.: EXP202202898<br />
<br />
<br />
PROPOSED RESOLUTION OF SANCTION PROCEDURE<br />
<br />
<br />
Of the procedure instructed by the Spanish Data Protection Agency and based on the following:<br />
<br />
BACKGROUND<br />
<br />
<br />
<br />
FIRST: D. A.A.A. (hereinafter, the claiming party) filed a claim with the Spanish Data Protection Agency on February 14, 2022. The claim is directed against SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. with NIF B67421867 (hereinafter, the claimed party or SIE). The reasons on which the claim is based are as follows:<br />
<br />
The claimant states that there has been a change in the electricity and gas supply company without his consent.<br />
<br />
He provides invoices associated with the non-consensual contracting, charges made on his bank account and claims filed with the claimed party.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party, so that it could proceed with its analysis and inform this Agency, within one month, of the actions carried out to comply with the requirements established in the data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on March 14, 2022, as appears in the acknowledgment of receipt in the file.<br />
<br />
On April 18, 2022, this Agency received a written response indicating:<br />
<br />
<br />
<<According to the Complainant, during the call the salesperson pretended to work for a third company, with the aim of misleading him and getting him to contract its services without knowing that he was changing electricity supplier.<br />
<br />
Notwithstanding the foregoing, it is necessary to indicate that the procedures for the formalization of the electricity supply contract in SIE require, of course, the verification and authentication of the expression of the client's willingness to proceed to sign the contract. This implies that, when a telemarketing service provider formalizes a supply contract on behalf of SIE, it must provide the recording of the sales process. In this way, SIE can verify that the contracting has been carried out properly.<br />
<br />
<br />
After reviewing the recordings of the phone call, we were able to verify that the sales agent at no time said that he worked for the third company in question, but rather carried out the contracting process indicating to the Complainant that said contracting would be carried out with Más Energía, which is a brand marketed by SIE.<br />
<br />
Regarding the origin of the personal data referred to by the Complainant, the following considerations should be made about the contracting process when it is carried out by a company that provides telemarketing services:<br />
<br />
- The telemarketing service provider transfers to SIE the personal data of the interested parties to whom SIE products and services will be offered. Subsequently, the telemarketing service provider acts as SIE's data processor in order to carry out the activities of offering its products and services and contracting the corresponding products and services.<br />
<br />
- Notwithstanding the foregoing, the telemarketing service provider may only carry out commercial actions on those interested parties who have given it their consent for the transfer of their personal data to SIE for said purpose.<br />
<br />
Taking into account the above, SIE is not in a position to determine where the telemarketing service provider obtained the personal data of the Complainant, since it obtained them as a data controller independent of SIE.<br />
<br />
However, at the time of signing the contract for the provision of services, said telemarketing service provider undertook to transfer only the personal data of those interested parties who had given their consent for said purpose.<br />
<br />
<br />
Additionally, the service provider undertook to duly inform the interested parties, in accordance with the data protection regulations, about the transfer of their data to SIE.<br />
<br />
2. As a result of the receipt of the transfer of the claim and the request for information that gives rise to this writing, SIE initiated an internal investigation in order to determine whether there had been any non-compliance with the data protection regulations in the organization during the contracting process with the claimant.<br />
<br />
However, this party acknowledges an error in the contract signing process, which caused an unjustified contracting and, therefore, the issuance of invoices that did not correspond either: SIE has a contract signing process with two steps: a first step in which the conditions of the service are communicated by telephone and, if the client accepts said conditions by the same means, the contract is sent to the client for signature via SMS.<br />
<br />
In the case of this claim, the interested party accepted the conditions of the service by telephone and, despite not having signed the contract via SMS, it appeared as formalized in the SIE information systems due to a synchronization error in these systems.<br />
<br />
4. SIE is the first party interested in having its services contracted always in accordance with current legislation.<br />
<br />
Therefore, and although in this case it has been possible to determine, after the investigations carried out, that its action has been in accordance with the personal data protection regulations, because incidents of a different nature have been detected in the contracting procedure for its services, SIE has adopted as a measure the total suspension of the contracting procedure for its services from March 4, 2022 until they are resolved>>.<br />
<br />
THIRD: In accordance with article 65 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), when a claim is submitted to the Spanish Data Protection Agency (hereinafter, AEPD), it must evaluate its admissibility for processing and must notify the claimant of the decision on the admission or non-admission to processing within three months from the date the claim was entered into this Agency.<br />
<br />
If, after this period, said notification does not take place, it shall be understood that the processing of the claim continues in accordance with the provisions of Title VIII of the Law. Said provision is also applicable to the procedures that the AEPD has to process in exercise of the powers attributed to it by other laws.<br />
<br />
In this case, taking into account the foregoing and that the claim was filed with this Agency on February 14, 2022, it is communicated that the claim was admitted for processing on May 14, 2022, three months having elapsed since it entered the AEPD.<br />
<br />
FOURTH: On September 9, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR.<br />
<br />
FIFTH: Once the aforementioned initiation agreement had been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the claimed party submitted a written statement of allegations in which, in summary, it stated that: <<as we already explained in our response to the request for information sent to the AEPD, our procedure for contracting our services consists of a process of verification and authentication of the expression of the client's willingness to proceed to the formalization of the supply contract. This implies that, when the telemarketing service provider formalizes a supply contract on behalf of SIE, the latter must provide the recording of the sales process; in this way, SIE can verify that the contracting has been carried out properly.<br />
<br />
Once we have reviewed the recording of the telephone call, we can affirm that: 1. The sales agent at no time indicated that he worked for a third company. He indicates that the contract will be carried out with Más Luz Energía, a brand marketed by SIE.<br />
<br />
2. The interested party expresses his will during the call to contract both supplies (electricity and gas) with the SIE company through the Más Luz Energía brand.<br />
<br />
We attach as Annex I the transcript of the call where the interested party expresses his willingness to contract both supplies.<br />
<br />
This party explained that the contracting process for the services offered by SIE is carried out by means of a double acceptance: a first acceptance occurs during the phone call and a second by sending an SMS to finish formalizing the contract. In this specific case, however, this second acceptance was not carried out, as the SMS to which the interested party had to respond with a "YES" was not sent to him.<br />
<br />
This party understands that, although the formalization of the contract was not carried out through the sending of the corresponding SMS due to a human error not attributable to SIE, the claimant did clearly state his willingness to contract with SIE (as can be seen in the transcript of the call provided), and consequently the processing carried out would fall within the expectation of the interested party.<br />
<br />
For this reason, as a result of the internal investigations into what happened in the process of contracting its services, SIE halted the contracting of its services indefinitely.<br />
<br />
For all of the foregoing, let the proceedings be archived by the AEPD>>.<br />
<br />
<br />
SIXTH: On October 3, 2022, the instructor of the procedure agreed to carry out the following evidentiary measures:<br />
<br />
<<1. The claim filed by D. A.A.A. and its documentation, and the documents obtained and generated during the phase of admission to processing of the claim.<br />
<br />
2. Likewise, the allegations to the agreement of initiation of the referenced sanctioning procedure, presented by SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., and the documentation that accompanies them are considered reproduced for evidentiary purposes>>.<br />
<br />
SEVENTH: A list of the documents in the file is attached as an annex to the procedure.<br />
<br />
From the actions carried out in this procedure and the documentation in the file, the following facts have been accredited:<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: On February 14, 2022, a letter from the complaining party was entered in the Spanish Data Protection Agency, stating that a change of the electricity and gas supply company had been carried out without his consent.<br />
<br />
He provides invoices associated with the non-consensual contracting, charges made on his bank account and claims filed with the claimed party.<br />
<br />
SECOND: SIE acknowledges, in its brief of April 18, 2022 and in the allegations to the present proceeding of September 30 of the same year, that at the time of the signing of the contract an error occurred which caused an unjustified contracting and, therefore, the issuance of invoices that did not correspond either.<br />
<br />
That SIE has a contract signing process with two steps: a first step in which the conditions of the service are communicated by telephone and, if the client accepts said conditions by the same means, the contract is sent to him for signature via SMS.<br />
<br />
THIRD: It is clear that, despite the claimant not having signed the contract via SMS, it appeared as formalized in the information systems of the claimed party.<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedure."<br />
<br />
<br />
II<br />
<br />
In response to the allegations presented by the respondent entity, the following should be noted:<br />
<br />
Article 6.1 of the GDPR establishes the conditions under which the processing of personal data is permitted.<br />
<br />
"1. Processing shall be lawful only if it meets at least one of the following conditions:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;<br />
<br />
b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;<br />
<br />
c) the processing is necessary for compliance with a legal obligation to which the controller is subject;<br />
<br />
d) the processing is necessary in order to protect the vital interests of the data subject or of another natural person;<br />
<br />
e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
<br />
f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.<br />
<br />
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."<br />
<br />
On this question of the lawfulness of the processing, Recital 40 of the aforementioned GDPR also bears, when it provides that "In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."<br />
<br />
Well then, in response to the allegations presented by the defendant, it should be noted that there is evidence that the processing of the data of the person who appears in the contract that is the object of this claim has been carried out without any of the legitimizing grounds set out in article 6 of the GDPR.<br />
<br />
The GDPR applies to personal data, defined as "personal data": any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.<br />
<br />
It has been verified, as the defendant acknowledges, that the data of the claimant, "However, this party acknowledges an error in the process of signing the contract, which caused an unjustified contracting and, therefore, the issuance of some invoices that did not correspond either: SIE has a contract signing process with two steps: a first step in which the conditions of service are communicated by telephone and, if the client accepts said conditions by the same means, the contract is sent to the client for signature via SMS.<br />
<br />
In the case of this claim, the interested party accepted the conditions of the service by telephone and, despite not having signed the contract via SMS, it appeared as formalized in the SIE information systems due to a synchronization error in said systems", were processed without a legitimizing basis and without the signature of the complaining party being recorded in the contract, and that there was a fraudulent contract.<br />
<br />
And, in the allegations to the present procedure of September 30, 2022, the defendant states that <<In this specific case, however, this second acceptance was not carried out, as the SMS to which the interested party had to answer with a "YES" was not sent to him>>.<br />
<br />
According to what has been stated, data processing requires the existence of a legal basis that legitimizes it, such as the validly given consent of the interested party, and in this specific case there is no legitimizing basis since the contract was not formalized.<br />
<br />
III<br />
<br />
In accordance with the available evidence, it is considered that the facts set out do not comply with the provisions of article 6.1 of the GDPR, and therefore could constitute the commission of an infringement classified in article 83.5 of the GDPR, which provides the following:<br />
<br />
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:<br />
<br />
a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;<br />
<br />
b) the data subjects' rights pursuant to Articles 12 to 22; […]."<br />
<br />
For the purposes of the limitation period for infringements, the infringement indicated in the previous paragraph is considered very serious and prescribes after three years, in accordance with Article 72.1 of the LOPDGDD, which establishes that:<br />
<br />
"According to what is established in article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and shall prescribe after three years, and in particular the following:<br />
<br />
b) The processing of personal data without the fulfilment of any of the conditions of lawfulness of the processing established in article 6 of Regulation (EU) 2016/679.<br />
<br />
(…)"<br />
<br />
<br />
IV.<br />
<br />
In order to determine the administrative fine to be imposed, the<br />
provisions of articles 83.1 and 83.2 of the GDPR must be taken into account, precepts that state:<br />
<br />
“Each control authority will guarantee that the imposition of administrative fines<br />
under this Article for infringements of this Regulation<br />
indicated in sections 4, 9 and 6 are effective in each individual case,<br />
proportionate and dissuasive.”<br />
<br />
"Administrative fines will be imposed, depending on the circumstances of each<br />
individual case, in addition to or in lieu of the measures contemplated in<br />
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an<br />
administrative fine and its amount in each individual case, the following shall be duly taken into account:<br />
<br />
a) the nature, seriousness and duration of the offence, taking into account the<br />
nature, scope or purpose of the processing operation in question<br />
as well as the number of interested parties affected and the level of damage<br />
they have suffered;<br />
<br />
b) intentionality or negligence in the infringement;<br />
<br />
c) any measure taken by the controller or processor<br />
to alleviate the damages and losses suffered by the interested parties;<br />
<br />
d) the degree of responsibility of the controller or processor,<br />
taking into account the technical or organizational measures that they have<br />
applied under articles 25 and 32;<br />
<br />
e) any previous infringement committed by the controller or processor;<br />
<br />
f) the degree of cooperation with the supervisory authority in order to<br />
remedy the breach and mitigate the potential adverse effects of the breach;<br />
<br />
g) the categories of personal data affected by the infringement;<br />
<br />
h) the way in which the supervisory authority became aware of the infringement,<br />
in particular if the controller or processor notified the infringement and, in such<br />
case, to what extent;<br />
<br />
i) when the measures indicated in article 58, paragraph 2, have been<br />
previously ordered against the controller or processor in question<br />
in relation to the same matter, compliance with said measures;<br />
<br />
j) adherence to codes of conduct under article 40 or to certification mechanisms<br />
approved in accordance with article 42, and<br />
<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the<br />
case, such as the financial benefits obtained or the losses avoided, directly<br />
or indirectly, through the infraction.”<br />
<br />
Regarding section k) of article 83.2 of the GDPR, article 76 of the LOPDGDD,<br />
"Sanctions and corrective measures", provides:<br />
<br />
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,<br />
the following may also be taken into account:<br />
<br />
a) The continuing nature of the offence.<br />
<br />
b) The link between the activity of the offender and the performance of personal data processing.<br />
<br />
c) The benefits obtained as a consequence of the commission of the infraction.<br />
<br />
d) The possibility that the conduct of the affected party could have led to the commission<br />
of the offence.<br />
<br />
e) The existence of a merger by absorption process subsequent to the commission of the<br />
violation, which cannot be attributed to the absorbing entity.<br />
<br />
f) The affectation of the rights of minors.<br />
<br />
g) Having, when it is not mandatory, a data protection officer.<br />
<br />
h) Submission by the controller or processor, on a voluntary basis, to<br />
alternative conflict resolution mechanisms, in those cases in which<br />
there are controversies between those and any interested party.”<br />
<br />
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the<br />
following criteria established in article 83.2 of the GDPR:<br />
<br />
As aggravating factors:<br />
<br />
That it is a company whose main activity is linked to the<br />
processing of personal data, in accordance with the provisions of article<br />
76.2.b) of the LOPDGDD. The business activity that the defendant carries out<br />
requires the continuous processing of customers' personal data.<br />
<br />
V<br />
<br />
It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of<br />
30,000 € for violation of article 83.5 a) GDPR.<br />
<br />
<br />
In view of the foregoing, the following is issued<br />
<br />
PROPOSED RESOLUTION<br />
<br />
<br />
That the Director of the Spanish Agency for Data Protection sanctions<br />
SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., with NIF B67421867, for an<br />
infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, with<br />
a fine of 30,000 euros (thirty thousand euros).<br />
<br />
<br />
Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are<br />
informed that you may, at any time prior to the resolution of this<br />
procedure, make voluntary payment of the proposed sanction, which<br />
will mean a reduction of 20% of its amount. With the application of this<br />
reduction, the sanction would be established at 24,000 euros (twenty-four thousand euros) and<br />
your payment will imply the termination of the procedure. The effectiveness of this reduction<br />
will be conditioned on the withdrawal or waiver of any action or appeal through<br />
administrative channels against the sanction.<br />
<br />
In case you choose to proceed to the voluntary payment of the amount specified<br />
above, in accordance with the provisions of the aforementioned article 85.2, you must do so<br />
by paying into the restricted account IBAN number: 0000 0000 0000 0000<br />
0000 0000 opened in the name of the Spanish Data Protection Agency at the<br />
banking entity CAIXABANK, S.A., indicating in the payment concept the reference number<br />
of the procedure that appears in the heading of this document and the cause,<br />
voluntary payment, reduction of the amount of the sanction. You must also send<br />
proof of payment to the Sub-Directorate General of Inspection in order to proceed to close<br />
the file.<br />
<br />
By virtue of this, you are notified of the foregoing and the procedure is made available to you,<br />
so that within TEN DAYS you may allege whatever you consider appropriate in your defence and<br />
present the documents and information that you deem pertinent, in accordance with<br />
Article 89.2 of the LPACAP.<br />
<br />
B.B.B.<br />
<br />
INSPECTOR/INSTRUCTOR<br />
<br />
EXHIBIT<br />
File index EXP202202898<br />
<br />
02/14/2022 A.A.A.<br />
03/14/2022 Transfer of claim to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
04/14/2022 Communication from SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
05/14/2022 Communication to A.A.A.<br />
09/09/2022 A. opening of SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
09/12/2022 Info. Complainant to A.A.A.<br />
09/15/2022 Request for extension of term of SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
09/16/2022 Amp. Term to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
09/30/2022 Response to requirement from SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
10/03/2022 Notification p. evidence to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.<br />
<br />
»<br />
<br />
SECOND: On November 15, 2022, the claimed party has proceeded to the<br />
payment of the penalty in the amount of 24,000 euros using the reduction<br />
provided for in the motion for a resolution transcribed above.<br />
<br />
<br />
THIRD: The payment made entails the waiver of any action or appeal through<br />
administrative channels against the sanction, in relation to the facts referred to in the<br />
proposed resolution.<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
<br />
I<br />
Competence<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Termination of the procedure<br />
<br />
<br />
Article 85 of Law 39/2015, of October 1, on Common Administrative Procedure<br />
for Public Administrations (hereinafter LPACAP), under the heading<br />
"Termination in disciplinary proceedings", provides the following:<br />
<br />
"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction has only a pecuniary nature, or it is possible to impose a<br />
pecuniary sanction and another of a non-pecuniary nature but the<br />
inadmissibility of the second has been justified, the voluntary payment by the presumed perpetrator, at<br />
any moment prior to the resolution, will imply the termination of the procedure,<br />
except in relation to the restoration of the altered situation or the determination of the<br />
compensation for damages caused by the commission of the offence.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
competent body to resolve the procedure will apply reductions of at least<br />
20% of the amount of the proposed penalty, these being cumulative among themselves.<br />
The aforementioned reductions must be determined in the notification of initiation<br />
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
The percentage reduction provided for in this section may be increased<br />
according to regulations."<br />
<br />
According to what has been stated,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: DECLARE the termination of procedure EXP202202898, in<br />
accordance with the provisions of article 85 of the LPACAP.<br />
<br />
SECOND: NOTIFY this resolution to SUMINISTRADOR IBÉRICO DE<br />
ENERGÍA, S.L.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
resolution will be made public once the interested parties have been notified.<br />
<br />
Against this resolution, which puts an end to the administrative process as prescribed by<br />
art. 114.1.c) of Law 39/2015, of October 1, on Common Administrative Procedure<br />
for Public Administrations, interested parties may file a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
referred Law.<br />
<br />
968-171022<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_(Island)_-_Case_no._2021101963&diff=30466
Persónuvernd (Island) - Case no. 2021101963
2023-01-18T14:54:46Z
<p>AK: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Iceland<br />
|DPA-BG-Color=<br />
|DPAlogo=<br />
|DPA_Abbrevation=Persónuvernd<br />
|DPA_With_Country=Persónuvernd (Island)<br />
<br />
|Case_Number_Name=Case no. 2021101963<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Icelandic DPA<br />
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/birting-leitarnidurstadna-i-leitarvel-google-2<br />
|Original_Source_Language_1=Icelandic<br />
|Original_Source_Language__Code_1=IS<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=11.01.2023<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Google LLC<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The Icelandic DPA ordered Google LLC to remove a search result containing an article with a data subject's personal data due to the time that has passed since the events covered in the article occurred and the fact that the data subject no longer held a position of public relevance.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject is an individual whose personal data was shared through a news article. As the news article was findable by a search query through Google's search engine, Google LLC being the controller, the data subject requested the controller to remove the search result from its database pursuant to the data subject's right to be forgotten (Article 17 GDPR). Google denied the request, justifying it by the fact that the news article concerns the data subject's employment in a public setting, which is relevant for the public interest. <br />
<br />
Following Google's response, the data subject submitted a complaint to the Icelandic DPA.<br />
<br />
=== Holding ===<br />
In its decision, the DPA noted that it is necessary to assess the legality of the continued processing of the data subject's personal data by weighing the legitimate interests of third parties against the interests and fundamental rights of the data subject. In the case at hand, the financial interests of Google LLC related to its search engine as well as the public interest in being able to access the concerned information were weighed against the data subject's interest in privacy and data protection. <br />
<br />
For such an assessment, the DPA noted that it is particularly relevant if the concerned data subject is a public figure or if they hold a public position. Should that be the case, this may result in the data subject not enjoying the same privacy protection as private persons due to the importance of the freedom to discuss public matters openly. Although the data subject held a public position at the time when the news article was published, the data subject was not involved with projects of public importance at the time when the complaint was filed. <br />
<br />
Due to the amount of time that has passed since the events covered in the news article took place and due to the fact that the data subject no longer held a public position, the DPA held that the data subject's interest in privacy superseded the public's interest in the information and Google LLC's financial interests. The DPA concluded that the controller should have removed the search result based on the data subject's right to be forgotten and ordered it to do so.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.<br />
<br />
<pre><br />
Solutions<br />
<br />
Display of search results in the Google search engine<br />
<br />
Case no. 2021101963<br />
<br />
11.1.2023<br />
<br />
In certain cases, people may have the right to have information displayed about them in search engines, e.g. on Google, removed. Although the results are removed from search engines, the content will still be on the Internet, but in some cases it is also possible to get it removed.<br />
<br />
In this case, it was considered that the complainant's privacy interests and his right to be forgotten outweighed the public's interest in having access to the said information about him. It was therefore proposed to Google LLC to remove certain websites from the search results for the complainant's name in the Google search engine.<br />
<br />
----<br />
<br />
Personal protection ruled in a case that dealt with the right of a person to have information about him deleted that was published in the search results of the Google search engine, when searching for the person's name.<br />
<br />
The conclusion of the Data Protection Authority was that, taking into account the circumstances of the case, the situation of the complainant and the time that has passed since the event discussed in the specified search results, the privacy interests of the complainant and his right to be forgotten were stronger and took precedence over the public's interest in having access to said information about the complainant. It was therefore also the conclusion of the Personal Protection Authority that Google LLC should remove the websites that the complaint covered from the search results for the complainant's name in the Google search engine.<br />
<br />
Given that the decision contains detailed information about the complainant, even if personal identifiers were erased, the Personal Protection Agency has decided not to publish the decision in its entirety. However, Personal Protection has compiled an extract from the ruling, which follows.<br />
<br />
A complaint was made about the publication of search results in the Google search engine, which referred to articles where the complainant was discussed. The articles discussed a unique incident where a complainant was involved, but nothing criminal took place. Google LLC denied the Complainant's request to remove the aforementioned search results on the basis that the information was related to the Complainant's employment status and his role in the public domain where the Complainant currently holds a management position. In Google's opinion, the personal information that appeared in the press coverage was still considered to serve the public interest.<br />
<br />
Personal Protection considered that when assessing whether the complainant has the right to have certain search results deleted that appear when his name is entered into the Google search engine, it is first necessary to examine whether the processing of personal information that takes place during the use of the search engine is supported by an authorization according to Act no. 90/2018 on personal protection and processing of personal information. Secondly, it would have to be assessed whether the complainant has the right to have the personal information, i.e. the links and the information that would be published with the search results, deleted on the basis of Article 20 of the same Act, cf. also Article 17 of Regulation (EU) 2016/679.<br />
<br />
The conclusion of the Personal Protection Authority states that the said processing of personal information cannot be seen to rely on any other basis in Article 9 of Act no. 90/2018 than point 6 of the provision. It stipulates that the processing of personal data is permitted if it is necessary for the legitimate interests of the responsible party or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh them, in particular when the data subject is a child. In the case, on the one hand, the financial interests of Google LLC related to the search engine, as well as the interests of the public in being able to access information on the Internet, were weighed. On the other hand, the complainant's privacy protection interests were weighed, and Personal Protection considered the goal of Act no. 90/2018 to promote the handling of personal data in accordance with the basic principles and rules on personal protection and privacy, cf. paragraph 1 of Article 1 of the Act.<br />
<br />
In the decision of the Personal Protection Authority, it is stated that when assessing whether the right to be forgotten according to Article 20 of Act no. 90/2018, cf. Article 17 of Regulation (EU) 2016/679, applies, it can be decisive whether processing is necessary to exercise the right to freedom of expression and information according to point a, paragraph 3 of Article 17, cf. also Article 6 of Act no. 90/2018, which stipulates that the provisions of the Act and the Regulation may be deviated from in favor of the media, art or literature to the extent that it is necessary to reconcile the right to privacy on the one hand and freedom of expression and information on the other. It would therefore also have to be considered whether the aforementioned processing by Google LLC was necessary for the public to exercise the right to freedom of information and could thus set aside the complainant's right to be forgotten according to Article 20 of Act no. 90/2018 and Article 17 of Regulation (EU) 2016/679, cf. point a, paragraph 3 of the article.<br />
<br />
It is stated in the ruling of the Personal Protection Authority that the conclusion on whether the processing of Google LLC is supported by authorization in Act no. 90/2018, on the one hand, and on the other hand, whether the complainant's right to be forgotten should be set aside, turns on an assessment of the different interests weighed in the case. In both cases, the public's interest in being able to access information about the complainant on the Internet, and thus in being able to exercise their right to freedom of information, must be assessed against the complainant's privacy interests. In such an assessment of interests, it is particularly relevant whether the person registered is a public figure or has played a public role. This can lead to the fact that the registered person, due to his position, does not enjoy the same privacy protection as unknown persons due to the importance of discussions on issues that may be relevant to the public. In the opinion of the Data Protection Authority, it was not considered that the complainant was in a similar employment position as he was in when the event that was discussed in the news articles that required removal from search results on the Google web search engine took place. It was also not considered that the complainant's current employment status involved projects that affected the important interests of the public.<br />
<br />
The conclusion of the Data Protection Authority was that, taking into account the circumstances of the case, the situation of the complainant and the time that has passed since the event discussed in the specified articles, the privacy protection interests of the complainant were considered to outweigh the interests of the public in having access to the relevant information. The processing by Google LLC of personal information about the complainant that was under review was therefore not considered compatible with Act no. 90/2018 on personal protection and processing of personal information. In accordance with the complainant's right to be forgotten under Article 20 of the Act, cf. points c and d of paragraph 1 of Article 17 of Regulation (EU) 2016/679, it was the conclusion of the Data Protection Authority that Google LLC should remove the websites to which the complaint relates from the search results for the complainant's name in the Google search engine.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_(Island)_-_Case_no._2021101963&diff=30465
Persónuvernd (Island) - Case no. 2021101963
2023-01-18T14:54:01Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Iceland<br />
|DPA-BG-Color=<br />
|DPAlogo=<br />
|DPA_Abbrevation=Persónuvernd<br />
|DPA_With_Country=Persónuvernd (Island)<br />
<br />
|Case_Number_Name=Case no. 2021101963<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Icelandic DPA<br />
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/birting-leitarnidurstadna-i-leitarvel-google-2<br />
|Original_Source_Language_1=Icelandic<br />
|Original_Source_Language__Code_1=IS<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=11.01.2023<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Google LLC<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The Icelandic DPA ordered Google LLC to remove a search result containing an article with a data subject's personal data due to the time that has passed since the events covered in the article occurred and the fact that the data subject no longer held a position of public relevance.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject is an individual whose personal data was shared through a news article. As the news article was findable by a search query through Google's search engine, Google LLC being the controller, the data subject requested the controller to remove the search result from its database pursuant to the data subject's right to be forgotten (Article 17 GDPR). Google denied the request, justifying it by the fact that the news article concerns the data subject's employment in a public setting, which is relevant for the public interest. <br />
<br />
Following Google's response, the data subject submitted a complaint to the Icelandic DPA.<br />
<br />
=== Holding ===<br />
In its decision, the DPA noted that it is necessary to assess the legality of the continued processing of the data subject's personal data by weighing the legitimate interests of third parties against the interests and fundamental rights of the data subject. In the case at hand, the financial interests of Google LLC related to its search engine as well as the public interest in being able to access the concerned information were weighed against the data subject's interest in privacy and data protection. <br />
<br />
For such an assessment, the DPA noted that it is particularly relevant if the concerned data subject is a public figure or if they occupy a public position. Should that be the case, this may result in the data subject not enjoying the same privacy protection as private persons due to the importance of the freedom to discuss public matters openly. Although the data subject occupied a public position at the time when the news article was published, the data subject was not involved with projects of public importance at the time when the complaint was filed. <br />
<br />
Due to the amount of time that has passed since the events covered in the news article took place and due to the fact that the data subject no longer occupied a public position, the DPA held that the data subject's interest in privacy superseded the public's interest in the information and Google LLC's financial interests. The DPA concluded that the controller should have removed the search result based on the data subject's right to be forgotten and ordered it to do so.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.<br />
<br />
<pre><br />
Solutions<br />
<br />
Display of search results in the Google search engine<br />
<br />
Case no. 2021101963<br />
<br />
11.1.2023<br />
<br />
In certain cases, people may have the right to have information displayed about them in search engines, e.g. on Google, removed. Although the results are removed from search engines, the content will still be on the Internet, but in some cases it is also possible to get it removed.<br />
<br />
In this case, it was considered that the complainant's privacy interests and his right to be forgotten outweighed the public's interest in having access to the said information about him. It was therefore proposed to Google LLC to remove certain websites from the search results for the complainant's name in the Google search engine.<br />
<br />
----<br />
<br />
Personal protection ruled in a case that dealt with the right of a person to have information about him deleted that was published in the search results of the Google search engine, when searching for the person's name.<br />
<br />
The conclusion of the Data Protection Authority was that, taking into account the circumstances of the case, the situation of the complainant and the time that has passed since the event discussed in the specified search results, the privacy interests of the complainant and his right to be forgotten were stronger and took precedence over the public's interest in having access to said information about the complainant. It was therefore also the conclusion of the Personal Protection Authority that Google LLC should remove the websites that the complaint covered from the search results for the complainant's name in the Google search engine.<br />
<br />
Given that the decision contains detailed information about the complainant, even with personal identifiers removed, the Data Protection Authority has decided not to publish the decision in its entirety. It has, however, compiled an extract from the ruling, which follows.<br />
<br />
A complaint was made about the publication of search results in the Google search engine that referred to articles discussing the complainant. The articles concerned a single incident in which the complainant was involved, but no criminal conduct took place. Google LLC refused the complainant's request to remove the search results on the basis that the information related to the complainant's employment status and his role in public life, where he currently holds a management position. In Google's opinion, the personal data that appeared in the press coverage therefore still served the public interest.<br />
<br />
The Data Protection Authority considered that, when assessing whether the complainant has the right to have certain search results that appear when his name is entered into the Google search engine deleted, it must first be examined whether the processing of personal data that takes place in the operation of the search engine has a legal basis under Act no. 90/2018 on data protection and the processing of personal data. Secondly, it must be assessed whether the complainant has the right to have the personal data, i.e. the links and the information published with the search results, deleted on the basis of Article 20 of the same Act, cf. also Article 17 of Regulation (EU) 2016/679.<br />
<br />
The Data Protection Authority concluded that the processing in question could not be based on any ground in Article 9 of Act no. 90/2018 other than point 6 of that provision. That point permits the processing of personal data if it is necessary for the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject that require the protection of personal data outweigh those interests, in particular where the data subject is a child. In the case, the financial interests of Google LLC in the search engine, as well as the public's interest in being able to access information on the Internet, were weighed on the one hand; on the other hand stood the complainant's privacy interests, and the Data Protection Authority noted that the objective of Act no. 90/2018 is to promote the handling of personal data in accordance with the basic principles and rules on data protection and privacy, cf. paragraph 1 of Article 1 of the Act.<br />
<br />
The decision of the Data Protection Authority states that, when assessing whether the right to be forgotten under Article 20 of Act no. 90/2018, cf. Article 17 of Regulation (EU) 2016/679, applies, it can be decisive whether the processing is necessary for exercising the right to freedom of expression and information under point (a) of paragraph 3 of Article 17, cf. also Article 6 of Act no. 90/2018, which provides that the provisions of the Act and the Regulation may be derogated from in favour of the media, art or literature to the extent necessary to reconcile the right to privacy with freedom of expression and information. It therefore also had to be considered whether the processing by Google LLC was necessary for the public to exercise its right to freedom of information and could thus override the complainant's right to be forgotten under Article 20 of Act no. 90/2018 and Article 17 of Regulation (EU) 2016/679, cf. point (a) of paragraph 3 of that Article.<br />
<br />
The ruling states that the conclusion on whether Google LLC's processing has a legal basis under Act no. 90/2018, on the one hand, and whether the complainant's right to be forgotten should be set aside, on the other, turns on a weighing of the interests at stake in the case. In both cases, the public's interest in being able to access information about the complainant on the Internet, and thus in exercising its right to freedom of information, must be balanced against the complainant's privacy interests. In that balancing it is particularly relevant whether the data subject is a public figure or has played a public role: such a person may, because of his position, enjoy less privacy protection than an unknown person, given the importance of public debate on matters that may be relevant to the public. The Data Protection Authority found that the complainant was no longer in an employment position comparable to the one he held when the event discussed in the news articles took place, and that his current employment did not involve projects affecting important public interests.<br />
<br />
The conclusion of the Data Protection Authority was that, taking into account the circumstances of the case, the situation of the complainant and the time that has passed since the event discussed in the articles, the complainant's privacy interests outweigh the public's interest in having access to the information in question. The processing by Google LLC of the personal data about the complainant under review was therefore not considered compatible with Act no. 90/2018 on data protection and the processing of personal data. In accordance with the complainant's right to be forgotten under Article 20 of the Act, cf. points (c) and (d) of paragraph 1 of Article 17 of Regulation (EU) 2016/679, the Data Protection Authority concluded that Google LLC should remove the websites to which the complaint relates from the search results for the complainant's name in the Google search engine.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=ANSPDCP_(Romania)_-_12.01.2023&diff=30462
ANSPDCP (Romania) - 12.01.2023
2023-01-18T14:41:22Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Romania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoRO.jpg<br />
|DPA_Abbrevation=ANSPDCP<br />
|DPA_With_Country=ANSPDCP (Romania)<br />
<br />
|Case_Number_Name=Press Communication 12/01/2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Romanian DPA<br />
|Original_Source_Link_1=https://www.dataprotection.ro/?page=Comunicat_Presa_12_01_2023&lang=ro<br />
|Original_Source_Language_1=Romanian<br />
|Original_Source_Language__Code_1=RO<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=<br />
|Date_Published=12.01.2023<br />
|Year=<br />
|Fine=9,828<br />
|Currency=RON<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
|GDPR_Article_3=Article 33 GDPR<br />
|GDPR_Article_Link_3=Article 33 GDPR<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=Bristol Logistics SA<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The Romanian DPA fined a logistics company ca. €2,000 for failing to implement adequate security measures ([[Article 32 GDPR]]) to protect its employees' personal data: a lever-arch file holding the personnel files of 12 employees was stolen, exposing the data to unauthorised third parties.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On an unspecified date, a logistics firm (the controller) submitted two data breach notifications to the Romanian DPA under [[Article 33 GDPR|Article 33 GDPR]]. The DPA opened an investigation, which found that the breach consisted in the theft of a lever-arch file (Romanian: biblioraft) containing the personnel files of 12 employees, allowing unauthorised third parties to access the personal data in them. The breach occurred on 3 June 2021 and concerned contact and identification data, academic and professional training, employment details, information on tax deductions and dependents, and occupational health (fitness-for-work) information. The investigation was concluded in December 2022.<br />
<br />
=== Holding ===<br />
The DPA held that the controller had not implemented adequate technical and organisational measures to ensure a level of security appropriate to the risk of processing, in particular the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data. The controller therefore violated Articles 32(1)(b) and 32(2) GDPR. <br />
<br />
Pursuant to its powers under [[Article 58 GDPR#2|Article 58(2) GDPR]], the DPA also ordered the controller to take corrective measures: to review and update the technical and organisational measures implemented on the basis of its risk assessment, including the working procedures for the protection of personal data, and to train all persons authorised to process personal data. <br />
<br />
The DPA fined the controller 9,828.00 lei (ca. €2000) for its violation.<br />
<br />
== Comment ==<br />
Unfortunately, the Romanian DPA is only publishing abridged Press Releases and not full decisions.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Romanian original. Please refer to the Romanian original for more details.<br />
<br />
<pre><br />
12.01.2023<br />
<br />
Penalty for GDPR violation<br />
<br />
<br />
<br />
The National Supervisory Authority completed an investigation at BRISTOL LOGISTICS SA in December 2022 and found a violation of the provisions of art. 32 para. (1) lit. b) and para. (2) from Regulation (EU) no. 2016/679.<br />
<br />
As such, the operator BRISTOL LOGISTICS SA was fined 9,828.00 lei (equivalent to EUR 2,000) for the contravention.<br />
<br />
The investigation was started as a result of the transmission by the operator of two data security breach notifications, based on the provisions of art. 33 of Regulation (EU) 2016/679.<br />
<br />
During the investigation, it was found that the security breach consisted in the theft of a lever-arch file (biblioraft) containing the personnel files of 12 employees, which led to access to personal data by unauthorized persons.<br />
<br />
As such, it was held that the operator Bristol Logistics SA did not implement adequate technical and organizational measures to ensure a level of security appropriate to the risk of processing, generated in particular, accidentally or unlawfully, by the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data; on 03.06.2021 personal data were accessed without authorization (contact/identification data, academic and professional training, employment details, information on tax deductions and dependents, occupational medicine fitness certificate).<br />
<br />
At the same time, under the provisions of art. 58 para. (2) of Regulation (EU) 2016/679, the operator was also ordered to take the corrective measure of reviewing and updating the technical and organizational measures implemented as a result of the assessment of the risk to the rights and freedoms of individuals, including the work procedures related to the protection of personal data, as well as carrying out training for the persons authorized to process data on the risks and consequences that the disclosure of personal data implies.<br />
<br />
<br />
<br />
Legal and Communication Department<br />
<br />
A.N.S.P.D.C.P<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=VG_Ansbach_-_AN_14_K_22.00468&diff=30458
VG Ansbach - AN 14 K 22.00468
2023-01-18T14:22:07Z
<p>AK: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Ansbach<br />
|Court_Original_Name=Verwaltungsgericht Ansbach<br />
|Court_English_Name=Administrative Court Ansbach<br />
|Court_With_Country=VG Ansbach (Germany)<br />
<br />
|Case_Number_Name=AN 14 K 22.00468<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=openJur<br />
|Original_Source_Link_1=https://openjur.de/u/2460452.html<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=02.11.2022<br />
|Date_Published=<br />
|Year=2022<br />
<br />
|GDPR_Article_1=Article 2(2) GDPR<br />
|GDPR_Article_Link_1=Article 2 GDPR#2<br />
|GDPR_Article_2=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1f<br />
|GDPR_Article_3=Article 58 GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Julia<br />
|<br />
}}<br />
<br />
The Administrative Court Ansbach held that reporting parking offences with pictures taken by phone to the police is lawful pursuant to [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] and does not constitute a household activity.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller is a cyclist who photographed parking offences and sent the pictures, together with a short description, to the competent police station to report the offences. The case concerned photographs of several vehicles, showing the parking situation and the vehicles' license plates, which the controller sent to the police in September 2021. <br />
<br />
On 28 January 2022, after a prior hearing, the competent DPA (the Bavarian State Office for Data Protection Supervision) issued a reprimand against the controller in accordance with [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. The DPA argued that taking and forwarding pictures of the parking offences constitutes processing of personal data and that the controller had not complied with the GDPR. It claimed that there was no legal basis under Article 6(1) GDPR for the processing, as the controller had neither obtained the consent of the vehicle owners nor had a legitimate interest that would justify the processing. The controller was also required to pay an administrative fee of 100 euros. The controller brought an action to have the DPA's reprimand annulled.<br />
<br />
=== Holding ===<br />
The Administrative Court Ansbach annulled the DPA's decision. It held that the reprimand was unlawful because the controller had not violated any provision of the GDPR, which is a precondition for a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. <br />
<br />
'''Material scope of the GDPR''' <br />
<br />
According to the court, the GDPR applies, since taking pictures of vehicles and forwarding them to the police constitutes the processing of personal data within the meaning of [[Article 2 GDPR#1|Article 2(1) GDPR]] and [[Article 4 GDPR#1|Article 4(1) GDPR]]. A license plate is information that allows the identification of a natural person, even though additional information from the authorities is needed to identify the data subject. Furthermore, the household exemption in [[Article 2 GDPR#2|Article 2(2) GDPR]] does not apply, since the processing leaves the private sphere: the pictures were taken in order to be forwarded to the police, which is not a purely personal activity. <br />
<br />
'''Legal basis of processing'''<br />
<br />
The court held that the controller could rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to process the personal data at stake, as the controller had a legitimate interest in being able to report an offence, which includes submitting photographs to the police. It relied on sentence 9 of Recital 50, which states that "''Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller''." Although the first part of Recital 50 refers to a change of purpose of an existing processing activity, the court held that reporting criminal offences generally constitutes a legitimate interest on which controllers may rely. <br />
<br />
The court further noted that within the scope of the GDPR (and consequently also within the scope of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] and Recital 50 GDPR), the notion of "criminal offence" has to be interpreted autonomously under EU law and does not refer back to the Member States' national classifications. Following the CJEU's criteria (C-439/19), the relevant factors are the legal classification of the infringement in domestic law, the nature of the infringement and the severity of the sanction, the decisive question being whether the sanction pursues a repressive aim rather than merely compensating for damage. Since a German administrative offence is punishable by a fine and its prosecution has a repressive character, the court held that it has to be regarded as a criminal offence within the meaning of the GDPR. For the processing to fall under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], the controller does not have to be personally affected. Furthermore, there is no claim to anonymity in road traffic under German law; rather, the license plate has to be visible at all times (see § 23 StVO). <br />
<br />
The court stated that the controller's information obligations under the GDPR and other rights of the data subjects were not relevant in this case, since the DPA's reprimand addressed only the allegedly unlawful processing of personal data by transmitting the photographs. No other GDPR obligations, rights or violations were at issue.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Rubrum<br />
<br />
Bavarian Administrative Court Ansbach<br />
In the name of the people<br />
In the administrative matter ...<br />
- Plaintiff -<br />
authorized: Lawyers ...<br />
against<br />
Bavarian State Office for Data Protection Supervision, Promenade 18, 91522 Ansbach<br />
- Defendant -<br />
due to data protection law, law of the census, the Bavarian Administrative Court Ansbach, 14th chamber, by the presiding judge at the administrative court Dr. S..., the judge at the administrative court P..., the judge R... and by honorary judge ... honorary judge ..., on the basis of the hearing on November 2, 2022, on November 2, 2022 pronounced the following judgment:<br />
<br />
tenor<br />
1. The defendant's decision of January 28, 2022 is rescinded.<br />
2. The defendant bears the costs of the procedure.<br />
3. The judgment is provisionally enforceable with regard to the costs. The defendant can avert enforcement by providing security or a deposit in the amount of the fixed costs if the plaintiff does not provide security in the same amount before enforcement.<br />
facts<br />
The plaintiff objects to a warning under data protection law. The plaintiff lives in Munich and regularly rides a bicycle. He photographed several vehicles that he rode past and that were illegally parked. He then forwarded the photographs together with reports of administrative offenses by e-mail to the responsible police station, sometimes using a website that provides forms for this and sends them to the responsible authorities after they have been filled out (cf. https://www.w.. ./). At issue are six e-mails with a total of twelve photographs of six illegally parked vehicles, which the plaintiff sent to the responsible police station Munich 15 on September 17 and 20, 2021. Vehicles parked in an absolute no-stopping zone can be seen in the photographs with their license plates; other personal data, such as people or license plates of other vehicles, cannot be seen. Some of the vehicles are parked on the street, some on a sidewalk in such a way that it would no longer be possible to pass on the sidewalk at this point. The texts of the e-mails also contain the license plate number in question, the place and time the photo was taken, and the make and model of the vehicle. Two of the reports refer to the same vehicle on different occasions. In none of the e-mails did the plaintiff explain that he was affected as a road user by the parking violations. With an event report dated September 20, 2021, police inspection 15 (Munich - Sendling) informed criminal department 11 Munich, with the request to examine a violation of the DS-GVO, that the plaintiff was acting as a filer of mass reports in the area of traffic offenses. With a letter dated September 23, 2021 and six corresponding e-mails from the plaintiff, including photographs, the case was then forwarded to the defendant by criminal department 11 Munich for examination. In a decision dated January 28, 2022, the plaintiff was warned, after a prior hearing, because of the data protection violation found. 
The reason given was, among other things, that photographing and forwarding the license plate number constitutes data processing within the meaning of the GDPR, but for which there is no legal basis under Article 6 (1) GDPR, and in particular there is no sufficiently legitimate interest within the meaning of Article 6 Para. 1 lit. f GDPR. Because the power for anyone to file a complaint, which follows from § 158 StPO, only includes the transmission of data that would be needed to initiate investigations, i.e. the crime scene, the license plate number of the vehicle and the identity of witnesses in the case of parking violations. On the other hand, a further power to collect evidence such as the transmission of crime photos is not part of the right to report. Since the plaintiff has neither presented a specific risk of his own nor has a general right to undisturbed use of the traffic area, there is also no legitimate interest in this respect. In addition, there is also a lack of the demanded in Art Necessity of the data ver<br />
reasons<br />
The lawsuit, for which the Bavarian administrative court in Ansbach is responsible (see 1.), is admissible (see 2.) and justified (see 3.). a legal person and a supervisory authority of the federal government or a state over rights according to Article 78 paragraph 1 and 2 of the regulation (EU) 2016/679 (DS-GVO) given the administrative legal process. The competence of the Administrative Court of Ansbach results objectively from § 45 VwGO and locally from § 20 Para. 3 BDSG as a special provision to § 52 VwGO. According to Section 20 (3) BDSG (cf. also Art. 78 (3) GDPR), the administrative court in whose district the supervisory authority is based is responsible for proceedings under Section 20 (1) sentence 1 BDSG - as here . The Ansbach Administrative Court is therefore the factually and locally competent court, since the defendant, as the supervisory authority pursuant to Art. 51 DS-GVO, Section 40 BDSG and Art. 18 Para. 1 Sentence 1, Para. 2 BayDSG, is based in Ansbach and thus in the administrative district Middle Franconia (cf. Art. 1 Para. 2 No. 4 AGVwGO). The warning from the notification of January 28, 2022 is a declaratory administrative act, since, according to its number I, the defendant has determined a more detailed data protection violation by the plaintiff (cf. also VG Hannover, U.v. 27.11.2019 - 10 A 820/19 - juris marginal note 19; VG Mainz, U.v. 17.12.2020 - 1 K 778/19.MZ - juris marginal note 22; Selmayr in Ehmann/Selmayr, DS-GVO, 2nd edition 2018, Article 58 20; Polenz in Simitis/Hornung/Spiecker by Döhmann, DatenschutzR, 1st edition 2019, paragraph 29, 7 on Article 58 GDPR ). The plaintiff's right to sue results from Art. 78 Para. 1 DS-GVO, according to which every natural person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. The plaintiff is therefore authorized to bring an action against the warning given to the defendant in accordance with Art. 
58 DS-GVO of the violation has an incriminating effect on the plaintiff as the addressee of the warning (Körffer in Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, Art. 58 para. 18). timely, been raised. 3. The lawsuit is justified, because the warning of January 28, 2022 is illegal and violates the plaintiff's rights, so that both the warning from paragraph I and its subsequent decisions from paragraphs II to IV of the disputed decision are to be repealed (§ 113 Para. 1 Sentence 1 VwGO).a. The defendant Bavarian State Office for Data Protection Supervision is itself passively legitimate. According to § 20 Para. 5 Sentence 1 No. 2 BDSG, the supervisory authority is directly involved as a defendant lit. There is therefore a special federal regulation vis-à-vis § 78 VwGO due to the independence of the supervisory authority under Union law. b. The warning at issue of January 28, 2022 is illegal GDPR. Accordingly, the supervisory authority responsible under Art. 51 DS-GVO has the power to warn a person responsible if he has violated the DS-GVO with processing operations. Procedural errors in relation to the issuing of the warning are not apparent, in particular the 58(2)(b) GDPR responsible for issuing a warning pursuant to Article 51(1) GDPR and Section 40 BDSG in conjunction with Article 18(1) sentence 1 BayDSG. However, the warning is materially unlawful because the plaintiff has not violated data protection regulations within the meaning of Art. 58 Para. 2 Letter b DS-GVO. 2 letter b DS-GVO, is described in more detail in the justification for the warning in accordance with Section I of the notification of January 28, 2022. The justification for the warning must therefore be used to determine which of the data protection violations is the basis for the warning and which has been identified with it. 
Accordingly, the plaintiff's data protection violation is said to have consisted in the fact that he processed the personal data of the owners of illegally parked vehicles in an inadmissible manner and thus violated Art. 5 Para. 1 Letter a, Art. 6 Para. 1 DS-GVO by taking pictures of illegally parked vehicles and sending them to the responsible police station. The official files consulted by the defendant show six such transmissions of recordings. Consequently, these six cases of the processing of the personal data of the holders and a violation of the data protection regulations of Art. 5 Para. 1 Letter a, Art. 6 Para January 28, 2022 and thus also the present action for rescission. The warning at issue does not indicate that the processing of other personal data than that of the owner of the illegally parked vehicles or other obligations under the GDPR is found to be a data protection violation parked vehicles to the police inspection does not violate data protection law.aa.The scope of the GDPR is open, because the recordings of photographs of illegally parked vehicles taken by the plaintiff and their forwarding to the police inspection represent a processing of personal data of the vehicle owners as data subjects in the sense by Art. 2 Para. 1, Art. 4 No. 1 and No. 2 DS-GVO. License plates are information relating to an identifiable natural person and are therefore personal data within the meaning of Art. 4 No. 1 GDPR. Because it is possible to determine and identify a person, the owner, based on the license plate number, albeit with the help of official information (cf. Gola in Heckmann/Gola, DS-GVO/BDSG, 3rd edition 2022, para 9 to Article 4 paragraph GDPR; Klar/Kuhling in Kühling/Buchner, DS-GVO/BDSG, 3rd edition 2020, paragraph 30 to Article 4 No. 1 GDPR; sign in BeckOK data protection regulation Wolff/Brink, 41st edition, as of August 1, 2022, paragraph 21 on Article 4 GDPR; see also BGH, U.v. 15.5.2018 - VI ZR 233/17 - juris paragraph 21). 
By transmitting the recordings of the illegally parked vehicles to the police, the plaintiff processed this personal data of others within the meaning of Art. 2 Para. 1, Art. 4 No. 2 DS-GVO by recording the personal data and transmitting them to the police inspection .This transmission of license plates to the police is not subject to the so-called "household exception" of Art. 2 Para. 2 Letter c GDPR. According to this, the material scope of the GDPR does not apply if personal data is processed by natural persons exclusively for the purpose of carrying out personal or family activities. However, the data processing leaves the purely private sphere to which the "household exception" refers, even if it only partially extends to the public space, and especially if the purpose of taking the photographs is to pass them on (cf. ECJ , U.v. 11.12.2014 - C-212/13 - juris para. 35). As can be seen from the photographs, the plaintiff only took pictures in the public traffic area in order to forward them to the police inspection for the prosecution of the offenses depicted on them. As a result, the recordings have not been processed exclusively as part of the plaintiff's personal or family activities. According to Article 5 (1) (a) GDPR, the plaintiff's processing of personal data must be lawful, with the processing only then is lawful if at least one of the conditions of Art. 6 Para. 1 DS-GVO is fulfilled. (1) The disputed data processing by the plaintiff was lawful according to Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. Processing is lawful in accordance with Art. 6 Para. 1 Sentence 1 Letter f DS-GVO if it is necessary to protect the legitimate interests of the person responsible or a third party, provided that the interests or fundamental rights and freedoms of the data subject do not affect the protection of personal data require, outweigh. 
In the present case, there is such a legitimate interest of the plaintiff as the person responsible (see (a)), the data processing was to protect this interest also required (see (b)) and no overriding interests of the persons concerned have become apparent (see (c)).(a) The plaintiff has a legitimate interest in being able to report an administrative offense to the police by submitting a photograph .The concept of the legitimate interest of the person responsible within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO is to be understood broadly (cf. Frenzel in Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, para. 28 to Art. 6 DS-GVO, with reference to recital 47 p. 2, 6, 7 DS-GVO). Therefore, legal, factual, economic or non-material interests can be included in the concept of legitimate interest (cf. Buchner/Petri in Kühling/Buchner, DS-GVO/BDSG, 3rd edition 2020, para. 146a to Art. 6 DS-GVO ). The recitals to the DS-GVO provide clues for understanding the concept of legitimate interest within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. The recitals of the DS-GVO are not independent legal norms with a regulatory character, but describe the objective pursued by the legislator with the adoption of the DS-GVO. Therefore, the recitals of the DS-GVO are decisive for the interpretation of the provisions of Union law, because the general legal ideas underlying the DS-GVO can be found in the recitals. In the present case, recitals 47 et seq. provide indications with regard to when the legality of processing personal data can be assumed due to a legitimate interest of the person responsible. 
According to recital 50 sentence 9 of the DS-GVO, there is a legitimate interest in data processing if the information from the person responsible about possible criminal offenses or threats to public security and the transmission of the relevant personal data in individual cases or in several cases in connection with the same criminal offense or the same threat to public security, is transmitted to a competent authority. In contrast to recital 50 sentence 1 or sentence 8, recital 50 sentence 9, in terms of its content, does not solely refer to previously granted consent to the data processing and a change in the purpose of this processing that has now taken place. Because then the prerequisite for a legitimate interest in data processing for criminal prosecution would be that the data must always have been previously collected for a different purpose. Processing the collected data for direct reporting would then never be justified. Such a limitation of the admissibility of data processing to provide information in the field of criminal prosecution does not correspond to the broad concept of legitimate interest and would also be absurd. Even if the defendant's view were to assume that sentence 9 of recital 50 of the DS-GVO would only relate directly to change of purpose constellations, the general legal idea could at least be derived from it that data processing that is necessary to give competent authorities information about criminal offenses that have been committed should be considered a legitimate interest of the person responsible. From sentence 9 of recital 50 of the DS-GVO it follows that it can be understood as a legitimate interest of the person responsible in data processing within the scope of the DS-GVO if the data processing serves to inform the competent authorities of a possible criminal offense. 
The concept of criminal offenses 1 sentence 1 letter f DS-GVO and recital 50 sentence 9 of the DS-GVO, is to be interpreted autonomously according to Union law (cf. Bäcker in BeckOK data protection law, Wolff/Brink, 41st ed., as of November 1st, 2021, para. 25 f. to Art. 2 DS-GVO). There is no reference to the terms "offences" used in the GDPR to those under national legal systems (cf. ECJ, U.v. 22.6.2021 - C-439/19 - juris para. 82). Unlike the understanding in German law, the concept of criminal offenses under Union law also includes such facts which would result in an administrative offense within the meaning of German law. According to the case law of the European Court of Justice, the following criteria are decisive for the assessment of the criminal character of infringements: the legal classification of the infringement in domestic law, the type of infringement and the severity of the sanction threatened against the person concerned (cf. ECJ, U.v. 22.6.2021 - C-439/19 - juris para. 87 to Art. 10 GDPR). Violations that are not designated as "criminal" in domestic law can also have such a character from the nature of the violation and the severity of the sanctions threatened against the person concerned (cf. ECJ, loc.cit., para. 88). With regard to the nature of the infringement, what is decisive is whether the sanction in question resulting from the infringement has, inter alia, a repressive aim. A measure that is only intended to compensate for the damage caused by the infringement, on the other hand, is not of a criminal nature (cf. ECJ, U.v. 22.6.2021 - C-439/19 - juris para. 89). Accordingly, the administrative offenses of German law are to be regarded as criminal offenses in the context of Union law of the DS-GVO, since the commission of an administrative offense is punishable by a fine (cf. § 1 para. 1 OWiG) and the prosecution of an administrative offense has a repressive character (§ 17 OWiG and § 46 para. 
1 OWiG; Mitsch in Karlsruhe commentary on the OWiG, 5th edition 2018, § 17 marginal number 8; cf. also BVerfG, Bv Administrative offenses by the police). If the transmission of personal data to a police inspection as the competent authority within the meaning of recital 50 of the GDPR serves to indicate an administrative offense committed, there is consequently a legitimate interest in the data processing, which in principle can justify the processing of personal data within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. A personal concern of the complainant is not required for the existence of a legitimate interest. The question of whether an unlimited transmission of data to the police inspection departments is possible on the basis of this understanding is not relevant in the present case. The defendant accuses the plaintiff of having sent recordings to the police inspection in six cases. It has not become apparent that the plaintiff processed personal data in an abusive manner. Even the small number of reprimanded transmissions does not suggest data processing on an unlimited scale. It was therefore not possible to decide here whether the fundamentally existing legitimate interest in cases in which masses of personal data are transmitted to report administrative offenses could be omitted due to abuse of rights. Whether the violations of regulatory provisions reported by the plaintiff with the transmission of the personal data are actually prosecuted is ultimately decided by the police as the prosecuting authority in accordance with the principle of opportunity applicable in the law on administrative offenses, exercising their due discretion (§ 47 para. 1 sentence 1 OWiG). 
Even if other data protection violations than the processing of personal data of the owners of illegally parked vehicles have not become part of the warning at issue here, it is conceivable that when such photographs are taken, data protection violations occur, for example by photographing other people or license plates of uninvolved vehicles, since there should be no legitimate interest in such processing within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. In this respect, the principle of data minimization (Art. 5 Para. 1 Sentence 1 Letter c DS-GVO) is also required when transmitting recordings of vehicles parked in violation of the prohibition the roadway is partially blocked and thus narrowed, at least the abstract risk of an accident for other road users such as the plaintiff is increased. Therefore, due to the broad understanding of the concept of legitimate interest, such an interest also arises here from the plaintiff's fundamental rights to physical integrity and security from Art. 3 Para. 1, Art. 6 Var. 2 GRCh. (b) Furthermore, the legality of data processing within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO requires that this is also necessary to protect the legitimate interests of the plaintiff as the person responsible. Data processing must be necessary for the specific processing purpose in such a way that the legitimate interests of the person responsible cannot be realized to the same extent in a reasonable manner by other means (cf. recital 39 p. 9 DS-GVO, Lehr/Becker, ZD 2022, 370 m.w.N.). Reports of illegally parked vehicles at a police station cannot be carried out to the same extent by an oral or written description of the circumstances - for example by naming the license plate number of the vehicle, the location and possible witnesses cited by the defendant. 
A description of the circumstances is not suitable to the same extent as a picture to bring about a punishment of the offense: Because a photograph usually objectively reflects the actual circumstances of the violation, namely the illegally parked vehicle including license plate and the situation from which the person responsible for reporting the offense concludes that an administrative offense has been committed. This makes it easier for the police inspectorates to exercise their discretion regarding the prosecution of administrative offenses compared to a description of an administrative offense that has usually been subjective could not be revealed to the court, at least insofar as the same personal data (license plate number and location data of the vehicles concerned) are to be transmitted. Insofar as, in the defendant's opinion, "more" accompanying information regarding the vehicle (e.g. the general condition of the vehicle) would be transmitted by a photograph, it is questionable to what extent this can be personal data (and only this is relevant in the context of the determination of the necessity according to Art. 6 Para. 1 Sentence 1 Letter f DS-GVO), and on the other hand, a lot of accompanying information can also be contained in a written report. Also the argument that a photograph represents "more" because evidence would (only) be collected as a result, which is the task of the prosecution authorities, is not convincing, since an object of inspection and a witness are also generated as evidence by sending an e-mail without a photo and by naming the complainant himself. Therefore, when administrative offenses are reported, even without a photo, evidence is likely to arise that could be used in the subsequent proceedings. (c) Finally, there are no interests of the data subjects that conflict with data processing within the meaning of Art. 6 Para. 
1 Sentence 1 Letter f GDPR (see (aa)), which could outweigh the plaintiff's interest in processing the data (see (bb)). The controversial question of the burden of presentation and burden of proof for the preponderance of conflicting interests (cf. Lehr/Becker, ZD 2022, 370 (375), with further citations) can remain open, since both parties have submitted extensive statements on this and no questions that would have to be decided according to the principles of the burden of proof have remained open. (aa) The person concerned within the meaning of Article 6 Paragraph 1 Clause 1 Letter f DS-GVO in conjunction with Article 4 No. 1 DS-GVO is the respective owner of the photographed vehicle. The vehicle owner does not necessarily have to be identical to the driver, because only the owner can ultimately be identified. As a conflicting interest of the vehicle owner, the right to protection of the personal data concerning them according to Art. 8 Para. 1 GRCh or Art. 16 Para. 1 TFEU comes into consideration. The vehicle owners concerned may also have an interest in remaining anonymous on the road. Finally, the vehicle owner also has an interest in not being prosecuted for committing an administrative offense due to the violation documented by the person responsible. In this respect, it is not a matter of data subjects within the meaning of Article 6 Paragraph 1 Clause 1 Letter f GDPR in conjunction with Article 4 No. 1 GDPR. The inclusion of conflicting interests other than those of the persons concerned does not result from the provision of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. In addition, it should be pointed out again that it is ultimately up to the prosecuting authorities to decide which of the administrative offenses reported under the processing of personal data are to be prosecuted (§ 47 Para. 1 Sentence 1 OWiG). 
(bb) The weighing of the legitimate interests of the plaintiff and the opposing interests of the vehicle owners as data subjects does not lead to the interests of the vehicle owners prevailing. Rather, the interests of the plaintiff weigh more heavily, whereas the interests of the data subjects are of comparatively little weight. With regard to the right of the data subjects to protection of their personal data according to Art. 8 para. 1 GRCh or Art. 16 para. 1 TFEU, the legislator has standardized the lawfulness of the processing of personal data as a restriction of this right by creating the various legal bases of Art. 6 Para. 1 Sentence 1 Letter b to f DS-GVO. Therefore, an encroachment on this right is justified if one of the conditions of Art. 6 Para. 1 DS-GVO is met. Within the meaning of recital 47 sentence 4 of the DS-GVO, the interests and fundamental rights of the data subject can outweigh the interests of the person responsible, when personal data is processed in situations where an individual should not reasonably expect further processing. This is not the case here, since the persons concerned must and can expect that their data will be processed for the purpose of prosecuting an administrative offense. There is no right to anonymity in road traffic, rather the license plate number of a vehicle must always be legible (cf. § 23 para. 1 sentence 3 StVO) and therefore publicly accessible (cf. BVerwG, U.v. 22.10.2014 - 6 C 7/13 - juris para. 24). A vehicle owner must expect that a parking violation committed with his vehicle will be documented and reported. The fact that such a report can be made not only by the prosecuting authorities but also by private individuals results from Section 46 OWiG in conjunction with Section 158 (1) StPO. 
If the documentation of the illegally parked vehicle does not lead to the processing of additional personal data from bystanders, a difference between a written notification and the transmission of the vehicle owner's personal data by sending a photograph is not recognizable. Protection of personal data through the transmission of photographs showing the vehicle registration number and the situation of the parking violation can be considered as minimal as possible. License plates have only little information content, precisely because a data-processing private individual, such as the plaintiff, would only be able to determine the identity of the vehicle owner after querying the vehicle register (cf. BVerwG, U.v. 22.10.2014 - 6 C 7/13 - juris paras. 23, 25). Finally, the interest of the persons concerned in not being prosecuted for committing an administrative offense must also take a back seat, since this is based on illegal behavior and is therefore not an interest worthy of protection. Overall, the interests of the vehicle owners that conflict with the data processing are therefore to be classified as of minor importance. In contrast, the plaintiff's legitimate interests in the processing of the personal data are to be given greater weight. The plaintiff's interest in reporting an administrative offense on the basis of the processing of personal data is to be given some weight because this legitimate interest is explicitly stated in a recital of the GDPR (recital 50 sentence 9 of the GDPR). In addition, the plaintiff's interest in physical integrity and safety, as described above, also has some weight, since on the one hand these are high-ranking legal interests, but on the other hand there was no specific danger to the plaintiff in the parking violations reported here. 
The weighing of the mutual interests therefore shows that the interests of the plaintiff as the person responsible for the data processing in the case at issue here outweigh those of the data subjects, so that the requirements of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO were given. Accordingly, the processing of the personal data by the plaintiff was lawful within the meaning of Art. 5 Para. 1 Sentence 1 Letter a, Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. Whether in the present case it corresponded to a dutiful exercise of discretion, the plaintiff because of a single-digit number of reports - in which he also carefully made sure not to process any data of uninvolved third parties, among other things by blacking out - not in the Informally pointing out the alleged illegality of the data processing in the sense of a "conclusion without action", but taking a remedial measure according to Art. 58 Para remain. (2) Whether there are information obligations (Art. 13, Art. 14 DS-GVO) or a right to object (Art. 21 DS-GVO) due to the data processing, it does not apply in this case. In the warning at issue, the defendant only complained about the processing of personal data through the transmission of photographs of the wrongly parked vehicles; other data protection obligations or violations of the DS-GVO were not determined in the warning. The warning issued by the defendant due to a violation of Art January 28, 2022 is therefore illegal. d. The plaintiff's rights have been violated as a result (§ 113 Para. 1 Sentence 1 VwGO). Because at least the plaintiff is warned by the official complaint of a violation of data protection law against continuing to use personal data in the future to process the transmission of photographs. The fact that the plaintiff's behavior constitutes a violation is expressly stated in the warning at issue. 
This finding is intended to indirectly prevent the plaintiff from making further recordings of illegally parked vehicles and submitting them to police inspections. Outflow of the general right of personality from Article 2 Paragraph 1 in conjunction with Article 1 Paragraph 1 GG (cf. Goers in BeckOK StPO with RiStBV and MiStra, 45th ed. Status: October 1st, 2022, Article 158 marginal number 8). If the plaintiff is warned by the defendant state office if he makes use of the opportunity granted to report an administrative offense, this accordingly represents an inadmissible restriction of the plaintiff's rights and thus a violation of the law within the meaning of Section 113 (1) sentence 1 VwGO. In addition, the plaintiff is restricted by the statement underlying the warning and incriminating him at least in his general freedom of action resulting from Art. 2 Para. 1 GG. e. Due to the illegality of the warning as a basic order within the meaning of Art. 16 Para the follow-up decisions from numbers 2 to 4 of the disputed decision of the defendant of January 28, 2022, i.e. the cost decision in number 2 based on Article 19 (6) sentence 1 BayDSG in conjunction with Article 1 and Article 2 BayKG, the determination of the fee in the amount of EUR 100.00 according to Art. 6 Para. 1 Sentence 2 and 3, Para. 2 KG in Section 3 and the statement on the expenses in Section 4, were also illegal. The alternative request for evidence made by the plaintiff's representative in the oral hearing on November 2, 2022 is a conditional request for evidence, which could no longer be decided due to the plaintiff's victory. The statement on the provisional enforceability is based on § 167 paragraph 2, paragraph 1 sentence 1 VwGO in conjunction with § 708 No. 11, § 711 ZPO. Resolution: The amount in dispute is set at EUR 5,000.00. 
Reasons: According to § 52 paragraph 1 GKG, the value in dispute is to be determined at the court's discretion according to the importance of the matter for the plaintiff resulting from the plaintiff's application. In the absence of further indications, the value in dispute was to be set at EUR 5,000.00 in accordance with Section 52 (2) GKG; in particular, the plaintiff's representative also stated in a letter dated February 28, 2022 that there were no concerns in this regard.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=VG_Ansbach_-_AN_14_K_22.00468&diff=30457
VG Ansbach - AN 14 K 22.00468
2023-01-18T14:20:30Z
<p>AK: /* Facts */</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Germany<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=VG Ansbach<br />
|Court_Original_Name=Verwaltungsgericht Ansbach<br />
|Court_English_Name=Administrative Court Ansbach<br />
|Court_With_Country=VG Ansbach (Germany)<br />
<br />
|Case_Number_Name=AN 14 K 22.00468<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=openJur<br />
|Original_Source_Link_1=https://openjur.de/u/2460452.html<br />
|Original_Source_Language_1=German<br />
|Original_Source_Language__Code_1=DE<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=02.11.2022<br />
|Date_Published=<br />
|Year=2022<br />
<br />
|GDPR_Article_1=Article 2(2) GDPR<br />
|GDPR_Article_Link_1=Article 2 GDPR#2<br />
|GDPR_Article_2=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1f<br />
|GDPR_Article_3=Article 58 GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Julia<br />
|<br />
}}<br />
<br />
The Administrative Court Ansbach held that reporting parking offences with pictures taken by phone to the police is lawful pursuant to [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] and does not constitute a household activity.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data controller is a cyclist who took pictures of parking offences and, together with a short description, sent them to the police authority in charge to report the offences. The case at hand concerned photographs taken in June 2020 of various vehicles that showed the parking situation and the vehicles' license plates. <br />
<br />
In June 2021, the competent DPA issued a reprimand against the controller in accordance with [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. The DPA argued that taking and forwarding pictures of the parking offences constitutes processing of personal data and that the controller did not fulfil their duties under the GDPR. The authority claimed that there was no legitimate legal basis under Article 6(1) GDPR for the processing, as the controller neither obtained the consent of the vehicle owners nor had a legitimate interest that would justify the processing. The controller was requested to pay an administrative fee of 100 euros. The data controller requested the annulment of the DPA's reprimand.<br />
<br />
=== Holding ===<br />
The Administrative Court Ansbach overturned the DPA's decision. It held that the reprimand issued by the DPA is unlawful because the claimant did not violate any provisions of the GDPR, which is a condition for a reprimand pursuant to [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. <br />
<br />
'''Material scope of the GDPR''' <br />
<br />
According to the court, the GDPR applies in the case at hand since taking pictures of vehicles and forwarding them to the police constitutes the processing of personal data in accordance with [[Article 2 GDPR#1|Article 2(1) GDPR]] and [[Article 4 GDPR#1|Article 4(1) GDPR]]. A license plate is information that allows the identification of a natural person, even though additional information from the authorities is necessary to identify the data subject. Furthermore, the household exemption laid down in [[Article 2 GDPR#2|Article 2(2) GDPR]] is not applicable since the processing of personal data leaves the private sphere. The pictures taken were intended to be forwarded to the police, which is not a purely personal activity. <br />
<br />
'''Legal basis of processing'''<br />
<br />
The court states that the controller could rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to process the personal data at stake, as the controller had a legitimate interest in being able to report an offence, which includes the submission of photographs to the police. The reference point for this finding is Recital 50, which states that "''Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller''." Although the first part of Recital 50 refers to a change of purpose in the processing activity, the court held that the reporting of criminal offences generally constituted a legitimate interest on which controllers may rely. <br />
<br />
The court further noted that within the scope of the GDPR (consequently, also within the scope of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] and Recital 50 GDPR), the notion of "criminal offences" has to be interpreted autonomously under EU law. In accordance with the common legal tradition of the Member States, the notion "criminal offence" is not defined quantitatively (in terms of the severity of the sanction imposed), but qualitatively (in terms of the form of the imposed legal consequences). Since the commission of an administrative offence is punishable by a fine and the prosecution of an administrative offence has a "repressive character" under German law, the court held that a German administrative offence has to be regarded as a criminal act within the GDPR. For the processing to be in accordance with [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]], the data controller does not have to be personally affected. Furthermore, a claim to anonymity within road traffic does not exist under German law; rather, the license plate has to be visible at all times (see § 23 StVO). <br />
<br />
The court stated that the controller's information requirements under the GDPR and other rights of the data subjects were not relevant in this case since the reprimand of the DPA only addressed allegedly illegal processing of the personal data by the transmission of the photographs. No other data protection obligations, rights or violations of the GDPR were touched upon.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the German original. Please refer to the German original for more details.<br />
<br />
<pre><br />
Rubrum<br />
<br />
Bavarian Administrative Court Ansbach<br />
In the name of the people<br />
In the administrative matter...<br />
- Plaintiff -<br />
authorized: Lawyers...<br />
against<br />
Bavarian State Office for Data Protection Supervision<br />
Promenade 18, 91522 Ansbach<br />
- Defendant -<br />
due to data protection law, law of the census, the Bavarian Administrative Court Ansbach, 14th chamber, by the presiding judge at the administrative court Dr. S..., the judge at the administrative court P..., the judge R... and by honorary judge... honorary judge... on the basis of the hearing on November 2, 2022, on November 2, 2022 the following judgment:<br />
<br />
tenor<br />
1. The defendant's decision of January 28, 2022 is rescinded.<br />
2. The defendant bears the costs of the procedure.<br />
3. The judgment is provisionally enforceable with regard to the costs. The defendant can avert enforcement by providing security or a deposit in the amount of the fixed costs if the plaintiff does not provide security in the same amount before enforcement.<br />
facts<br />
The plaintiff objects to a warning under data protection law. The plaintiff lives in Munich and regularly rides a bicycle. He photographed several vehicles that he drove past and that were illegally parked. He then forwarded the photographs together with reports of administrative offenses by email to the responsible police station, sometimes using a website that provides forms for this and sends them to the responsible authorities after they have been filled out (cf. https://www.w.. ./). At issue are six e-mails with a total of twelve photographs of six illegal parkers, which the plaintiff sent to the responsible Munich 15 police station on September 17 and 20, 2021. Vehicles that are parked in the absolute no-stopping zone can be seen in the photographs with their license plates; other personal data, such as people or license plates of other vehicles, cannot be seen. Some of the vehicles are parked on the street, some on a sidewalk in such a way that it would no longer be possible to pass on the sidewalk at this point. The texts of the e-mails also contain the license plate number in question, as well as the place and time the photo was taken, and the make and model of the vehicle. Two of the reports refer to the same vehicle on different occasions. In none of the e-mails did the plaintiff explain that he was affected as a road user due to the parking violations. With an event report dated September 20, 2021, police inspection 15 (Munich - Sendling) informed the criminal department 11 Munich with the request to examine a violation of the DS-GVO that the plaintiff is acting as a filer of mass reports in the area of traffic offenses. With a letter dated September 23, 2021 and six corresponding e-mails from the plaintiff, including photographs, the case was then forwarded to the defendant by Criminal Division 11 Munich for examination. In a decision dated January 28, 2022, the plaintiff was warned after a prior hearing because of the data protection violation found. 
The reason given was, among other things, that photographing and forwarding the license plate number constitutes data processing within the meaning of the GDPR, but for which there is no legal basis under Article 6 (1) GDPR, and in particular there is no sufficiently legitimate interest within the meaning of Article 6 Para. 1 lit. f GDPR. Because the power for anyone to file a complaint, which follows from § 158 StPO, only includes the transmission of data that would be needed to initiate investigations, i.e. the crime scene, the license plate number of the vehicle and the identity of witnesses in the case of parking violations. On the other hand, a further power to collect evidence such as the transmission of crime photos is not part of the right to report. Since the plaintiff has neither presented a specific risk of his own nor has a general right to undisturbed use of the traffic area, there is also no legitimate interest in this respect. In addition, there is also a lack of the demanded in Art Necessity of the data ver<br />
reasons<br />
The lawsuit, for which the Bavarian administrative court in Ansbach is responsible (see 1.), is admissible (see 2.) and justified (see 3.). a legal person and a supervisory authority of the federal government or a state over rights according to Article 78 paragraph 1 and 2 of the regulation (EU) 2016/679 (DS-GVO) given the administrative legal process. The competence of the Administrative Court of Ansbach results objectively from § 45 VwGO and locally from § 20 Para. 3 BDSG as a special provision to § 52 VwGO. According to Section 20 (3) BDSG (cf. also Art. 78 (3) GDPR), the administrative court in whose district the supervisory authority is based is responsible for proceedings under Section 20 (1) sentence 1 BDSG - as here . The Ansbach Administrative Court is therefore the factually and locally competent court, since the defendant, as the supervisory authority pursuant to Art. 51 DS-GVO, Section 40 BDSG and Art. 18 Para. 1 Sentence 1, Para. 2 BayDSG, is based in Ansbach and thus in the administrative district Middle Franconia (cf. Art. 1 Para. 2 No. 4 AGVwGO). The warning from the notification of January 28, 2022 is a declaratory administrative act, since, according to its number I, the defendant has determined a more detailed data protection violation by the plaintiff (cf. also VG Hannover, U.v. 27.11.2019 - 10 A 820/19 - juris marginal note 19; VG Mainz, U.v. 17.12.2020 - 1 K 778/19.MZ - juris marginal note 22; Selmayr in Ehmann/Selmayr, DS-GVO, 2nd edition 2018, Article 58 20; Polenz in Simitis/Hornung/Spiecker by Döhmann, DatenschutzR, 1st edition 2019, paragraph 29, 7 on Article 58 GDPR ). The plaintiff's right to sue results from Art. 78 Para. 1 DS-GVO, according to which every natural person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. The plaintiff is therefore authorized to bring an action against the warning given to the defendant in accordance with Art. 
58 DS-GVO of the violation has an incriminating effect on the plaintiff as the addressee of the warning (Körffer in Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, Art. 58 para. 18). timely, been raised. 3. The lawsuit is justified, because the warning of January 28, 2022 is illegal and violates the plaintiff's rights, so that both the warning from paragraph I and its subsequent decisions from paragraphs II to IV of the disputed decision are to be repealed (§ 113 Para. 1 Sentence 1 VwGO). a. The defendant Bavarian State Office for Data Protection Supervision is itself passively legitimate. According to § 20 Para. 5 Sentence 1 No. 2 BDSG, the supervisory authority is directly involved as a defendant lit. There is therefore a special federal regulation vis-à-vis § 78 VwGO due to the independence of the supervisory authority under Union law. b. The warning at issue of January 28, 2022 is illegal GDPR. Accordingly, the supervisory authority responsible under Art. 51 DS-GVO has the power to warn a person responsible if he has violated the DS-GVO with processing operations. Procedural errors in relation to the issuing of the warning are not apparent, in particular the 58(2)(b) GDPR responsible for issuing a warning pursuant to Article 51(1) GDPR and Section 40 BDSG in conjunction with Article 18(1) sentence 1 BayDSG. However, the warning is materially unlawful because the plaintiff has not violated data protection regulations within the meaning of Art. 58 Para. 2 Letter b DS-GVO. 2 letter b DS-GVO, is described in more detail in the justification for the warning in accordance with Section I of the notification of January 28, 2022. The justification for the warning must therefore be used to determine which of the data protection violations is the basis for the warning and which has been identified with it. 
Accordingly, the plaintiff's data protection violation is said to have consisted in the fact that he processed the personal data of the owners of illegally parked vehicles in an inadmissible manner and thus violated Art. 5 Para. 1 Letter a, Art. 6 Para. 1 DS-GVO by taking pictures of illegally parked vehicles and sending them to the responsible police station. The official files consulted by the defendant show six such transmissions of recordings. Consequently, these six cases of the processing of the personal data of the holders and a violation of the data protection regulations of Art. 5 Para. 1 Letter a, Art. 6 Para January 28, 2022 and thus also the present action for rescission. The warning at issue does not indicate that the processing of other personal data than that of the owner of the illegally parked vehicles or other obligations under the GDPR is found to be a data protection violation parked vehicles to the police inspection does not violate data protection law. aa. The scope of the GDPR is open, because the recordings of photographs of illegally parked vehicles taken by the plaintiff and their forwarding to the police inspection represent a processing of personal data of the vehicle owners as data subjects within the meaning of Art. 2 Para. 1, Art. 4 No. 1 and No. 2 DS-GVO. License plates are information relating to an identifiable natural person and are therefore personal data within the meaning of Art. 4 No. 1 GDPR. Because it is possible to determine and identify a person, the owner, based on the license plate number, albeit with the help of official information (cf. Gola in Heckmann/Gola, DS-GVO/BDSG, 3rd edition 2022, para 9 to Article 4 paragraph GDPR; Klar/Kühling in Kühling/Buchner, DS-GVO/BDSG, 3rd edition 2020, paragraph 30 to Article 4 No. 1 GDPR; sign in BeckOK data protection regulation Wolff/Brink, 41st edition, as of August 1, 2022, paragraph 21 on Article 4 GDPR; see also BGH, U.v. 15.5.2018 - VI ZR 233/17 - juris paragraph 21). 
By transmitting the recordings of the illegally parked vehicles to the police, the plaintiff processed this personal data of others within the meaning of Art. 2 Para. 1, Art. 4 No. 2 DS-GVO by recording the personal data and transmitting them to the police inspection. This transmission of license plates to the police is not subject to the so-called "household exception" of Art. 2 Para. 2 Letter c GDPR. According to this, the material scope of the GDPR does not apply if personal data is processed by natural persons exclusively for the purpose of carrying out personal or family activities. However, the data processing leaves the purely private sphere to which the "household exception" refers, even if it only partially extends to the public space, and especially if the purpose of taking the photographs is to pass them on (cf. ECJ, U.v. 11.12.2014 - C-212/13 - juris para. 35). As can be seen from the photographs, the plaintiff only took pictures in the public traffic area in order to forward them to the police inspection for the prosecution of the offenses depicted on them. As a result, the recordings have not been processed exclusively as part of the plaintiff's personal or family activities. According to Article 5 (1) (a) GDPR, the plaintiff's processing of personal data must be lawful, the processing being lawful only if at least one of the conditions of Art. 6 Para. 1 DS-GVO is fulfilled. (1) The disputed data processing by the plaintiff was lawful according to Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. Processing is lawful in accordance with Art. 6 Para. 1 Sentence 1 Letter f DS-GVO if it is necessary to protect the legitimate interests of the person responsible or a third party, provided that the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not outweigh them. 
In the present case, there is such a legitimate interest of the plaintiff as the person responsible (see (a)), the data processing was also required to protect this interest (see (b)) and no overriding interests of the persons concerned have become apparent (see (c)). (a) The plaintiff has a legitimate interest in being able to report an administrative offense to the police by submitting a photograph. The concept of the legitimate interest of the person responsible within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO is to be understood broadly (cf. Frenzel in Paal/Pauly, DS-GVO/BDSG, 3rd edition 2021, para. 28 to Art. 6 DS-GVO, with reference to recital 47 p. 2, 6, 7 DS-GVO). Therefore, legal, factual, economic or non-material interests can be included in the concept of legitimate interest (cf. Buchner/Petri in Kühling/Buchner, DS-GVO/BDSG, 3rd edition 2020, para. 146a to Art. 6 DS-GVO). The recitals to the DS-GVO provide clues for understanding the concept of legitimate interest within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. The recitals of the DS-GVO are not independent legal norms with a regulatory character, but describe the objective pursued by the legislator with the adoption of the DS-GVO. Therefore, the recitals of the DS-GVO are decisive for the interpretation of the provisions of Union law, because the general legal ideas underlying the DS-GVO can be found in the recitals. In the present case, recitals 47 et seq. provide indications with regard to when the legality of processing personal data can be assumed due to a legitimate interest of the person responsible. 
According to recital 50 sentence 9 of the DS-GVO, there is a legitimate interest in data processing if the information from the person responsible about possible criminal offenses or threats to public security and the transmission of the relevant personal data in individual cases or in several cases in connection with the same criminal offense or the same threat to public security, is transmitted to a competent authority. In contrast to recital 50 sentence 1 or sentence 8, recital 50 sentence 9, in terms of its content, does not solely refer to previously granted consent to the data processing and a change in the purpose of this processing that has now taken place. Because then the prerequisite for a legitimate interest in data processing for criminal prosecution would be that the data must always have been previously collected for a different purpose. Processing the collected data for direct reporting would then never be justified. Such a limitation of the admissibility of data processing to provide information in the field of criminal prosecution does not correspond to the broad concept of legitimate interest and would also be absurd. Even if the defendant's view were to assume that sentence 9 of recital 50 of the DS-GVO would only relate directly to change of purpose constellations, the general legal idea could at least be derived from it that data processing that is necessary to give competent authorities information about criminal offenses that have been committed should be considered a legitimate interest of the person responsible. It follows from sentence 9 of recital 50 of the DS-GVO that it can be understood as a legitimate interest of the person responsible in data processing within the scope of the DS-GVO if the data processing serves to inform the competent authorities of a possible criminal offense. 
The concept of criminal offenses 1 sentence 1 letter f DS-GVO and recital 50 sentence 9 of the DS-GVO, is to be interpreted autonomously according to Union law (cf. Bäcker in BeckOK data protection law, Wolff/Brink, 41st ed., as of November 1st, 2021, para. 25 f. to Art. 2 DS-GVO). There is no reference to the terms "offences" used in the GDPR to those under national legal systems (cf. ECJ, U.v. 22.6.2021 - C-439/19 - juris para. 82). Unlike the understanding in German law, the concept of criminal offenses under Union law also includes such facts which would result in an administrative offense within the meaning of German law. According to the case law of the European Court of Justice, the following criteria are decisive for the assessment of the criminal character of infringements: the legal classification of the infringement in domestic law, the type of infringement and the severity of the sanction faced by the person concerned (cf. ECJ, U.v. 22.6.2021 - C-439/19 - juris para. 87 to Art. 10 GDPR). Violations that are not designated as "criminal" in domestic law can also have such a character from the nature of the violation and the severity of the sanctions faced by the person concerned (cf. ECJ, loc.cit., para. 88). With regard to the nature of the infringement, what is decisive is whether the sanction in question resulting from the infringement has, inter alia, a repressive aim. A measure that is only intended to compensate for the damage caused by the infringement, on the other hand, is not of a criminal nature (cf. ECJ, U.v. 22.6.2021 - C-439/19 - juris para. 89). Accordingly, the administrative offenses of German law are to be classified as criminal offenses in the context of Union law of the DS-GVO, since the commission of an administrative offense is punishable by a fine (cf. § 1 para. 1 OWiG) and the prosecution of an administrative offense has a repressive character (§ 17 OWiG and § 46 para. 
1 OWiG; Mitsch in Karlsruhe commentary on the OWiG, 5th edition 2018, § 17 marginal number 8; cf. also BVerfG, Bv Administrative offenses by the police). If the transmission of personal data to a police inspection as the competent authority within the meaning of recital 50 of the GDPR serves to indicate an administrative offense committed, there is consequently a legitimate interest in the data processing, which in principle can justify the processing of personal data within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. A personal concern of the complainant is not required for the existence of a legitimate interest. The question of whether an unlimited transmission of data to the police inspection departments is possible on the basis of this understanding is not relevant in the present case. The defendant accuses the plaintiff of having sent recordings to the police inspection in six cases. It has not become apparent that the plaintiff processed personal data in an abusive manner. Even the small number of reprimanded transmissions does not suggest data processing on an unlimited scale. It was therefore not possible to decide here whether the fundamentally existing legitimate interest in cases in which masses of personal data are transmitted to report administrative offenses could be omitted due to abuse of rights. Whether the violations of regulatory provisions reported by the plaintiff with the transmission of the personal data are actually prosecuted is ultimately decided by the police as the prosecuting authority in accordance with the principle of opportunity applicable in the law on administrative offenses, exercising their due discretion (§ 47 para. 1 sentence 1 OWiG). 
Even if other data protection violations than the processing of personal data of the owners of illegally parked vehicles have not become part of the warning at issue here, it is conceivable that when such photographs are taken, data protection violations may occur, for example by photographing other people or license plates of uninvolved vehicles, since there should be no legitimate interest in the processing within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. In this respect, the principle of data minimization (Art. 5 Para. 1 Sentence 1 Letter c DS-GVO) is also required when transmitting recordings of vehicles parked in violation of the prohibition the roadway is partially blocked and thus narrowed, at least the abstract risk of an accident for other road users such as the plaintiff is increased. Therefore, due to the broad understanding of the concept of legitimate interest, such an interest also arises here from the plaintiff's fundamental rights to physical integrity and security from Art. 3 Para. 1, Art. 6 Var. 2 GRCh. (b) Furthermore, the legality of data processing within the meaning of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO requires that this is also necessary to protect the legitimate interests of the plaintiff as the person responsible. Data processing must be necessary for the specific processing purpose in such a way that the legitimate interests of the person responsible cannot be realized to the same extent in a reasonable manner by other means (cf. recital 39 p. 9 DS-GVO, Lehr/Becker, ZD 2022, 370 m.w.N.). Reports of illegally parked vehicles at a police station cannot be carried out to the same extent by an oral or written description of the circumstances - for example by naming the license plate number of the vehicle, the location and possible witnesses cited by the defendant. 
A description of the circumstances is not suitable to the same extent as a picture to bring about a punishment of the offense: Because a photograph usually objectively reflects the actual circumstances of the violation, namely the illegally parked vehicle including license plate and the situation from which the person responsible for reporting the offense concludes that an administrative offense has been committed. This makes it easier for the police inspectorates to exercise their discretion regarding the prosecution of administrative offenses compared to a description of an administrative offense that has usually been subjective could not be revealed to the court, at least insofar as the same personal data (license plate number and location data of the vehicles concerned) are to be transmitted. Insofar as, in the defendant's opinion, "more" accompanying information regarding the vehicle (e.g. the general condition of the vehicle) would be transmitted by a photograph, it is questionable to what extent this can be personal data (and only this is relevant in the context of the determination of the necessity according to Art. 6 Para. 1 Sentence 1 Letter f DS-GVO), and on the other hand, a lot of accompanying information can also be contained in a written report. Also the argument that a photograph represents "more" because evidence would (only) be collected as a result, which is the task of the prosecution authorities, is not convincing, since an object of inspection and a witness are also generated as evidence by sending an e-mail without a photo and by naming the complainant himself. Therefore, when administrative offenses are reported, even without a photo, evidence is likely to arise that could be used in the subsequent proceedings. (c) Finally, there are no interests of the data subjects that conflict with data processing within the meaning of Art. 6 Para. 
1 Sentence 1 Letter f GDPR (see (aa)), which could outweigh the plaintiff’s interest in processing the data (see (bb)). The controversial question of the burden of proof for the preponderance of conflicting interests (cf. Lehr/Becker, ZD 2022, 370 (375), with further citations) can remain open, since both parties have submitted extensive statements on this and no questions that would have to be decided according to the principles of the burden of proof have remained open. (aa) The person concerned within the meaning of Article 6 Paragraph 1 Clause 1 Letter f DS-GVO in conjunction with Article 4 No. 1 DS-GVO is the respective owner of the photographed vehicle. The vehicle owner does not necessarily have to be identical to the driver, because only the owner can ultimately be identified. As a conflicting interest of the vehicle owner, the right to protection of the personal data concerning them according to Art. 8 Para. 1 GRCh or Art. 16 Para 1 TFEU comes under consideration. The vehicle owners concerned may also have an interest in remaining anonymous on the road. Finally, the vehicle owner also has an interest in not being prosecuted for committing an administrative offense due to the violation documented by the person responsible. In this respect, it is not a matter of data subjects within the meaning of Article 6 Paragraph 1 Clause 1 Letter f GDPR in conjunction with Article 4 No. 1 GDPR. The inclusion of conflicting interests other than those of the persons concerned does not result from the provision of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. In addition, it should be pointed out again that it is ultimately up to the prosecuting authorities to decide which of the administrative offenses reported under the processing of personal data are to be prosecuted (§ 47 Para. 1 Sentence 1 OWiG). 
(bb) The weighing of the legitimate interests of the plaintiff and the opposing interests of the vehicle owners as data subjects does not lead to the interests of the vehicle owners prevailing. Rather, the interests of the plaintiff weigh more heavily, whereas the interests of the data subjects are of comparatively little weight. With regard to the right of the data subjects to protection of their personal data according to Art. 8 para. 1 GRCh or Art. 16 para. 1 TFEU, the legislator has standardized the lawfulness of the processing of personal data as a restriction of this right by creating the various legal bases of Art. 6 Para. 1 Sentence 1 Letter b to f DS-GVO. Therefore, an encroachment on this right is justified if one of the conditions of Art. 6 Para. 1 DS-GVO is met. Within the meaning of recital 47 sentence 4 of the DS-GVO, the interests and fundamental rights of the data subject can outweigh the interests of the person responsible when personal data is processed in situations where an individual should not reasonably expect further processing. This is not the case here, since the persons concerned must and can expect that their data will be processed for the purpose of prosecuting an administrative offense. There is no right to anonymity in road traffic, rather the license plate number of a vehicle must always be legible (cf. § 23 para. 1 sentence 3 StVO) and therefore publicly accessible (cf. BVerwG, U.v. 22.10.2014 - 6 C 7/13 - juris para. 24). A vehicle owner must expect that a parking violation committed with his vehicle will be documented and reported. The fact that such a report can be made not only by the prosecuting authorities but also by private individuals results from Section 46 OWiG in conjunction with Section 158 (1) StPO. 
If the documentation of the illegally parked vehicle does not lead to the processing of additional personal data from bystanders, a difference between a written notification and the transmission of the vehicle owner's personal data by sending a photograph is not recognizable Protection of personal data through the transmission of photographs showing the vehicle registration number and the situation of the parking violation can be considered as minimal as possible. License plates have only little information content, precisely because a data-processing private individual, such as the plaintiff, would only be able to determine the identity of the vehicle owner after querying the vehicle register (cf. BVerwG, U.v. 22.10.2014 - 6 C 7/13 - juris paras. 23, 25). Finally, the interest of the persons concerned in not being prosecuted for committing an administrative offense must also take a back seat, since this is based on illegal behavior and is therefore not an interest worthy of protection. Overall, the interests of the vehicle owners that conflict with the data processing are therefore to be classified as of minor importance. In contrast, the plaintiff's legitimate interests in the processing of the personal data are to be given greater weight. The plaintiff's interest in reporting an administrative offense on the basis of the processing of personal data is to be given some weight because this legitimate interest is explicitly stated in a recital of the GDPR (recital 50 sentence 9 of the GDPR). In addition, the plaintiff's interest in physical integrity and safety, as described above, also has some weight, since on the one hand these are high-ranking legal interests, but on the other hand there was no specific danger to the plaintiff in the parking violations reported here. 
The weighing of the mutual interests therefore shows that the interests of the plaintiff as the person responsible for the data processing in the case at issue here outweigh those of the data subjects, so that the requirements of Art. 6 Para. 1 Sentence 1 Letter f DS-GVO were given. Accordingly, the processing of the personal data by the plaintiff was lawful within the meaning of Art. 5 Para. 1 Sentence 1 Letter a, Art. 6 Para. 1 Sentence 1 Letter f DS-GVO. Whether in the present case it corresponded to a dutiful exercise of discretion, the plaintiff because of a single-digit number of advertisements - in which he also carefully made sure not to process any data of uninvolved third parties, among other things by blacking out - not in the Informally pointing out the alleged illegality of the data processing in the sense of a "conclusion without action", but taking a remedial measure according to Art. 58 Para remain. (2) Whether there are information obligations (Art. 13, Art. 14 DS-GVO) or a right of withdrawal (Art. 21 DS-GVO) due to the data processing is not relevant in this case. In the warning at issue, the defendant only complained about the processing of personal data through the transmission of photographs of the wrongly parked vehicles; other data protection obligations or violations of the DS-GVO were not determined in the warning. The warning issued by the defendant due to a violation of Art January 28, 2022 is therefore illegal. d. The plaintiff's rights have been violated as a result (§ 113 Para. 1 Sentence 1 VwGO). Because at least the plaintiff is warned by the official complaint of a violation of data protection law against continuing to use personal data in the future to process the transmission of photographs. The fact that the plaintiff's behavior constitutes a violation is expressly stated in the warning at issue. 
This finding is intended to indirectly prevent the plaintiff from making further recordings of illegally parked vehicles and submitting them to police inspections Outflow of the general right of personality from Article 2 Paragraph 1 in conjunction with Article 1 Paragraph 1 GG (cf. Goers in BeckOK StPO with RiStBV and MiStra, 45th ed. Status: October 1st, 2022, Article 158 marginal number 8). If the plaintiff is warned by the defendant state office if he makes use of the opportunity granted to report an administrative offense, this accordingly represents an inadmissible restriction of the plaintiff's rights and thus a violation of the law within the meaning of Section 113 (1) sentence 1 VwGO. In addition, the plaintiff is restricted by the statement underlying the warning and incriminating him at least in his general freedom of action resulting from Art. 2 Para. 1 GG. e. Due to the illegality of the warning as a basic order within the meaning of Art. 16 Para the follow-up decisions from numbers 2 to 4 of the disputed decision of the defendant of January 28, 2022, i.e. the cost decision in number 2 based on Article 19 (6) sentence 1 BayDSG in conjunction with Article 1 and Article 2 BayKG, were also the determination of the fee in the amount of EUR 100.00 according to Art. 6 Para. 1 Sentence 2 and 3, Para. 2 KG in Section 3 and the statement on the expenses in Section 4, illegal. The alternative request for evidence made by the plaintiff's representative in the oral hearing on November 2, 2022 is a conditional request for evidence, which could no longer be decided due to the plaintiff's victory. The statement on the provisional enforceability is based on § 167 paragraph 2, paragraph 1 sentence 1 VwGO in conjunction with § 708 No. 11, § 711 ZPO. Resolution: The amount in dispute is set at EUR 5,000.00. 
Reasons: According to § 52 paragraph 1 GKG, the value in dispute is to be determined at the court's discretion according to the importance of the matter for the plaintiff resulting from the plaintiff's application. In the absence of further indications, the value in dispute was to be set at EUR 5,000.00 in accordance with Section 52 (2) GKG; in particular, the plaintiff's representative also stated in a letter dated February 28, 2022 that there were no concerns in this regard.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5112.5.2021&diff=30450
UODO (Poland) - DKN.5112.5.2021
2023-01-18T13:53:28Z
<p>AK: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=DKN.5112.5.2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=UODO<br />
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKN.5112.5.2021<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=<br />
|Date_Decided=30.11.2022<br />
|Date_Published=<br />
|Year=2022<br />
|Fine=9,738<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 5(2) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#2<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 9(2)(a) GDPR<br />
|GDPR_Article_Link_4=Article 9 GDPR#2a<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The Polish DPA imposed a €9,738 fine on a law firm for unlawfully processing personal data of potential clients, including data relating to health, in violation of [[Article 5 GDPR|Articles 5(1)(a)]], [[Article 6 GDPR|6(1)]] and [[Article 9 GDPR|9(2) GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller is a law firm whose main services consist of providing legal advice to clients injured in traffic accidents and representing them in court proceedings concerning damages. In the course of these activities, the controller interacted with potential clients (data subjects) in order to assess their legal situation as well as the possibility of taking on their cases. Before interacting with the data subjects, the controller would verbally ask for consent to process their personal data. However, no evidence was available that such consent had been obtained. Based on an oral declaration and before concluding any contract, the controller would obtain the following information from the data subjects: name, surname, telephone number, e-mail address, information about the death of another person, and health data related to traffic accidents.<br />
<br />
In February 2022, the Polish DPA initiated ex officio proceedings in order to investigate the controller's data processing activities with regard to potential clients.<br />
<br />
=== Holding ===<br />
The Polish DPA noted that the processing of personal data may only take place when a valid legal basis exists in accordance with [[Article 5 GDPR|Articles 5(1)(a)]] and [[Article 6 GDPR|6(1) GDPR]], and, in the case of health data, which constitute sensitive data, also [[Article 9 GDPR#2|Article 9(2) GDPR]]. The DPA analysed whether the controller had a valid legal basis for processing. Since the offering of services to potential clients involved direct marketing and the controller failed to demonstrate any other valid legal basis under the GDPR, the DPA concluded that the only possibility would have been to base the processing on the consent of the data subject ([[Article 6 GDPR|Article 6(1)(a) GDPR]]) and on explicit consent when dealing with sensitive data ([[Article 9 GDPR|Article 9(2)(a) GDPR]]). However, the controller only collected oral and unrecorded consent. In this regard, the DPA recalled that [[Article 5 GDPR#2|Article 5(2) GDPR]] obliges the controller to demonstrate compliance with GDPR provisions, which includes proof of consent. Especially in the context of [[Article 9 GDPR#2a|Article 9(2)(a) GDPR]], the explicit consent collected for the processing of health data should have a 'distinct character'. Therefore, the DPA held that the consent was invalid and that the controller processed personal data without a valid legal basis. <br />
<br />
In conclusion, the DPA found a violation of [[Article 5 GDPR|Articles 5(1)(a)]], [[Article 6 GDPR|6(1)]] and [[Article 9 GDPR|9(2) GDPR]], which resulted in imposing an administrative fine of PLN 45,697 on the controller pursuant to [[Article 58 GDPR|Articles 58(2)(i)]] and [[Article 83 GDPR|83 GDPR]].<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
PRESIDENT OF THE PERSONAL DATA PROTECTION OFFICE Warsaw, November 30, 2022<br />
Decision<br />
DKN.5112.5.2021<br />
<br />
<br />
<br />
<br />
<br />
Based on Art. 104 § 1 of the Act of June 14, 1960 Code of Administrative Procedure (Journal of Laws of 2021, item 735, as amended) and art. 7 sec. 1 and 2, art. 60, art. 101 and art. 103 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) and art. 57 sec. 1 lit. a) and h), Art. 58 sec. 2 lit. d) and point i) in connection with art. 5 sec. 1 lit. a), art. 6 sec. 1, art. 9 sec. 1 in connection with art. 9 sec. 2, as well as art. 83 sec. 1 - 3 and art. 83 sec. 5 lit. a) Regulation of the European Parliament and of the EU Council 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended), after conducting administrative proceedings initiated ex officio for infringement of the provisions on the protection of personal data in connection with the processing of personal data by Partners of a civil law partnership PIONIER [ ...] s.c. with the place of business in L [...], President of the Office for Personal Data Protection<br />
<br />
<br />
<br />
stating that N.B. and T.M., partners in the civil law partnership Kancelaria PIONIER [...] s.c. with its place of business in L [...], as well as R. B., a former partner of this partnership, violated the following provisions:<br />
<br />
a) article 6 sec. 1 of Regulation 2016/679, by processing the personal data of their potential customers without a legal basis, and in particular without obtaining their consent to processing as referred to in art. 6 sec. 1 lit. a) of Regulation 2016/679, which constitutes a violation of the principle of lawful processing of personal data referred to in art. 5 sec. 1 lit. a) of Regulation 2016/679,<br />
b) article 9 sec. 1 in connection with art. 9 sec. 2 of Regulation 2016/679, by processing data concerning the health of their potential customers without a legal basis, and in particular without obtaining their explicit consent to processing as referred to in art. 9 sec. 2 lit. a) of Regulation 2016/679, which constitutes a violation of the principle of lawful processing of personal data referred to in art. 5 sec. 1 lit. a) of Regulation 2016/679,<br />
<br />
orders N. B. and T. M., partners in the civil law partnership PIONIER [...] s.c., to adapt their processing operations to the provisions of Regulation 2016/679 by ceasing to process the personal data of potential clients without a legal basis, i.e. without obtaining the consent to the processing of their personal data referred to in art. 6 sec. 1 lit. a) and art. 9 sec. 2 lit. a) of Regulation 2016/679, within 14 days from the date of delivery of this decision.<br />
imposes on N. B. and T. M., partners in the civil law partnership Kancelaria PIONIER [...] s.c., and on R. B., former partner in the civil law partnership Kancelaria PIONIER [...] s.c., all jointly and severally liable for the violation of the provisions indicated in points a) and b) of the conclusion of this decision, an administrative fine in the amount of PLN 45,697.00 (in words: forty-five thousand six hundred and ninety-seven zlotys).<br />
<br />
<br />
<br />
<br />
<br />
Justification<br />
<br />
<br />
<br />
The President of the Personal Data Protection Office, hereinafter referred to as the "President of the UODO", pursuant to art. 78 sec. 1, art. 79 sec. 1 item 1 and art. 84 sec. 1 points 1-4 of the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), hereinafter referred to as the "Act", in connection with art. 57 sec. 1 lit. a) and h) and art. 58 sec. 1 lit. b) and e) of Regulation 2016/679, in order to verify the compliance of data processing with the provisions on the protection of personal data, carried out inspection activities at R. B. and T. M., Partners of PIONIER [...] s.c. with its place of business in L [...], hereinafter referred to as the "Partners of the Company" or the "Administrators" (file reference DKN [...]).<br />
<br />
The above inspection activities were carried out as a result of the President of the UODO receiving information indicating a possible violation of the provisions on the protection of personal data by the Administrators. This information was provided to the President of the UODO in a letter of the Poviat Police Commander in L. of March 2021, in which, as part of activities ordered by the District Prosecutor's Office in L., the Poviat Police Commander in L. asked the President of the UODO to carry out inspection activities at the Administrators.<br />
<br />
After receiving the above-mentioned letter, the President of the UODO first undertook verification activities with respect to the Administrators, requesting them, by letters of [...] March and [...] May 2021, to provide, in accordance with art. 58 sec. 1 lit. a) of Regulation 2016/679, all information needed by the supervisory authority to perform its tasks, i.e. primarily information on the method, purpose and legal basis of the processing of personal data by the Administrators in connection with their business activity.<br />
<br />
Due to the insufficient cooperation of the Company's Shareholders with the supervisory authority in clarifying the circumstances of this case, manifested in the delay in answering the questions addressed to them by the President of the UODO as well as in the non-exhaustive content of their answers, the President of the UODO decided that it was necessary to conduct an inspection at the enterprise of the Company's Shareholders pursuant to art. 78, art. 79 sec. 1 and art. 84 sec. 1 points 1-4 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781) in connection with art. 57 sec. 1 lit. a) and h) and art. 58 sec. 1 lit. b), e) and f) of Regulation 2016/679.<br />
<br />
The scope of the inspection covered the processing of personal data of clients and potential clients of the Company's Shareholders by the Administrators. In the course of the inspection, oral explanations were received from the Administrators' employees. The facts were described in detail in the inspection report, which was signed by the Company's Shareholders.<br />
<br />
Based on the evidence collected in the case, it was established that in the process of processing personal data, the Company's partners, as administrators, violated the provisions on the protection of personal data, i.e. art. 6 sec. 1 and art. 9 sec. 2 in connection with art. 5 sec. 1 lit. a) and Art. 9 sec. 1 of Regulation 2016/679, by processing without a legal basis personal data of potential clients of the Company's Shareholders, including data regarding their health, in particular without obtaining their consent to the processing of personal data referred to in art. 6 sec. 1 lit. a) and art. 9 sec. 2 lit. a) Regulation 2016/679.<br />
<br />
In connection with the above, the President of the UODO initiated ex officio administrative proceedings regarding the identified deficiencies in order to clarify the circumstances of the case (letter of [...] February 2022, reference number: [...]). The Company's partners did not respond in writing to the identified violations of the provisions on the protection of personal data which are the subject of the administrative proceedings and which were listed in the notification of the initiation of the proceedings. It should be noted that during the administrative proceedings in this case, R.B. ceased to be a party to the partnership agreement concluded by the Company's Shareholders and ceased to conduct business activity within it. N.B., on the other hand, joined the partnership agreement with T. M., becoming a Partner of the Company, and has been conducting business activity within it since [...] April 2022. For the above reason, a letter of [...] October 2022 was sent to N. B. as a Partner of the Company (ref.: [...]) notifying her of the initiation of proceedings against her in the case in question. N.B., like the other Shareholders of the Company before her, did not submit any explanations in response to the above-mentioned letters.<br />
<br />
<br />
<br />
After reviewing all the evidence collected in the case, the President of the UODO considered the following.<br />
<br />
Art. 5 of Regulation 2016/679 sets out the principles for the processing of personal data, which must be respected by all administrators, i.e. entities that alone or jointly with others determine the purposes and means of the processing of personal data. Pursuant to art. 5 sec. 1 lit. a) of Regulation 2016/679, personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency"). In addition, in accordance with art. 6 sec. 1 of Regulation 2016/679, processing is lawful only if - and to the extent that - at least one of the following conditions is met:<br />
<br />
a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;<br />
b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;<br />
c) processing is necessary to fulfill a legal obligation to which the controller is subject;<br />
d) processing is necessary to protect the vital interests of the data subject or of another natural person;<br />
e) processing is necessary to perform a task carried out in the public interest or in the exercise of public authority entrusted to the administrator;<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.<br />
<br />
In turn, pursuant to art. 9 sec. 1 of Regulation 2016/679, it is prohibited to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and to process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.<br />
<br />
The processing of the special categories of personal data regulated in art. 9 sec. 1 of Regulation 2016/679, including health data, is therefore generally prohibited. However, the above-mentioned provision does not apply in the cases indicated in art. 9 sec. 2, among others when the condition is met that the data subject has given explicit consent to the processing of the above-mentioned personal data for one or more specific purposes, unless Union or Member State law provides that the prohibition may not be lifted by the data subject (Article 9(2)(a) of Regulation 2016/679). The catalog of conditions listed in art. 9 sec. 2 of Regulation 2016/679 is exhaustive. Each of the premises legalizing the processing of personal data subject to special protection, including health data, referred to in this provision is autonomous and independent. This means that these conditions are, in principle, equal, and therefore the fulfillment of at least one of them makes the processing of personal data lawful. In addition, the processing of personal data must comply with the principles laid down in art. 5 sec. 1 of Regulation 2016/679. These principles include, among others, the lawful processing of personal data (point a). The aforementioned principle requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency").<br />
<br />
The Company's Shareholders and their employees, in the explanations submitted during the inspection, indicated that the predominant business activity conducted by the Company's Shareholders, in accordance with the entry in the Central Register and Information on Economic Activity, is activity related to risk assessment and estimation of incurred losses (PKD: 66.21.Z). As established in the course of the inspection, the activity carried out by the Company's Shareholders consists in providing legal assistance in the field of representing clients injured mainly in traffic accidents before insurance companies, courts and other entities, in order to obtain compensation, redress and pensions for them, as well as reimbursement of treatment and rehabilitation costs. The activity of the Company's Partners also consists in mediating between clients and medical facilities in the field of obtaining medical services. As part of the services provided, persons employed by the Company's Shareholders represent clients in court proceedings concerning claims for damages.<br />
<br />
During the first conversation with a potential client, he is first asked to give the Company's Shareholders oral consent to obtain and process his personal data until the possible conclusion of a contract for the provision of services. If the potential customer gives verbal consent to the processing of his data, the conversation is continued, and in the case of refusal, the conversation is interrupted. Thus, the acquisition and subsequent processing of the potential client's data by the Company's Shareholders occurs only if the representative of the Administrators receives from the potential client an oral statement of consent to the processing of his personal data.<br />
<br />
In connection with the above, the consent given by the potential client is only oral, i.e. it takes the form of a declaration made by the potential client during the first telephone conversation or the first direct conversation with the partners, representatives or employees of the Company's Shareholders. The purpose of obtaining data from potential customers in the above-mentioned way is to ensure that the Company's Shareholders are able to contact these customers again and present them with an offer.<br />
<br />
Activities leading to the acquisition of the above-mentioned personal data and to establishing contact with potential customers are carried out on the basis of press releases, internet publications, including content available in social media (e.g. "[...]"), as well as information provided or disseminated by organizations engaged in charitable activities (e.g. foundations). The Company's Partners did not provide evidence confirming that they had obtained consent to obtain the personal data of persons supported by the above-mentioned entities (foundations).<br />
<br />
Personal data of potential customers are also obtained on the basis of the content of publicly available private profiles of natural persons in the above-mentioned social media, containing information about the death of natural persons, accidents and other events relevant to the activities of the Administrators and suggesting that the above-mentioned persons may be potential clients of the Company's Shareholders. The activities referred to above are also carried out by means of so-called environmental interviews, i.e. obtaining information about potential clients of the Company's Shareholders and their personal data as a result of direct conversations with persons residing, working or otherwise functioning in the environment of the above-mentioned customers (e.g. conversations with neighbors or the mayor, reading obituaries posted in cemeteries, etc.). The places where the environmental interview is conducted are also selected on the basis of press reports and online publications. On the basis of all the above activities, the Company's Shareholders, their representatives or employees obtain personal data of potential customers primarily in the form of information allowing them to identify the address of residence (e.g. information about the color of the facade of the house, its topographical location, etc.), which then allows them to establish direct contact with these customers and submit an offer for the provision of services by the Company's Shareholders.<br />
<br />
In the case of reaching a potential customer, during a direct conversation, he is presented with the offer of services provided by the Administrators. In the event that a potential client expresses the will to establish contact with the Company's Shareholders or a contact person authorized by them, a personal conversation is conducted with him, during which other, more accurate personal data is obtained, i.e. telephone number, name and surname.<br />
<br />
In addition, the Administrators' offer is presented to potential customers who voluntarily initiate the first contact with the Company's Shareholders via electronic communication channels. In the majority of cases, contact is made on the initiative of a potential client by phone.<br />
<br />
These data are stored by the Company's Shareholders in electronic form (e.g. e-mail) or in paper form until a meeting with a potential client is held and the client makes a decision on establishing cooperation and concluding a contract for the provision of services. In a situation where no contract is concluded with a potential customer, his personal data is destroyed after a maximum of 5-7 days from the date of making the first contact with him and obtaining the data. After this time, the data is permanently destroyed. In the case of potential customers, the Company's Partners obtain, even before concluding a contract with them, the following data: name, surname, telephone number, e-mail address, information about the death of another person and health data in connection with accidents.<br />
<br />
It should be noted that, in accordance with recital 35 of Regulation 2016/679, "Personal data concerning health should include all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes information about the natural person collected in the course of the registration for, or the provision of, health care services as referred to in Directive 2011/24/EU of the European Parliament and of the Council (1) to that natural person; a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes; information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test."<br />
<br />
Considering the subject and circumstances of the business activity carried out by the Company's Shareholders, the processing of personal data of potential customers within it, as it is done by the Company's Shareholders, may take place only on the basis of the aforementioned art. 6 sec. 1 lit. a) and art. 9 sec. 2 lit. a) in connection with art. 5 sec. 1 lit. a) of Regulation 2016/679, i.e. when the data subject has consented to the processing of his or her personal data for one or more specific purposes (in relation to data that is not subject to special protection) and when the above-mentioned person has given explicit consent to the processing of data subject to special protection, in this case health data.<br />
<br />
As established during the inspection, in the case of potential customers, i.e. persons to whom the Company's Shareholders are only just addressing an offer regarding the services they provide and with whom no contracts in this regard have yet been concluded, the above consent is obtained, according to the statements of the Administrators and their employees, only in oral form. In this case, also because data concerning the health of potential customers are processed (e.g. information about injuries suffered by accident victims), the premise indicated by the Administrators under art. 6 sec. 1 lit. b) of Regulation 2016/679 (processing necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract) does not apply as the legal basis for processing.<br />
<br />
It should be recalled that pursuant to art. 6 sec. 1 of Regulation 2016/679, processing is lawful only in cases where - and to the extent that - at least one of the following conditions is met:<br />
<br />
a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;<br />
b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;<br />
c) processing is necessary to fulfill a legal obligation to which the controller is subject;<br />
d) processing is necessary to protect the vital interests of the data subject or of another natural person;<br />
e) processing is necessary to perform a task carried out in the public interest or in the exercise of public authority entrusted to the administrator;<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.<br />
<br />
In turn, in accordance with the content of art. 9 sec. 1 of Regulation 2016/679, it is prohibited to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and to process genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. Pursuant to art. 9 sec. 2 of Regulation 2016/679, sec. 1 does not apply if one of the following conditions is met:<br />
<br />
a) the data subject has given explicit consent to the processing of such personal data for one or more specific purposes, unless Union or Member State law provides that the prohibition referred to in paragraph 1 may not be lifted by the data subject;<br />
b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law, to the extent permitted by Union or Member State law or a collective agreement under Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject;<br />
c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;<br />
d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, on condition that the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;<br />
e) the processing relates to personal data which are manifestly made public by the data subject;<br />
f) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;<br />
g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;<br />
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in sec. 3;<br />
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;<br />
j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89 sec. 1, on the basis of Union or Member State law, which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and interests of the data subject.<br />
<br />
<br />
<br />
In the light of the evidence collected in the course of the inspection carried out at the Company's Shareholders by the President of the UODO, considering the special circumstances in which the Company's Shareholders obtain and process the data of potential customers, and given the wording of art. 6 sec. 1 of Regulation 2016/679, it should be considered that in the case of so-called ordinary data, i.e. personal data of potential customers of the Company's Shareholders such as name, surname, telephone number and e-mail address, the only premise legitimizing the processing of such data by the Company's Shareholders is obtaining consent from the data subject, i.e. from the potential customer. The evidence collected in the course of the inspection, including the explanations of the Company's Shareholders and their employees, shows that the processing of potential customers' data by the Administrators is not necessary for the performance of a contract to which the data subject is a party (no contract has yet been concluded with the potential client at all), nor in order to take steps at the request of potential clients prior to concluding contracts with them (Article 6(1)(b) of Regulation 2016/679), since at the stage of contact between the Administrators and potential clients there is no question of any "request" on their part, and the data is obtained and processed by the Administrators solely for the purpose of determining, for their own needs, how profitable it would be to conclude an agreement with a potential client, and in order to re-establish contact with that client and obtain a declaration of whether they wish to conclude a contract with the Administrators at all. It should be noted that during the inspection the Company's Shareholders did not provide evidence confirming that potential customers had submitted "requests" to them to take specific actions before concluding a contract.<br />
<br />
In addition, in the case in question, there can be no question of the Administrators needing to process the data of potential customers in order to protect their vital interests or those of other natural persons in a situation where these potential customers would be physically or legally unable to give consent (Article 6(1)(d) of Regulation 2016/679). The said processing is also not necessary to fulfill a legal obligation incumbent on the Administrators (Article 6(1)(c) of Regulation 2016/679), to perform a task carried out in the public interest or in the exercise of public authority entrusted to them (Article 6(1)(e) of Regulation 2016/679), or for purposes arising from legitimate interests pursued by the Administrators or by a third party (Article 6(1)(f) of Regulation 2016/679).<br />
<br />
It should be noted that data processing for the purposes of the legitimate interests pursued by the Administrators cannot, as a rule, be carried out in every situation and for every purpose of the Administrators. When processing data pursuant to art. 6 sec. 1 lit. f) of Regulation 2016/679, it must be considered whether such processing is necessary and proportionate to the purpose specified by the Administrators. In addition, the rights and freedoms of the persons whose data are to be processed, and their possible priority over the Administrators' goals, must also be taken into account. In order to resolve the above issues, each administrator should carry out a so-called balancing test, the aim of which is to weigh the above-mentioned interests on the part of both the data subject and the Administrators. If, as a result of such a test, it turns out that the goal specified by the given Administrators can be achieved in a way other than by processing personal data in a specific manner and to a specific extent, and in particular when such processing violates the rights or freedoms of the data subject, it should be considered that the administrator has no grounds for data processing pursuant to art. 6 sec. 1 lit. f) of Regulation 2016/679.<br />
<br />
In the case in question, the Company's Shareholders, as Administrators, acquire and process the data of potential customers in order to maintain contact with them with a view to obtaining a declaration as to whether or not a contract for the provision of services by the Company's Shareholders will be concluded. During the processing, the Company's Shareholders also assess the degree of economic risk related to the conclusion of the contract. In the opinion of the President of the UODO, achieving the purpose referred to above does not require obtaining personal data from potential customers, in particular health data. The Administrators would be able to achieve the above-mentioned goal, for example, by leaving a leaflet informing the potential client about their services and about the possibility of concluding a contract for the provision of services regarding the pursuit of compensation (redress).<br />
<br />
Thus, it should be considered that the processing of potential customers' data by the Administrators in the case in question is disproportionate to the result they wish to achieve and is not necessary for this purpose. It should be noted that "necessity" in this case should be understood as a factual situation in which, without processing the data of potential customers in the above-mentioned way, the Administrators would not be able to conclude contracts for the provision of services at all. In the case in question, in the opinion of the President of the UODO, such a state of necessity does not exist.<br />
<br />
In particular, the activities of the Administrators described above related to the processing of their potential customers' data cannot be considered direct marketing as referred to in the final sentence of recital 47 of Regulation 2016/679. According to that sentence, "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest". According to the commonly accepted theory of direct marketing, it consists in directing specific content to selected customers, including through individual contact, in order to obtain their statements regarding their perception of specific goods or services or their willingness to purchase them.<br />
<br />
Direct marketing allows consumers to buy products through the use of various communication and advertising methods. In addition to shaping the image of the entrepreneur, the purpose of direct marketing is to obtain information directly from the consumer regarding his perception of specific goods and services.<br />
<br />
In the case in question, both due to the type of some of the potential customers' data processed by the Administrators (health data) and due to the purpose of their processing, in the opinion of the President of the UODO there can be no question of processing for direct marketing purposes. The processing of health data for marketing purposes without the consent of the person concerned should be considered unacceptable and disproportionate to any other customer interests that could potentially be pursued through such processing. It should be noted that health data is subject to special protection in the light of the content of art. 9 of Regulation 2016/679, which does not contain a premise enabling its processing analogous to the premise of the legitimate interest pursued by the Administrators referred to in art. 6 sec. 1 lit. f) of Regulation 2016/679. For the above reason, and also because of the protection of the extremely important personal rights of a natural person, i.e. their privacy, which also covers information about health, the possibility of processing data containing such information for marketing purposes without prior consent is excluded, since those purposes serve interests of disproportionately lower value than the privacy of a natural person. It should also be noted that the offer of cooperation addressed by the Company's Shareholders to potential clients is closely related to the acquisition of health data by the Company's Shareholders, so without obtaining this data the Company's Shareholders would not contact potential clients with an offer of cooperation in the way they do when establishing personal, direct contact with the above-mentioned persons.<br />
<br />
At the same time, it should be noted that the Company's Shareholders obtain and then process the data of potential clients in particular circumstances: this happens in connection with insurance events, of which the Company's Shareholders learn from publicly available sources (social media, local press, etc.). Reaching a potential client is thus based on that information, and the purpose of the visit to the potential client is to obtain and process his data for further contact concerning the conclusion of a contract and the assessment of the business risk of concluding it, not marketing activities consisting in presenting an offer of services.<br />
<br />
It should be noted that if the acquisition and further processing of potential clients' data by the Company's Shareholders were carried out for direct marketing purposes, the Company's Shareholders would essentially have to hold that data already at the moment of first contact with those clients. In the case at hand, however, the data is obtained only once contact with a potential client has been made, and the further processing is not connected with marketing activities (studying client attitudes, advertising, presenting the offer, etc.) but, as noted above, serves only to obtain from the client a statement of his will to conclude an agreement with the Company's Shareholders on the one hand and, on the other, to estimate the business risk to the Company's Shareholders of concluding that agreement.<br />
<br />
It should also be borne in mind that the Administrators' activity largely consists in providing legal services, i.e. acting as professional legal representatives (advocates, legal advisers) for persons seeking compensation from entities providing insurance services, representing them in court proceedings, etc. As the Company's Partner T. M. testified in the course of the inspection, the activity carried out by the Company's Partners "consists in providing legal assistance in the field of representing clients injured mainly in traffic accidents before insurance companies, before courts and before other entities in order to obtain compensation, damages and pensions for them, as well as reimbursement of treatment and rehabilitation costs".<br />
<br />
In this connection it should be noted that under § 23 of the Collection of Principles of Ethics for Advocates and the Dignity of the Profession (Code of Ethics for Advocates) (Resolution No. 2/XVIII/98 of the Polish Bar Council of October 10, 1998, as amended), an advocate is prohibited from advertising, from acquiring clients in a manner contrary to the dignity of the profession, and from cooperating with entities that acquire clients in violation of the law or the principles of social coexistence. In addition, under § 23b sec. 1 of the Code, an advocate may not offer services to potential clients in the form of an offer addressed to persons who have not previously clearly expressed such a wish, while under § 23b sec. 4 and sec. 5 of the Code it is unacceptable to approach potential clients in order to provide information about one's activity, including through uninvited visits, telephone calls and correspondence to persons who have not turned to the advocate for legal assistance, and it is likewise unacceptable to commission third parties to disseminate information about the advocate.<br />
<br />
In turn, under art. 32 sec. 1 item 6 of the Code of Ethics for Legal Advisers (annex to Resolution No. 3/2014 of the Extraordinary National Convention of Legal Advisers of November 22, 2014 on the Code of Ethics for Legal Advisers, as amended), it is prohibited to provide information about one's professional practice in a manner contrary to the law or to good practice or in breach of the provisions of the Code, including information that is intrusive, in particular information that violates the sphere of privacy, is insistent or is given in an inappropriate place, and that may influence the decision to use legal assistance.<br />
<br />
In view of the above considerations regarding the nature of the Administrators' activity and the quoted provisions of the codes of ethics of advocates and legal advisers, it must be assumed that the acquisition and processing of the data of the Administrators' potential clients in the manner described above cannot be justified by the legitimate interests pursued by the Administrators or by a third party referred to in Art. 6 sec. 1 lit. f) of Regulation 2016/679 either. The above provisions governing how legal advisers and advocates may inform about their activity are, in the opinion of the President of the UODO, in contradiction with the way in which the Administrators do so. And although it is not within the competence of the President of the UODO to assess the manner in which the Administrators provide legal advisory services, including how they present their offer to potential clients, or to analyse the internal regulations of professional self-governing bodies, the wording of those regulations is an additional indication in this case supporting the conclusion that the Administrators cannot rely on a legitimate interest in the form of direct marketing, since those regulations as a rule do not allow clients to be acquired in the manner in which the Administrators do it, quite apart from the fact that their actions towards potential clients cannot be regarded as direct marketing at all in this case.<br />
<br />
During the inspection the Administrators did not demonstrate that any of the above conditions was met which would justify acquiring and processing the personal data of potential clients without obtaining from them consent that could be demonstrated before the supervisory authority.<br />
<br />
On the other hand, in the case of the special categories of potential clients' data processed by the Administrators, i.e. data concerning their health or the health of other persons, the only condition legitimising the processing of that data is all the more the consent of those clients, namely "explicit" consent as provided for in art. 9 sec. 2 lit. a) of Regulation 2016/679. None of the other conditions laid down in that provision constitutes a legal basis for the processing of potential clients' health data by the Company's Shareholders. The processing of this data is not necessary for the Administrators to carry out their obligations or exercise their specific rights, or those of the data subject, in the field of employment, social security and social protection law (Article 9(2)(b) of Regulation 2016/679). Nor is the processing of this special-category data necessary to protect the vital interests of the data subjects or of other natural persons, since the Company's Shareholders have not demonstrated in the course of the inspection that the data subjects, i.e. the Company's Shareholders' potential clients, are physically or legally incapable of giving consent (Article 9(2)(c) of Regulation 2016/679).<br />
<br />
The processing of potential clients' health data by the Administrators is also not justified as being carried out in the course of legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade-union aim. The Company's Partners do not operate in the legal forms or for the purposes referred to above and listed in Art. 9 sec. 2 lit. d) of Regulation 2016/679.<br />
<br />
The Administrators have also failed to demonstrate that their processing of potential clients' health data concerns personal data manifestly made public by the data subject (Article 9(2)(e) of Regulation 2016/679) or that it is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Article 9(2)(f) of Regulation 2016/679). It is true that the activity of the Company's Partners involves establishing, pursuing and defending claims for clients, but the nature of the relationship between the Administrators and their potential clients does not entitle them to process health data without obtaining explicit consent. The processing of potential clients' data by the Company's Shareholders without their consent is not necessary for the establishment, exercise or defence of claims on their behalf. The condition in art. 9 sec. 2 lit. f) of Regulation 2016/679 applies to cases in which processing is necessary for the purposes indicated there, i.e. in which the data has to be processed even without the voluntary consent of the data subject. Where a potential client, according to the findings of the inspection carried out at the Administrators, enters into a conversation with a representative of the Administrators only in order to establish possible cooperation and hear the Administrators' initial offer, there are no grounds for the Administrators to obtain and then process the potential client's data, even for a short time, without his consent, because in such a case obtaining consent is, on the one hand, necessary in view of the purpose of the processing and, on the other, achievable without greater expense and, most importantly, without infringing any interest of the potential client connected with the possibility of pursuing claims.<br />
As the Administrators explained in the course of the inspection, a potential client's data is stored in electronic form (e.g. an e-mail) or on paper until a meeting is held with him and he decides to establish cooperation and conclude a contract for the provision of services with the Company's Partners. If the potential client decides not to conclude a contract, his personal data is stored in those forms for at most 5 to 7 days. It follows that the acquisition and processing of potential clients' data by the Company's Shareholders before the conclusion of a contract serves only to enable them to familiarise themselves with the offer and decide whether to establish cooperation with the Company's Shareholders, and is therefore not necessary for the establishment, exercise or defence of potential clients' claims.<br />
<br />
Nor is the processing of potential clients' health data by the Administrators necessary for reasons of substantial public interest on the basis of Union or Member State law (Article 9(2)(g) of Regulation 2016/679), or for the purposes of preventive or occupational medicine, the assessment of an employee's working capacity, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional (Art. 9 sec. 2 lit. h) of Regulation 2016/679).<br />
<br />
The above processing is also not necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law providing for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 9(2)(i) of Regulation 2016/679).<br />
<br />
In the case of the Company's Shareholders, given the nature and scope of their business activity, there can likewise be no question of the processing of potential clients' data being necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 sec. 1 of Regulation 2016/679, on the basis of Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject (Art. 9 sec. 2 lit. j) of Regulation 2016/679).<br />
<br />
In this situation it must be held that the only possible legal basis for obtaining and then further processing, including storing, the above data of potential clients is art. 6 sec. 1 lit. a) and Art. 9 sec. 2 lit. a) of Regulation 2016/679 in conjunction with Art. 5 sec. 1 lit. a) of Regulation 2016/679. This means that the Company's Shareholders, because they obtain health data from potential clients, were obliged to obtain explicit consent to the processing of their personal data. Since, as indicated above, the Company's Shareholders, according to the testimony they and their employees gave as witnesses in the course of the inspection, obtain only oral and unrecorded consents to the processing of potential clients' data (with no sound recordings, registers or lists of the consents obtained and of the persons who gave them, etc.), such conduct must be regarded as violating the above provisions of Regulation 2016/679.<br />
<br />
Under art. 5 sec. 2 of Regulation 2016/679, the controller is responsible for compliance with art. 5 sec. 1 of Regulation 2016/679 and must be able to demonstrate that compliance ("accountability"). In turn, under art. 7 sec. 1 of Regulation 2016/679, where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his personal data. Where, however, the consents to data processing given by the Company's Shareholders' potential clients are purely oral, it is impossible to prove that the Administrators' potential clients consented to the processing of their data, or the scope of the consent given, because the statements of the Company's Shareholders and of the persons they employ are insufficient evidence in this respect. This applies in particular to consent to the processing of health data, which under art. 9 sec. 2 lit. a) of Regulation 2016/679 must be explicit.<br />
<br />
It should be noted that, regarding consent to the processing of so-called ordinary data (under Article 6(1)(a) of Regulation 2016/679), the Article 29 Working Party stated in its Guidelines on consent under Regulation 2016/679 (WP259 rev. 01) that "Article 7(1) of the GDPR clearly sets out the explicit obligation of the controller to demonstrate that the data subject has given consent. Under Article 7(1) the burden of proof rests with the controller." The Working Party also referred in its explanations to recital 42 of Regulation 2016/679, which states that "where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation". The Working Party further stressed that "it is up to the controller to prove that valid consent was obtained from the data subject. The GDPR does not prescribe exactly how this must be done. However, the controller must be able to demonstrate that the data subject has given consent in a given case. As long as the data is being processed, the obligation to demonstrate valid consent exists. (...) For instance, the controller may keep a record of the consent statements received, so that it can show how and when consent was obtained and what information was provided to the data subject at the time of consent. The controller must also be able to show that the data subject was informed and that the procedure used by the controller met all the relevant criteria for valid consent. The rationale for this requirement in the GDPR is that the controller is accountable for obtaining valid consent from data subjects and for the consent mechanisms it has put in place."<br />
<br />
In turn, the European Data Protection Board (EDPB) explained in its Guidelines 05/2020 on consent under Regulation 2016/679 that "Article 4(11) of the GDPR clarifies that valid consent requires an 'unambiguous' indication of wishes by means of a 'statement or a clear affirmative action', in line with the previous guidance issued by the WP29. 'Clear affirmative action' means that the data subject must have taken a deliberate action to consent to the particular processing. Recital 32 provides additional guidance on this. Consent can be collected through a written or (recorded) oral statement, including by electronic means. Perhaps the most literal way of fulfilling the criterion of a 'written statement' is to ensure that the data subject sends a letter or e-mail to the controller explaining exactly what he or she agrees to (...). Written statements can come in many shapes and sizes that could be compliant with the GDPR. Without prejudice to existing (national) contract law, consent can be obtained through a recorded oral statement, although due note must be taken of the information available to the data subject prior to giving consent. The use of pre-ticked opt-in boxes is invalid under the GDPR. Silence or inactivity on the part of the data subject, as well as merely proceeding with a service, cannot be regarded as an active indication of choice."<br />
<br />
In addition, regarding the requirements for obtaining explicit consent to the processing of the special categories of data listed in art. 9 sec. 1 of Regulation 2016/679, which include health data, the European Data Protection Board (EDPB) indicated in its Guidelines 05/2020 on consent under Regulation 2016/679: "The term 'explicit' refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm it in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future. However, such a signed statement is not the only way to obtain explicit consent, and it cannot be said that the GDPR prescribes written and signed statements in all circumstances that require valid explicit consent. For example, in the digital or online context, the data subject may be able to issue the required statement by filling in an electronic form, by sending an e-mail, by uploading a scanned document carrying the signature of the data subject, or by using an electronic signature. In theory, the use of oral statements can also be sufficiently express to obtain valid explicit consent, but it may be difficult for the controller to prove that all conditions for valid explicit consent were met when the statement was recorded." In the opinion of the President of the UODO, the content of the above EDPB Guidelines indicates that an oral statement of consent to data processing, both in the case of "ordinary" data and, all the more so, in the case of "special" data, is not a form that sufficiently guarantees the ability to demonstrate that consent was unambiguous, let alone explicit. In the case of "ordinary" data, such a form could exceptionally be regarded as sufficient if it were accompanied by further, additional actions of the controller, e.g. keeping an appropriate register of consents or audio-recording the conversations with data subjects. No such actions were taken by the Administrators.<br />
<br />
Thus, the acquisition and subsequent processing for several days (5 to 7) of personal data, including data concerning the health of potential clients, by the Company's Shareholders was carried out without a legal basis and constituted a violation of Art. 6 sec. 1 lit. a) of Regulation 2016/679 and of art. 9 sec. 1 in conjunction with art. 9 sec. 2 lit. a) of Regulation 2016/679. It should be stressed again that under Art. 9 sec. 1 of Regulation 2016/679 the processing of data subject to special protection, which includes health data, is prohibited as a rule, and the Company's Shareholders did not satisfy any of the conditions for such processing that constitute exceptions to that rule, set out in art. 9 sec. 2 of Regulation 2016/679, having failed to obtain the explicit consent referred to in letter a) of that provision.<br />
<br />
In addition, under art. 4 point 11 of Regulation 2016/679, "consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. In the light of this definition, it must be held that, where the Company's Shareholders obtain potential clients' personal data, there is no clear evidence that those clients consented to the processing of their data either by an unambiguous statement or by a clear affirmative action. The witness testimony obtained in the course of the inspection clearly indicates that, when obtaining potential clients' personal data, the Company's Shareholders confine themselves to receiving an oral statement.<br />
<br />
It should be noted that in the business relationship between the Company's Shareholders and their potential clients, at the stage when the Company's Shareholders present the initial terms of their offer, there are also no clear actions by the potential clients that would confirm their consent to the processing of their personal data. Such consent cannot be inferred, for example, from potential clients contacting the Company's Shareholders by telephone on their own initiative, since the Company's Shareholders are unable to prove the purpose of such contact or that, during the telephone conversation or in connection with initiating it, the potential clients consented to the processing of their data. It should be added that such telephone conversations were only one of several ways of establishing contact with potential clients and, moreover, were not recorded by the Company's Shareholders, which makes it impossible to verify their content and the statements made during them by the Company's Shareholders and the potential clients.<br />
<br />
In view of the above, it must be held that the Company's Shareholders have processed and continue to process the personal data of potential clients without a legal basis (without meeting the conditions laid down in Article 6(1)(a) of Regulation 2016/679 and, in the case of data concerning their health, Art. 9 sec. 2 lit. a) of Regulation 2016/679), i.e. without obtaining the prior explicit consent of the data subjects. Since the Company's Shareholders can rely on none of the conditions for data processing, they thereby violate Art. 5 sec. 1 lit. a) of Regulation 2016/679, which expresses, among others, the principle of lawfulness of processing.<br />
<br />
As stated in the commentary on Regulation 2016/679 edited by Edyta Bielak-Jomaa and Dominik Lubasz ("GDPR General Data Protection Regulation", Wolters Kluwer Polska S.A., 2018, p. 326), "The requirement to ensure the lawfulness of data processing operations means not only the need to meet the conditions for the lawfulness of data processing set out in art. 6 and 9, but also the need to ensure compliance with other provisions on the protection of personal data. This requirement also entails the need to ensure compliance with all provisions governing the activity of entities processing data."<br />
<br />
Administrative proceedings conducted by the President of the UODO serve to verify the compliance of data processing with the provisions on the protection of personal data and are aimed at issuing an administrative decision applying the corrective powers set out in art. 58 sec. 2 of Regulation 2016/679. Under art. 58 sec. 2 lit. d) of Regulation 2016/679, the President of the UODO may order the controller or processor to bring processing operations into compliance with the applicable provisions.<br />
<br />
Given that the Administrators process the personal data, including health data, of potential clients without a legal basis, the President of the UODO ordered them to cease the above processing activities, with the reservation that if they obtain the prior explicit consent of potential clients, that processing may be continued or resumed.<br />
<br />
In addition, under art. 58 sec. 2 lit. i) of Regulation 2016/679, each supervisory authority has the power to impose, in addition to or instead of the other corrective measures provided for in art. 58 sec. 2 of that regulation, an administrative fine under Art. 83 of Regulation 2016/679, depending on the circumstances of each individual case. The President of the UODO finds that in the case under consideration the conditions for imposing an administrative fine on the Company's Shareholders were met.<br />
<br />
Under art. 83 sec. 2 of Regulation 2016/679, administrative fines are imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Art. 58 sec. 2 lit. a)-h) and lit. j) of Regulation 2016/679. Recital 148 of Regulation 2016/679 states that, in order to strengthen the enforcement of the Regulation, penalties including administrative fines should be imposed for infringements of the Regulation, in addition to or instead of appropriate measures imposed by the supervisory authority under the Regulation. In the case of a minor infringement, the fine may be replaced by a reprimand. Due regard should, however, be given to the nature, gravity and duration of the infringement, its intentional character, the actions taken to mitigate the damage suffered, the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.<br />
<br />
Determining the nature of the infringement consists in identifying which provision of Regulation 2016/679 has been infringed and classifying the infringement into the appropriate category of infringed provisions, i.e. those indicated in art. 83 sec. 4 or in art. 83 sec. 5 and 6 of Regulation 2016/679. The gravity of the infringement (e.g. low, medium or significant) is indicated by its nature as well as by the scope and purpose of the processing concerned, the number of data subjects affected and the level of damage suffered by them. The purpose of the processing is relevant to determining the extent to which the processing satisfies the two key elements of the purpose-limitation principle, i.e. specification of the purpose and compatible use by the controller or processor. When choosing a corrective measure, the supervisory authority takes into account whether damage has been or may be suffered as a result of the infringement of Regulation 2016/679, although the supervisory authority itself is not competent to award specific compensation for the damage suffered. In assessing the duration of the infringement, it can be established whether it was removed immediately and how long it lasted, which in turn allows an assessment of, for example, the purposefulness or effectiveness of the controller's or processor's actions. The Article 29 Working Party, in its Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 adopted on October 3, 2017, stated with regard to the intentional or negligent character of an infringement that, in general, "intent" includes both knowledge and wilfulness in relation to the characteristics of the offence, whereas "unintentional" means that there was no intention to cause the infringement, although the controller or processor breached the duty of care required by law. Intentional infringements are more serious than unintentional ones and consequently more often lead to the imposition of an administrative fine.<br />
<br />
When deciding to impose an administrative fine on the Company's Shareholders and determining its amount, the President of the UODO, in accordance with Art. 83 sec. 2 lit. a)-k) of Regulation 2016/679, took into account the following circumstances to the detriment of the Company's Shareholders, aggravating the amount of the fine imposed:<br />
<br />
the nature, gravity and duration of the infringement of Regulation 2016/679, taking into account the nature, scope or purpose of the processing (Article 83(2)(a) of Regulation 2016/679): the violation of the rules on the processing of personal data, consisting in the Company's Shareholders processing potential clients' data without a legal basis (without demonstrable consent to the processing of personal data, including explicit consent in respect of health data), i.e. the violation of the principle of lawfulness of processing, was of considerable gravity and serious nature, because the principle of lawfulness is of key importance for the protection of personal data. In addition, as the evidence collected in the course of the inspection carried out at the Company's Shareholders shows, the processing of the above data took place and continues to take place in a continuous and planned manner, from the date on which Regulation 2016/679 became applicable, i.e. from May 25, 2018, to the date of this decision, that is over a long period of at least 4 years. Attention should also be drawn to the specific nature of the infringement, determined by the fact that the data processed is subject to special legal protection (data concerning health), and by the circumstances of its acquisition and the life situation of the data subjects. The Administrators acquire and then process potential clients' data in conditions of mental and sometimes also physical trauma connected with the tragic events those clients have gone through. The events (mainly traffic accidents) in connection with which the Administrators provide their services naturally affect the psyche of potential clients so strongly that they may take decisions, including consenting to the processing of their data, in a way that is not always fully rational and informed. For this reason, it is of key importance in these conditions that the Administrators exercise due diligence so that their potential clients are able to express their will regarding the processing of their data, including its purpose, manner and scope, in a way that is clear and unambiguous as to the content of the declaration. The Administrators should also make every effort to exclude the possibility of potential clients being under any pressure at the time of consenting to the processing of their data, e.g. pressure resulting from a poor mental state caused by a traumatic event such as an accident in which persons, usually very close to them, lost their lives or a large part of their health. Where potential clients, according to the Administrators' own declarations, give consent only orally, then even leaving aside the very fact of infringing the provisions of Regulation 2016/679 on how such consent is given and on the accountability of the Administrators' actions, there can be no question of due diligence having been exercised in the case at hand, to which the Administrators are in general bound, to a degree reflecting the professional nature of the services they provide;<br />
unintentional nature of the violation of the provisions of Regulation 2016/679 by the Company's Shareholders, however, under conditions of gross negligence on their part (Article 83(2)(b) of Regulation 2016/679), i.e. obtaining and processing data of potential customers despite not obtaining from them, in an accountable manner and in accordance with the provisions of Regulation 2016/679, consents. The Company's partners, as entrepreneurs, should have exercised due diligence when processing the data of potential customers, the more so that this data also included special data, i.e. concerning health. Considering the above, the Company's Shareholders as administrators should take all actions resulting in the fulfillment of the obligations arising from the provisions of Regulation 2016/679. In particular, due to the nature of their business activity, they should have made sure what actions are necessary for the lawful processing of data of potential customers, and then implement them. The shareholders of the Company abandoned the above-mentioned activities, and the processing of data of potential customers took place on the basis of unspecified and impossible to prove, in the light of the provisions of Regulation 2016/679, oral arrangements with them;<br />
degree of cooperation with the supervisory authority in order to remove the infringement and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679) - due to the fact that the Administrators provided incomplete and general information in connection with the requests for explanations addressed to them by the President of the UODO, which resulted in the need to conduct the inspection, the degree of cooperation of the Administrators with the supervisory authority should be assessed as insufficient;<br />
categories of personal data affected by the breach (Article 83(2)(g) of Regulation 2016/679) - among the personal data of potential customers processed by the Company's Shareholders, in addition to ordinary data, such as: name, surname, telephone number, etc., also included special data, i.e. health data referred to in art. 9 sec. 1 of Regulation 2016/679. In view of the above, the Administrators, by processing the personal data of potential customers without provable consent, and in the case of special data without their express consent, significantly violated the provisions of the above-mentioned regulation. Processing of personal data specified in art. 9 sec. 1 of Regulation 2016/679 is particularly protected, which makes the failure of the Company's Shareholders to obtain relevant consents from data subjects to be assessed even more critically;<br />
how the supervisory authority found out about the infringement, in particular whether and to what extent the controller or processor reported the infringement (Article 83(2)(h) of Regulation 2016/679) - the supervisory authority learned about the infringement of the provisions of Regulation 2016/679 as a result of inspection activities carried out by it. In addition, it should be stated that the control of the supervisory body was carried out as a result of incomplete, general information received from the Administrators in the course of the supervisory body's explanatory activities preceding the control, conducted under reference number DKN.[...]. In other words, the control of the supervisory authority was carried out as a result of problems in obtaining full and unambiguous information from the Administrators on the processing of data by them as part of their business activity.<br />
<br />
<br />
<br />
The following circumstances were considered mitigating circumstances in this case:<br />
<br />
number of affected data subjects and the extent of the damage they suffered (Article 83(2)(a) of Regulation 2016/679) - no damage caused by the Company's Shareholders to potential customers as a result of breaching the provisions of Regulation 2016/679 was found during the inspection;<br />
previous violations by the Administrators (Article 83(2)(e) of Regulation 2016/679) - no previous violations of the provisions of Regulation 2016/679 by the Administrators have been found;<br />
<br />
<br />
<br />
The imposition and the amount of the administrative fine were not influenced by the following circumstances:<br />
<br />
actions taken by the Administrators to minimize the damage suffered by the data subjects (Article 83(2)(c) of the Regulation 2016/679) - actions taken by the Administrators were not taken into account due to the fact that no damage was incurred by the persons whose the data concern;<br />
the degree of responsibility of the Administrators, taking into account the technical and organizational measures implemented by them pursuant to art. 25 and 32 of Regulation 2016/679 (Article 83(2)(d)) - technical and organizational measures to protect personal data processed by the Administrators were not subject to control by the President of the UODO;<br />
the fact that no corrective measures specified in art. 58 sec. 2 of Regulation 2016/679 (Article 83(2)(i) of Regulation 2016/679) - no decision by the President of the UODO regarding the Administrators of corrective measures specified in art. 58 sec. 2 of Regulation 2016/679;<br />
the use of approved codes of conduct under Art. 40 or approved certification mechanisms under Art. 42 (Article 83(2)(j) of Regulation 2016/679) - the Company's shareholders do not apply approved codes of conduct pursuant to Art. 40 of Regulation 2016/679 or approved certification mechanisms under Art. 42 of Regulation 2016/679;<br />
financial benefits achieved directly or indirectly in connection with the infringement or losses avoided (Article 83(2)(k) of Regulation 2016/679) - during the inspection, no impact of the violation of the provisions of Regulation 2016/679 on achieving financial benefits by the Administrators or avoiding losses was found.<br />
<br />
<br />
<br />
When deciding whether to impose an administrative fine, as well as determining its amount, the President of the UODO considered the most important to be the serious nature of the infringement resulting from the violation of the principle of compliance with the law in connection with the failure to obtain explicit consent to the processing of data of potential customers by the Company's Shareholders, in particular their data regarding health, so that the processing of the above-mentioned persons' data took place without any legal basis.<br />
<br />
When imposing a penalty in this case, the President of the UODO also took into account the content of Art. 83 sec. 3 of Regulation 2016/679, according to which, if the controller or processor intentionally or unintentionally violates several provisions of this regulation as part of the same or related processing operations, the total amount of the administrative fine does not exceed the amount of the fine for the most serious infringement.<br />
<br />
Referring to the amount of the administrative fine imposed on the Shareholders of the Company, the President of the UODO decided that in the circumstances of this case, i.e. in violation of the principle of compliance with the law expressed in Art. 5 sec. 1 lit. a) of Regulation 2016/679, art. 83 sec. 5 lit. a) of Regulation 2016/679 applies. In accordance with these provisions, violations of the basic principles of processing referred to in art. 5 of Regulation 2016/679 are subject to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual global turnover from the previous financial year, with the higher amount applicable.<br />
<br />
Pursuant to the content of art. 103 of the Act of May 10, 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euros referred to in art. 83 of Regulation 2016/679, is calculated in PLN according to the average euro exchange rate announced by the National Bank of Poland in the table of exchange rates as at January 28 of each year, and if in a given year the National Bank of Poland does not announce the average euro exchange rate on January 28 - according to the average euro exchange rate announced in the exchange rate table of the National Bank of Poland, which is the closest after that date.<br />
<br />
Considering the above, the President of the UODO, pursuant to art. 83 sec. 3 and art. 83 sec. 5 lit. a) of Regulation 2016/679 in connection with Art. 103 of the Act on the Protection of Personal Data, for the infringements described in the operative part of this decision, imposed on the Company's Shareholders - using the average euro exchange rate announced by the National Bank of Poland on January 28, 2022 (EUR 1 = PLN 4.5697) - an administrative fine in PLN 45,697 (equivalent to EUR 10,000).<br />
<br />
In the opinion of the President of the Personal Data Protection Office, the applied administrative fine in the amount of PLN 45,697 (forty-five thousand six hundred and ninety-seven zlotys) fulfills the functions referred to in art. 83 sec. 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case.<br />
<br />
It should be considered that the penalty will be effective if its imposition will lead to the Company's Shareholders processing personal data of potential customers on the basis of their consents (and in the case of health data processing - explicit consents) granted in such a form that demonstrating their obtaining and their scope by the Company's Shareholders will not raise doubts in the event of another inspection by the President of the UODO.<br />
<br />
In the opinion of the President of the UODO, the fine applied is proportional to the infringement found, especially due to the failure to fulfill the obligations of the Company's Shareholders as Administrators at least from May 15, 2018, i.e. from the date of entry into force of the provisions of Regulation 679/2016.<br />
<br />
Referring to the amount of the administrative fine imposed on the Company's Shareholders, the President of the UODO considered that it is proportionate both to the seriousness of the infringement found in this case and to the financial situation of the Company's Shareholders and will not constitute an excessive burden for them. The submitted profit and loss account shows that the revenues from the activities of the Company's Shareholders in the period from January 1, 2021 to December 31, 2021 amounted to PLN 3,868,531.36 (three million eight hundred and sixty-eight thousand five hundred and thirty-one 36/100 zlotys), therefore, the amount of the administrative fine imposed in this case is approximately 1.18% of the revenues earned by the Company's Shareholders in the period for which the Company's Shareholders presented financial data. At the same time, it is worth emphasizing that the amount of the fine imposed (PLN 45,697.00) is only approx. 0.05% of the maximum amount of the fine that the President of the UODO could - applying, in accordance with Art. 83 sec. 5 of Regulation 2016/679, the maximum threshold of EUR 20,000,000 (according to the average euro exchange rate of January 28, 2022 - PLN 91,394,000) - impose on the Company for violation of the provisions of Regulation 2016/679 found in this case.<br />
<br />
The dissuasive nature of the fine is related to the prevention of future violations and paying more attention to the implementation of the Administrator's tasks. The penalty is intended to deter both Administrators from re-infringement and other entities involved in data processing. By imposing with this administrative decision a fine for violation of the provisions on the protection of personal data, the President of the UODO took into account both aspects: firstly - repressive nature (the Company's Shareholders violated the provisions of Regulation 2016/679), secondly - preventive nature (both the Company's Shareholders and other entities involved in the processing of personal data will be more attentive and diligent to fulfill their obligations under Regulation 2016/679). In other words, in the opinion of the President of the UODO, the administrative fine will fulfill a repressive function, as it will be a response to the violation by the Company's Shareholders of the provisions of Regulation 2016/679, but also a preventive one, as the Company's Shareholders themselves will be effectively discouraged from violating the protection provisions in this way personal data in the future.<br />
<br />
The purpose of the imposed penalty is to oblige the Company's Shareholders to properly perform the obligations arising from Regulation 2016/679, and consequently to conduct data processing processes in accordance with applicable law. It should be emphasized that the penalty will be effective if its imposition will lead to the Company's Shareholders adapting their data processing processes to a lawful state. The application of an administrative fine in this case is necessary also considering that the Company's Shareholders completely ignored the obligation to obtain explicit consent to the processing of their potential clients' data, in particular in the field of health data.<br />
<br />
In the opinion of the President of the UODO, the applied administrative fine fulfills the functions referred to in art. 83 sec. 1 of Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this individual case. In connection with the above, it should be indicated that the administrative fine in the amount of PLN 45,697.00 meets the conditions referred to in Art. 83 sec. 1 of Regulation 2016/679 due to the seriousness of the violation found in the context of the basic principle of Regulation 2016/679 - the principle of lawful data processing.<br />
<br />
<br />
<br />
In this factual and legal situation, the President of the Personal Data Protection Office decided as in the sentence.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_20/02144&diff=30448
Datatilsynet (Norway) - 20/02144
2023-01-18T13:10:06Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Norway<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoNO.png<br />
|DPA_Abbrevation=Datatilsynet<br />
|DPA_With_Country=Datatilsynet (Norway)<br />
<br />
|Case_Number_Name=20/02144<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Norwegian DPA Datatilsynet<br />
|Original_Source_Link_1=https://www.datatilsynet.no/contentassets/4cc976be3b2f4ddcb379150c7227f1f8/~-20_02144-16-vedtak-om-palegg---postnord-as-359108_4_1.pdf<br />
|Original_Source_Language_1=Norwegian<br />
|Original_Source_Language__Code_1=NO<br />
|Original_Source_Name_2=Norwegian DPA Datatilsynet (press release)<br />
|Original_Source_Link_2=https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/palegg-til-postnord/<br />
|Original_Source_Language_2=Norwegian<br />
|Original_Source_Language__Code_2=NO<br />
|Original_Source_Name_3=<br />
|Original_Source_Link_3=<br />
|Original_Source_Language_3=<br />
|Original_Source_Language__Code_3=<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Started=24.02.2020<br />
|Date_Decided=09.01.2023<br />
|Date_Published=11.01.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 32(1) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1<br />
|GDPR_Article_2=Article 32(2) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#2<br />
|GDPR_Article_3=Article 58(2)(d) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#2d<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=PostNord AS<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Riealeksandra Rie Aleksandra Walle]<br />
|<br />
}}<br />
<br />
The Norwegian DPA held that a courier and logistics company violated [[Article 32 GDPR]] for insufficient risk assessment and the lack of security measures in the app ''MyPostNord,'' which used phone numbers as the only means of authentication to access a customer profile. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The courier and logistics company PostNord (the controller) offers their customers a service ''MyPostNord'', where they can schedule and track parcels as well as obtain advantages such as faster bookings. ''MyPostNord'' can also be accessed through an online app. <br />
<br />
In February and March 2020, the controller submitted two data breach notifications to the Norwegian DPA, relating to cases where unauthorised persons were able to access customer profiles of others. The unauthorised persons were able to access the profiles because the controller used phone numbers as the only means of authentication, so entering someone else's number (for example an incorrect one) could give them access to that person's personal data in the profile, including name, gender, postal address, email address, phone number, order and payment history, shipments underway and sender name. The same happened in cases where there was a new owner of the phone number previously used in the ''MyPostNord'' service and where the previous owner of the same phone number did not update their profile information.<br />
<br />
In addition to the controller's breach notifications, the DPA received information from the public about similar incidents. The DPA initiated an investigation and requested information from the controller. Specifically, the DPA asked for the risk assessment of the service ''MyPostNord'' and related processing systems. The controller submitted the risk assessment, but could not state ''when'' the risk assessment was conducted.<br />
<br />
=== Holding ===<br />
The DPA assessed whether the controller took measures to ensure an appropriate level of security in accordance with [[Article 32 GDPR]]. One of the requirements under [[Article 32 GDPR|Article 32(1) GDPR]] is to identify risks associated with the processing of personal data. Controllers must perform and be able to report a risk assessment in order to sufficiently demonstrate compliance with [[Article 5 GDPR#2|Article 5(2)]] and [[Article 24 GDPR#1|Article 24(1) GDPR]]. The DPA noted that the risk assessment of the controller was not conducted before the processing began, and it lacked a systematic overview of relevant risks related to the processing of personal data, including an assessment of the risk of confidentiality breaches. The DPA recommended that the controller implement an established methodology, for example based on ISO 27001.<br />
<br />
Further, the DPA noted that using telephone numbers as an identifier to access the ''MyPostNord'' service could pose problems with regard to the principle of confidentiality ([[Article 5 GDPR|Article 5(1)(f) GDPR]]), especially when phone numbers are assigned to new owners but the service profiles are not updated. The DPA held that the controller violated [[Article 32 GDPR#1|Articles 32(1)]] and [[Article 32 GDPR#2|32(2) GDPR]] for insufficient risk assessment of security measures in the ''MyPostNord'' service, and ordered the controller, pursuant to [[Article 58 GDPR|Article 58(2)(d) GDPR]], to implement sufficient technical and organisational measures as per [[Article 32 GDPR]]. The controller accepted the notification and informed the DPA of plans to implement two-factor authentication in order to ensure confidentiality in the service.<br />
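An added illustration of the weakness the DPA describes (a profile bound to a phone number, with an SMS code as the only factor) next to the password-plus-SMS-code login PostNord said it would introduce; this is example code written for this summary, not PostNord's system or the DPA's, and the carrier model, names, number and password are constructed.<br />

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Carrier:
    """Constructed stand-in for a telecom operator that recycles numbers."""
    owner_of: dict = field(default_factory=dict)  # number -> current holder
    inbox: dict = field(default_factory=dict)     # holder -> SMS texts received

    def assign(self, number: str, holder: str) -> None:
        # A reassigned number silently stops reaching the previous holder.
        self.owner_of[number] = holder

    def send_sms(self, number: str, text: str) -> None:
        holder = self.owner_of.get(number)
        if holder is not None:
            self.inbox.setdefault(holder, []).append(text)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Profile:
    name: str
    address: str
    salt: bytes
    pw_hash: bytes


class Service:
    """Profiles are keyed by phone number, as in the MyPostNord description."""

    def __init__(self, carrier: Carrier) -> None:
        self.carrier = carrier
        self.profiles: dict = {}  # number -> Profile
        self.pending: dict = {}   # number -> outstanding one-time code

    def register(self, number: str, name: str, address: str, password: str) -> None:
        salt = os.urandom(16)
        self.profiles[number] = Profile(name, address, salt, hash_password(password, salt))

    def send_code(self, number: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = code
        self.carrier.send_sms(number, f"MyPostNord code: {code}")

    def _consume_code(self, number: str, code: str) -> bool:
        expected = self.pending.pop(number, None)  # single use, never reusable
        return expected is not None and hmac.compare_digest(expected, code)

    def login_phone_only(self, number: str, code: str):
        """Weak: the SMS code proves only that the caller holds the number now."""
        if number in self.profiles and self._consume_code(number, code):
            return self.profiles[number]
        return None

    def login_two_factor(self, number: str, password: str, code: str):
        """Hardened: adds a knowledge factor the new number holder does not have."""
        prof = self.profiles.get(number)
        if prof is None:
            return None
        pw_ok = hmac.compare_digest(hash_password(password, prof.salt), prof.pw_hash)
        code_ok = self._consume_code(number, code)  # consume even on bad password
        return prof if (pw_ok and code_ok) else None


def latest_code(carrier: Carrier, holder: str) -> str:
    msgs = carrier.inbox.get(holder, [])
    return msgs[-1].rsplit(" ", 1)[1] if msgs else ""


def simulate_number_recycling():
    """Anna registers, her number is recycled to Bjorn, Bjorn tries both logins.
    Returns (name exposed by phone-only login, name exposed by two-factor login)."""
    carrier = Carrier()
    svc = Service(carrier)
    number = "+4799999999"  # constructed number
    carrier.assign(number, "anna")
    svc.register(number, "Anna", "Storgata 1, Oslo", "anna-secret")
    carrier.assign(number, "bjorn")  # Anna's profile stays bound to the number
    svc.send_code(number)
    exposed = svc.login_phone_only(number, latest_code(carrier, "bjorn"))
    svc.send_code(number)
    blocked = svc.login_two_factor(number, "wrong-guess", latest_code(carrier, "bjorn"))
    return (exposed.name if exposed else None, blocked.name if blocked else None)


if __name__ == "__main__":
    print(simulate_number_recycling())  # ('Anna', None)
```

The mistyped-number case in the decision is the same path: whoever receives the SMS passes the phone-only login.<br />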
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Norwegian original. Please refer to the Norwegian original for more details.<br />
<br />
<pre><br />
POSTNORD AS<br />
PO Box 6441 Etterstad<br />
0605 OSLO<br />
<br />
Your reference Our reference Date<br />
20/02144-16 09.01.2023<br />
<br />
<br />
<br />
Decision on order - PostNord AS<br />
<br />
1 Introduction<br />
<br />
We refer to the notice of order of 25 May 2022 and their comments of 25 August 2022.<br />
<br />
<br />
We understand the comments to mean that PostNord AS accepts the notified order, and that the company<br />
plans to introduce two-factor authentication using a personal password and one-time code on<br />
SMS to ensure confidentiality in "mypostnord".<br />
<br />
<br />
Based on your comments, we make decisions in line with the notice.<br />
<br />
2 Resolution<br />
<br />
Pursuant to the Personal Data Protection Regulation article 58 no. 2 letter d, an order is imposed on<br />
<br />
POSTNORD AS, reg. no. 984 054 564, to implement suitable technical measures to<br />
achieve a suitable level of protection that ensures the confidentiality of the service<br />
"mypostnord", cf. the personal protection regulation article 32 no. 1 and no. 2.<br />
<br />
<br />
The deadline for carrying out the orders appears in section 7 of the decision.<br />
<br />
3 More about the facts of the case<br />
<br />
The background to the case is two notifications of breaches of personal data security from POSTNORD<br />
AS ("PostNord").<br />
<br />
<br />
The notice of 24 February 2020 (doc. no. 20/00643-1) applies to a person who has taken over a<br />
mobile phone number and thus gained access to the customer profile of the number's previous owner at<br />
POSTNORD ("Message 1").<br />
<br />
<br />
The notice of 6 March 2020 (doc. no. 20/00799-1) applies to a POSTNORD customer who at<br />
registration entered the wrong mobile number. All subsequent information was then sent to this<br />
mobile number, and the owner of the mistyped mobile number gained access to the whole<br />
customer profile ("Message 2").<br />
<br />
Postal address: Office address: Telephone: Org. no: Website:<br />
PO Box 458 Sentrum Trelastgata 3 22 39 69 00 974 761 467 www.datatilsynet.no<br />
0105 OSLO 0191 OSLO<br />
<br />
As both messages concern unauthorized access to customer profiles, we process<br />
the messages together.<br />
<br />
You explain in the messages that access to customer profiles means access to the customer's name,<br />
gender, date of birth, postal address, e-mail address, telephone number, order and payment history,<br />
as well as an overview of consignments en route and sender name. In addition, access to a<br />
customer profile gives the possibility to change notification settings.<br />
<br />
In the report of 24 February, it appears that the breach took place between 31 March 2017 and 21<br />
February 2020. In the report of 6 March, it appears that the breach took place between 8 August 2019 and<br />
March 6, 2020.<br />
<br />
The Norwegian Data Protection Authority has on two occasions asked PostNord to explain the facts of the case,<br />
including for risk assessment of and security in the mypostnord service, as well as for the location<br />
of processing responsibility in the PostNord group.<br />
<br />
In addition to the messages from PostNord and the company's explanations, the Norwegian Data Protection Authority has received tips<br />
from users who have experienced gaining access to other users' personal data.<br />
<br />
In the notes to the notice, PostNord writes that the company takes note of the notice of order,<br />
and that the company has now carried out a risk assessment and identified suitable measures to ensure<br />
the confidentiality of the mypostnord service.<br />
<br />
<br />
4 The requirements of the regulations<br />
<br />
4.1 Data controller<br />
<br />
The "controller" is the person who determines the purpose of the processing and which<br />
means are to be used, cf. the Personal Data Protection Ordinance, Article 4 No. 7.<br />
<br />
4.2 Basic principles for processing personal data<br />
<br />
The basic principles for processing personal data follow<br />
the personal protection regulation article 5 no. 1. We refer to article 5 no. 1 letter a, b, c and f:<br />
<br />
<br />
1. Personal data must<br />
<br />
a) is processed in a legal, fair and transparent manner with regard to the data subject<br />
("legality, fairness and transparency"),<br />
<br />
b) is collected for specific, expressly stated and legitimate purposes and not<br />
is further processed in a way that is incompatible with these purposes (...)<br />
<br />
("purpose limitation"),<br />
<br />
<br />
c) be adequate, relevant and limited to what is necessary for the purposes they<br />
processed for ("data minimization"), (...)<br />
<br />
f) processed in a way that ensures sufficient security for the personal data,<br />
including protection against unauthorized or illegal processing (...) using suitable<br />
technical or organizational measures ("integrity and confidentiality")".<br />
<br />
<br />
2. The controller is responsible for and must be able to demonstrate that<br />
the privacy principles are observed, cf. Article 5 no. 2.<br />
<br />
4.3 Safety of processing<br />
<br />
Article 32 of the Personal Data Protection Regulation sets out requirements for security around the processing of<br />
personal data:<br />
<br />
1. Taking into account the technical development, implementation costs and<br />
the nature, scope, purpose and context of the processing, as well as the risks<br />
of varying degrees of probability and severity for the rights of natural persons<br />
and freedoms, the data controller and the data processor must carry out suitable<br />
technical and organizational measures to achieve a level of security that is suitable with<br />
consideration of the risk, including, among other things, depending on what is suitable,<br />
<br />
a) pseudonymisation and encryption of personal data,<br />
<br />
<br />
b) ability to ensure continued confidentiality, integrity, availability and robustness<br />
in the processing systems and services, (…)<br />
<br />
d) a process for regular testing, analysis and assessment of how effective<br />
the processing's technical and organizational security measures are.<br />
<br />
<br />
2. When assessing the appropriate level of security, special consideration must be given to the risks<br />
associated with the processing, particularly as a result of (...) unauthorized disclosure of<br />
or access to personal data that has been transferred, stored or otherwise<br />
treated".<br />
<br />
<br />
5 The Norwegian Data Protection Authority's assessment<br />
<br />
5.1 Data controller<br />
<br />
Based on the information PostNord has sent us, we assume that the company<br />
PostNord AS is responsible for the processing of personal data through<br />
the mypostnord service, cf. the personal data protection regulation article 4 no. 7.<br />
<br />
5.2 Security of processing<br />
According to PostNord, "mypostnord" is a service created for private customers who use the company's<br />
forwarding services. The purpose of the service is to give the customer an overview of consignments on their way<br />
<br />
to or from them:<br />
<br />
The purpose of MyPostNord for private recipients is to give consumers their own, private space<br />
towards PostNord, where they can get information about their consignments and adapt their delivery<br />
by making changes to shipments that are on their way to them.<br />
<br />
<br />
The background to this case is two notifications of a breach of personal data security from<br />
PostNord, where new users have gained access to previous users' personal data. This<br />
happened because the new users had been assigned phone numbers that previously belonged to others<br />
users at PostNord. The Norwegian Data Protection Authority has also received tips from people who have experienced receiving<br />
access to other users' personal data in mypostnord.<br />
<br />
PostNord explains the incidents the company has reported as follows:<br />
<br />
<br />
Access to the "previous owner's" profile will be possible if the mobile number changes ownership at the<br />
telecom operator, and the "former owner" of the telephone number has not deleted his profile at<br />
PostNord before changing the telephone number, or it has not been at least 2 years since the "previous<br />
owner" cancelled his number with the telecom operator until the "new owner" is assigned the number by the<br />
telecom operator. The "new owner" will then be able to log in to the profile linked to the telephone number<br />
(since this is verified through an SMS that the "new owner" can receive), and will not be asked<br />
about creating a new profile at PostNord.<br />
<br />
For the telecommunications operators, it is also common practice that telephone numbers that become available,<br />
among other things because subscriptions are terminated, are not transferred to a new owner before three months<br />
have passed, precisely to ensure that new owners do not receive inquiries concerning the previous owner,<br />
which is the situation here. The exception is in the case of direct sales of telephone numbers between two<br />
persons, i.e. "former owner" and "new owner", where you go outside the system of<br />
the telecommunications operators, see case 2 below. The "previous owner" in this case has not updated<br />
the services within this period. Previous shipments are also not available in the<br />
profile given this procedure of not transferring phone numbers for a minimum of three<br />
months, since shipments are deleted from the profile after 14 days.<br />
<br />
The reason why the "new owner" will gain access to the profile is that the "previous owner" e.g. has not<br />
updated his profile with his new phone number in the online store that makes<br />
shipments through PostNord and/or in the profile at PostNord, or that the "old<br />
owner", through an oversight, enters their previous telephone number when ordering in an<br />
online store. The online store will then use the former number of the "former owner" at<br />
shipment to the "new owner", and the "new owner" will then receive a notification with shipment from<br />
PostNord with a link to the profile at PostNord. If, on the other hand, the "previous owner" enters his new<br />
phone number when ordering or has updated their profile, the situation will not arise,<br />
and that may be part of the reason why such events happen very rarely.<br />
<br />
"New owner" does not have to access the profile to get information about shipments<br />
(the SMS provides the name of the recipient, the sender (company) and the collection point) or to<br />
receive packages. But the "new owner" can then choose to access the profile themselves. This<br />
despite the fact that the person concerned is aware that the SMS is not for him, since that<br />
appears from the SMS by who is the recipient. The "new owner" has thus accessed a<br />
profile this person knows they do not have the right to access.<br />
<br />
<br />
Article 32 of the Personal Data Protection Regulation requires the data controller to carry out<br />
technical and organizational measures to achieve a level of security that is suitable with regard to<br />
the risk.<br />
<br />
The question in our case is whether the level of protection in mypostnord is suitable with regard to the risks<br />
when processing personal data in the system, including whether the current level of protection<br />
sufficiently ensures ongoing confidentiality of the personal data in the system, cf.<br />
article 32 no. 1 letter b.<br />
<br />
The risks to the rights and freedoms of natural persons<br />
<br />
Before we assess whether the current level of protection is suitable, we want to say something about the risks to<br />
the data subjects' rights and freedoms related to the processing of personal data in<br />
mypostnord.<br />
<br />
<br />
According to Article 32 no. 1 and no. 2, the data controller must carry out suitable technical<br />
measures in their processing systems based on the risks associated with the processing.<br />
The measures must, among other things, safeguard the "ability to ensure continued confidentiality" in<br />
the controller's systems and services, cf. article 32 no. 1 letter b.<br />
<br />
<br />
When assessing which measures are suitable, the data controller must take into account<br />
the technical development, implementation costs and the nature, scope, purpose of the processing,<br />
and the context in which it is carried out, as well as the risks of varying probability and<br />
degree of severity for the rights and freedoms of the data subjects.<br />
<br />
As a first step in ensuring an appropriate level of security, Article 32(1) requires<br />
controllers to identify the risks associated with the processing of personal data.<br />
<br />
This objective assessment, often called a "risk assessment", must identify the risks to<br />
the rights and freedoms of natural persons. The risks identified by the controller<br />
through the assessment govern which technical and organizational measures the<br />
data controller must implement to ensure a suitable level of protection, cf. article 32 no.<br />
1 and no. 2.<br />
<br />
Recital 76 of the Personal Data Protection Regulation states the following about the assessment:<br />
<br />
How likely and serious the risk to the data subject's rights and freedoms is should be<br />
determined based on the nature, scope, purpose and context of the processing in which it is carried out.<br />
The risk should be assessed based on an objective assessment in which it is determined whether the processing of<br />
the personal data involves a risk or a high risk.<br />
<br />
(our emphasis).<br />
<br />
In our demand for an explanation, we asked PostNord to send us the company's risk assessment for<br />
mypostnord and related processing systems. In its statement, PostNord refers to<br />
the document "Security assessment MyPostNord".<br />
<br />
In the submission, PostNord has not documented when the assessment was carried out.<br />
<br />
<br />
In order to be able to demonstrate that the principles are adhered to, cf. art. 5 no. 2, and to be able to "ensure and demonstrate that<br />
the processing is carried out in accordance with this regulation", cf. art. 24 no. 1, a systematic<br />
approach to the work with regulatory compliance is necessary. PostNord must be able to demonstrate<br />
the time of the assessment, including so that the Norwegian Data Protection Authority can check that it was<br />
carried out before the processing of personal data started. This is not possible from<br />
the documentation PostNord has sent.<br />
<br />
<br />
Furthermore, the submitted risk assessment lacks a systematic overview and assessment of<br />
relevant risks related to the company's processing of personal data in the service.<br />
<br />
The Personal Data Protection Regulation does not specify a methodology for carrying out risk assessments, but<br />
the controller must, in light of the accountability principle, have a systematic approach<br />
to regulatory compliance, which means that it has documented and can demonstrate compliance, cf. Article 5<br />
no. 2.<br />
<br />
The data controller must at least be able to demonstrate that they have an overview of relevant<br />
risks, that they have assessed them to a sufficient extent and implemented suitable measures to reduce<br />
the risk of a breach of personal data security. We cannot see that the risk that a<br />
user's personal data go astray via mypostnord is assessed to a sufficient extent in<br />
the documentation the company has sent us. Nor has PostNord assessed the particular<br />
risk of breach of confidentiality that the service entails for new users of a<br />
telephone number acquired via direct sales, where confidential information can be disclosed to<br />
unauthorized persons.<br />
<br />
The most widespread way of carrying out risk assessments is to list relevant<br />
risk scenarios and assess the probability and consequence of each. On the basis of<br />
the assessment, it is determined whether the risks are acceptable or whether measures must be implemented.<br />
If the risks are not acceptable, various risk-reducing measures are assessed and a decision is made on<br />
which are suitable. One then specifies who will carry out the various measures and<br />
the deadline for implementation. We recommend that PostNord adopts a recognized methodology for<br />
carrying out risk assessments, for example based on ISO 27001.<br />
<br />
Our preliminary assessment is that the risk assessment PostNord has sent us does not to a sufficient<br />
degree identify the risks associated with the company's processing of personal data in<br />
mypostnord. The assessment has key shortcomings that make it unsuitable for identifying the risks<br />
in the processing as required by Article 32 no. 1 and no. 2.<br />
<br />
In what follows, we will say something overall about the risk to the rights and freedoms of the data subjects<br />
when using mypostnord, as the risks govern which technical measures PostNord, as<br />
data controller, must carry out in the service.<br />
<br />
<br />
According to PostNord, the following information is stored in a customer profile in mypostnord:<br />
<br />
• First name, last name, mobile number, e-mail, photo, date of birth and gender (where the last three<br />
are not required to be filled in, and are rarely filled in by users).<br />
• Address.<br />
• Packages on the way with the name of the sender (company name). This information is kept only<br />
for 14 days in the archive in the profile.<br />
• Notification settings, i.e. which notifications the person concerned wants to receive from PostNord,<br />
as e-mail or SMS.<br />
• Business recipients or contract customers you are associated with (and administration of these if<br />
the role dictates it).<br />
• What types of notification (i.e. notification of receipt of shipment) were sent when, through which<br />
channel and with what status (but not content).<br />
• Payment history (date, type, shipment number, amount, status, payment method,<br />
reference and transaction identifier). This is only data vis-à-vis PostNord if<br />
additional services have been purchased from PostNord, such as Flex, i.e. changed delivery location (but then it says<br />
only "Flex" in the profile), own shipment (then only "Mypack GO") or cash on delivery (then<br />
only "CashOnDelivery"). Payment history may be deleted by the user.<br />
• PostNord Plus level, if you are a member of PostNord, which only indicates how many<br />
packages have been sent from PostNord and which user level you are at ("Gold", "Silver"<br />
or "Basic"), but no information about packages etc.<br />
<br />
This information is not, in principle, special categories of personal data according to<br />
Article 9 of the Personal Data Protection Regulation.<br />
<br />
<br />
However, the information may still be of a sensitive nature for the data subjects, and this<br />
applies in particular to the dispatch history with information on the name of the sender. PostNord has a<br />
large market share in the Nordics, and is used by many different types of online shops, including pharmacies.[1]<br />
<br />
PostNord is not only covered by the provisions of the Personal Data Protection Regulation, but also by<br />
the Postal Act. Section 30 of the Postal Act states that providers of postal services have a duty of confidentiality regarding:<br />
<br />
"[...] information about the sender's and recipient's use of the postal service, [...] the sender's and<br />
recipient's business or personal circumstances and [...] the content of postal deliveries".<br />
<br />
According to the Postal Act, the provider is obliged to "implement measures to prevent<br />
unauthorized parties from becoming aware of the information". The Norwegian Data Protection Authority is not the supervisory authority for<br />
the Postal Act, but the provision on confidentiality is nevertheless suitable to say something about the sensitivity<br />
of the information to which this case applies.<br />
<br />
[1] See, for example, the online stores of Apotek 1, Boots Apotek, Vitusapotek and Farmasiet.no,<br />
https://www.apotek1.no/kundesenter/frakt-og-levering, https://www.boots.no/frakt-og-levering,<br />
https://www.vitusapotek.no/kundeservice/levering-og-betaling/a/A1361,<br />
https://www.farmasiet.no/kundesenter/frakt-og-levering (last visited 25.05.22).<br />
<br />
We also note that the correspondence of natural persons is at the core of the right to privacy under<br />
Article 8 of the European Convention on Human Rights.<br />
<br />
The integrity and confidentiality principle is a fundamental principle for the processing of<br />
personal data, cf. article 5 no. 1 letter f.<br />
<br />
Measures to achieve a suitable level of security with respect to the risk<br />
<br />
The next question is whether PostNord has implemented suitable technical measures that ensure a<br />
suitable level of protection in mypostnord in light of the risks involved in processing personal data,<br />
cf. the Personal Data Protection Regulation article 32 no. 1.<br />
<br />
<br />
PostNord states that the technical measures which as of today have been introduced in mypostnord fulfil<br />
the requirement for technical measures and ensure a suitable level of security according to Article 32:<br />
<br />
Confidentiality is ensured by requiring authentication from a telephone number, see<br />
above, and the risk of access when changing the telephone number is very small. In addition,<br />
there are no alternative measures that would increase security with regard to the personal data<br />
which is available in the solution and accessibility for users, see below. Use of<br />
the telephone number is also an industry standard, and this is also the solution that, among others, Posten<br />
uses.<br />
<br />
The duty of confidentiality under the Postal Act is respected with the solution that has been chosen, and there are<br />
no solutions or measures that provide more security. Previously, a notification about a package was sent<br />
out by post to the mailbox, and such a solution provides less security (because most people do not have<br />
locked mailboxes) than the solution currently used.<br />
<br />
It should also be specified that, given the level of security as mentioned, the incident is due to the<br />
data subject's own circumstances, as well as to the recipient of the SMS notification ("new owner") having acted<br />
against their better judgment, if the person concerned has accessed the previous owner's profile.<br />
<br />
<br />
As of today, PostNord uses the telephone number as an identifier for access to services and profiles<br />
at the company:<br />
<br />
The mobile number is used as identifier for access to services and profiles at<br />
PostNord which, according to PostNord's assessment, see the attached risk assessment, provides an<br />
adequate security level and risk level considering the information that is processed and<br />
which is available on the recipient's (the registered person's) profile as well as in the SMS notification, that this is<br />
limited information and not of a sensitive nature or special categories, and that there is a<br />
need to receive notifications about packages quickly and easily, and correspondingly for access to<br />
one's own profile and the services therein (type, scope, purpose and the context in which they are performed), see<br />
also below, the availability of the services (usability), the level of security<br />
which is available and practices for such information and services (the technical<br />
development), the implementation costs (such that this is a more expensive solution than<br />
e-mail (a cost of approx. NOK 2.6 million per year), but BankID is a very expensive<br />
solution, with approx. NOK 10.8 million per year).<br />
<br />
(Our emphasis)<br />
<br />
We disagree with this assessment.<br />
<br />
<br />
Our view is that the authentication of users in mypostnord only with the use of a telephone number does not<br />
ensure a suitable level of protection that ensures the confidentiality of the service, cf.<br />
the Personal Data Protection Regulation article 32 no. 1 letter b.<br />
<br />
Firstly, the current arrangement with a telephone number as the only authentication means that<br />
people who buy phone numbers via direct sales, and who visit mypostnord, will get<br />
access to the previous owner's personal data, including shipment information.<br />
<br />
PostNord states that the shipment information is only stored for 14 days, and that confidentiality for<br />
this information can only be broken if a telephone number changes owner through a<br />
direct transaction, where the telephone number is not covered by the telecommunications operators' quarantine period.<br />
<br />
PostNord is aware that direct sales of telephone numbers take place in Norway, and that this is not<br />
illegal, even if it takes place to a lesser extent than the allocation of telephone numbers from<br />
the telecom operators. As telephone numbers are a limited resource, and there are ever more of us in Norway,<br />
it follows logically that there will be an increasing probability of similar cases of<br />
breach of confidentiality in the future. If PostNord's market share in Norway increases,<br />
the probability increases further.<br />
<br />
<br />
Secondly, the current arrangement means that people who are allocated a new telephone number from<br />
a telecommunications operator will gain access to the personal data of the former owner of<br />
the phone number when the new owner uses mypostnord.<br />
<br />
According to the Personal Data Protection Regulation, PostNord is further obliged to ensure the confidentiality of all<br />
personal data it processes as data controller.<br />
<br />
<br />
After shipment information has been deleted after 14 days, mypostnord stores the rest of<br />
the personal data for one year before they are deleted. As the quarantine period for reuse of<br />
telephone numbers distributed via the telecom operators is less than a year, there is a much higher<br />
likelihood that the confidentiality of this information will be breached. The arguments about<br />
telephone numbers as a limited resource and a potential increase in PostNord's market share are even<br />
more relevant here.<br />
<br />
<br />
PostNord itself states that "The information [...] is basic information that is<br />
necessary for recipients from PostNord, and not to be regarded as sensitive or intrusive for<br />
the receiver". This is hardly a valid argument for all users, and in any case not a free pass<br />
to allow breaches of confidentiality, even if this applies to a small number of users.<br />
<br />
Our assessment is that with the current level of protection, unauthorized persons will regularly gain<br />
access to users' personal data in mypostnord.<br />
<br />
We note that the responsibility for ensuring the security of personal data according to<br />
the data protection regulation lies with the data controller, and that PostNord cannot push<br />
this responsibility onto the end user with the argument that a user with a new telephone number<br />
should have understood that they were in the process of gaining access to other people's personal data and thus<br />
"acted against better judgment".<br />
<br />
Based on this, our assessment is that PostNord has not carried out suitable technical<br />
measures to achieve a suitable level of protection in the mypostnord service. The company has not<br />
implemented suitable measures that ensure continued confidentiality in the service.<br />
<br />
Our conclusion is therefore that PostNord has breached Article 32 of the Personal Data Protection Regulation.<br />
<br />
<br />
<br />
6 Assessment of corrective measures<br />
<br />
Our assessment is that PostNord has not implemented suitable technical measures to ensure a suitable<br />
level of protection and confidentiality in mypostnord, cf. the personal data protection regulation article 32 and<br />
article 5 no. 1 letter f, as the service is designed today.<br />
<br />
We therefore consider it necessary to order PostNord to carry out technical measures to ensure an<br />
adequate level of protection and safeguard confidentiality in mypostnord.<br />
<br />
<br />
The order means, firstly, that PostNord must identify the risks associated with<br />
the processing of personal data in mypostnord in line with article 32 no. 1 and no. 2, cf.<br />
recital 76.<br />
<br />
Furthermore, the order implies that PostNord must implement suitable technical measures to ensure a<br />
suitable level of protection and confidentiality in mypostnord. The company must take measures that<br />
prevent people who get a new telephone number through direct sales or allocation from a<br />
telecom operator from gaining unauthorized access to other users' personal data at PostNord.<br />
<br />
In the notes to the notice, PostNord writes the following:<br />
<br />
On the basis of this case, PostNord has carried out a risk assessment (see<br />
attached appendix). In the risk assessment, we have mapped the risks we perceive to be relevant, in<br />
addition to identifying suitable technical and organizational risk-reducing measures.<br />
PostNord has assessed that the risk will be reduced considerably by the introduction of suitable<br />
measures.<br />
<br />
In order to satisfy PostNord's own target requirements for adequate security, PostNord has<br />
decided to introduce additional requirements for logging into the MyPostNord application.<br />
PostNord has assessed that the introduction of two-factor identification will raise<br />
the security level in MyPostNord. This will mean introducing a personal<br />
password in addition to the current solution with a code via SMS. Furthermore,<br />
the probability of an unauthorized person gaining access to the system is considered negligible<br />
(provided that one does not have access to the personal password or SMS code).<br />
<br />
As mentioned in the notice, we do not require PostNord to carry out specific technical measures in order to<br />
achieve a suitable level of security and confidentiality. This is because it is the company's task to itself<br />
identify suitable technical measures in light of the identified risk to natural persons'<br />
rights and freedoms arising from the processing of personal data in the service.<br />
<br />
We nevertheless mention that we agree that the described measures will be an appropriate way to<br />
ensure the confidentiality of mypostnord on<br />
<br />
Our authority to order the company to implement suitable technical measures to achieve a<br />
suitable level of protection and confidentiality is the Personal Data Protection Regulation article 58 no. 2 letter<br />
d.<br />
<br />
7 Right of appeal and further proceedings<br />
<br />
You can appeal the decision. Any complaint must be sent to us within three weeks of<br />
receipt of this letter, cf. the Public Administration Act §§ 28 and 29. If we uphold our decision, we will<br />
forward the case to the Privacy Board for complaint processing.<br />
<br />
The deadline for carrying out the order is 4 weeks after the expiry of the appeal period. If you don't<br />
appeal the order, you must send us a written confirmation within this deadline, as well as<br />
documentation that the order has been carried out.<br />
<br />
<br />
8 Publicity, transparency and confidentiality<br />
<br />
We would like to inform you that all documents are in principle public, cf.<br />
the Public Relations Act § 3. If you believe there are grounds for exempting all or part of<br />
the document from public inspection, we ask you to give reasons for this.<br />
<br />
The Norwegian Data Protection Authority has a duty of confidentiality regarding who has notified us of a breach of<br />
the Personal Data Act with the Personal Data Protection Regulation, and about their personal circumstances.<br />
The duty of confidentiality follows, among other things, from the Personal Data Act § 24 and the Public Administration Act § 13.<br />
As a party to the case, you may nevertheless be made aware of such information by the Norwegian Data Protection Authority, cf.<br />
the Public Administration Act § 13 b first paragraph no. 1. You also have the right to inspect the case's documents,<br />
cf. Section 18 of the Public Administration Act.<br />
<br />
We draw your attention to the fact that you have a duty of confidentiality regarding information you receive from the Norwegian Data Protection Authority about<br />
the identity of persons who report breaches of the Personal Data Act with<br />
the Personal Data Protection Regulation, their personal circumstances and other identifying information, and that you<br />
can only use this information to the extent necessary to safeguard<br />
your interests in this matter, cf. the Public Administration Act § 13 b second paragraph. We also<br />
note that breach of this duty of confidentiality can be punished according to Section 209 of the Criminal Code.<br />
<br />
If you have any questions about the case, you can contact us by e-mail omm@datatilsynet.no or<br />
telephone 22 39 69 59.<br />
<br />
<br />
<br />
<br />
With best regards<br />
<br />
<br />
Ylva Marrable<br />
section manager<br />
<br />
Ole Martin Moe<br />
senior legal advisor<br />
<br />
The document is electronically approved and therefore has no handwritten signatures<br />
</pre></div>
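The decision above turns on one design point: a profile whose only authentication is proof of control of a mobile number belongs, in practice, to whoever is later assigned that number, because the SMS code is delivered to the current holder. The following Python model is an added example, not code from the decision, from PostNord or from GDPRhub. It keys profiles by mobile number as the decision describes for mypostnord, simulates a telecom reassigning a number without a quarantine period, and contrasts the phone-only login with the personal-password-plus-SMS-code login PostNord says it will introduce. The telecom behaviour, the PBKDF2 password hashing, and all names, numbers and shipments are constructed for illustration.

```python
"""Added example: profile store keyed by mobile number, with a phone-only
login and a password-plus-SMS-code login. Not code from the decision or from
PostNord; every name, number and message below is constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    shipments: list[str]                 # packages on the way, with sender name
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    password_hash: bytes | None = None   # None: no personal password set


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 (our choice here), a slow hash for stored passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Telecom:
    """Constructed operator: tracks who holds a number and delivers SMS to the
    current holder, which is exactly why reassignment of a number matters."""

    def __init__(self) -> None:
        self.holder: dict[str, str] = {}
        self.inbox: dict[str, list[str]] = {}

    def assign(self, number: str, person: str) -> None:
        self.holder[number] = person

    def deliver_sms(self, number: str, text: str) -> None:
        self.inbox.setdefault(self.holder[number], []).append(text)

    def last_sms(self, person: str) -> str:
        return self.inbox[person][-1]


class ProfileService:
    def __init__(self, telecom: Telecom) -> None:
        self.telecom = telecom
        self.profiles: dict[str, Profile] = {}
        self.pending_codes: dict[str, str] = {}   # number -> unused one-time code

    def register(self, number: str, name: str, shipments: list[str],
                 password: str | None = None) -> None:
        profile = Profile(name, shipments)
        if password is not None:
            profile.password_hash = hash_password(password, profile.salt)
        self.profiles[number] = profile

    def request_code(self, number: str) -> None:
        """Send a fresh six-digit one-time code to whoever holds the number."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_codes[number] = code
        self.telecom.deliver_sms(number, code)

    def _consume_code(self, number: str, code: str) -> bool:
        expected = self.pending_codes.pop(number, None)   # single use
        return expected is not None and hmac.compare_digest(expected, code)

    def login_phone_only(self, number: str, code: str) -> Profile | None:
        """The design the decision criticises: only control of the number is
        proven, so the profile follows the number rather than the person."""
        if number in self.profiles and self._consume_code(number, code):
            return self.profiles[number]
        return None

    def login_password_and_code(self, number: str, password: str,
                                code: str) -> Profile | None:
        """The measure PostNord describes: a personal password bound to the
        account plus the SMS code. A new holder of the number lacks the password."""
        profile = self.profiles.get(number)
        if profile is None or profile.password_hash is None:
            return None
        password_ok = hmac.compare_digest(
            hash_password(password, profile.salt), profile.password_hash)
        code_ok = self._consume_code(number, code)   # consume the code either way
        return profile if password_ok and code_ok else None


def recycled_number_scenario() -> dict[str, bool]:
    """Previous owner registers; the number is reassigned; the new holder tries
    both login flows with the code that now arrives on their handset."""
    number = "+47 900 00 000"                        # constructed number
    telecom = Telecom()
    telecom.assign(number, "previous owner")
    service = ProfileService(telecom)
    service.register(number, "Previous Owner", ["parcel from a pharmacy"],
                     password="correct horse battery")

    service.request_code(number)
    legitimate = service.login_password_and_code(
        number, "correct horse battery", telecom.last_sms("previous owner"))

    telecom.assign(number, "new owner")              # reassigned, no quarantine
    service.request_code(number)
    phone_only = service.login_phone_only(number, telecom.last_sms("new owner"))

    service.request_code(number)
    guessed = service.login_password_and_code(
        number, "not the password", telecom.last_sms("new owner"))

    return {
        "legitimate_owner_login_ok": legitimate is not None,
        "phone_only_exposes_previous_owner": phone_only is not None,
        "password_and_code_blocks_new_holder": guessed is None,
    }


if __name__ == "__main__":
    for check, result in recycled_number_scenario().items():
        print(f"{check}: {result}")
```

The scenario makes the decision's two findings concrete: with the phone-only flow the new holder of the number reads the previous owner's shipment list without doing anything the system treats as wrong, while the password-plus-code flow fails for them and still succeeds for the person who set the password. A deployment would also need to consider how the password is set for existing profiles and how a stale profile bound to a reassigned number is retired, which the decision leaves to the controller's own risk assessment.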
AK
https://gdprhub.eu/index.php?title=Garante_per_la_protezione_dei_dati_personali_(Italy)_-_9832838&diff=30443
Garante per la protezione dei dati personali (Italy) - 9832838
2023-01-18T12:50:05Z
<p>AK: </p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Italy<br />
|DPA-BG-Color=background-color:#095d7e;<br />
|DPAlogo=LogoIT.png<br />
|DPA_Abbrevation=Garante per la protezione dei dati personali<br />
|DPA_With_Country=Garante per la protezione dei dati personali (Italy)<br />
<br />
|Case_Number_Name=9832838<br />
|ECLI=n/a<br />
<br />
|Original_Source_Name_1=il Garante per la Protezione dei Dati Personali<br />
|Original_Source_Link_1=https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9832838<br />
|Original_Source_Language_1=Italian<br />
|Original_Source_Language__Code_1=IT<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=<br />
|Date_Decided=10.11.2022<br />
|Date_Published=10.11.2022<br />
|Year=2022<br />
|Fine=20,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(a) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1a<br />
|GDPR_Article_2=Article 9(2)(b) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#2b<br />
|GDPR_Article_3=Article 13 GDPR<br />
|GDPR_Article_Link_3=Article 13 GDPR<br />
|GDPR_Article_4=Article 30(1)(c) GDPR<br />
|GDPR_Article_Link_4=Article 30 GDPR#1c<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 157 of the Codice in Materia di Protezione dei Dati Personali<br />
|National_Law_Link_1=https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9042678<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=Sportitalia (the controller)<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=<br />
|<br />
}}<br />
<br />
The Italian DPA fined a sports club €20,000 for the illegal use of a fingerprint system to register the attendance of its employees at work. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Sportitalia, an amateur sports club (the controller), manages several fitness clubs in Milan. The controller installed a system that collected biometric data (fingerprints) of its employees (the data subjects) to record their attendance at the sports clubs, to make it easier for them to record the entry and exit times from work, and to adopt a simpler and faster system than the badge-based system previously in use. This biometric system was installed in the registered office of the controller and its seven clubs, with a total of 132 data subjects concerned. <br />
<br />
In October 2018, a trade union organisation lodged a complaint with the Italian DPA against the controller claiming that the system was illegal. The DPA initiated an investigation followed by a sanctioning procedure. <br />
<br />
During the procedure, the controller submitted that the processing of the data subjects' data was based on free and express consent. The controller emphasised that the data subjects could refuse the use of the biometric system in favour of the badge, although no data subject requested the use of this alternative method. In its defence, the controller stated that this system had the sole purpose of detecting the attendance of employees in order to facilitate the registration of entry and exit times. The controller also argued that it had acted in good faith and transparency with the data subjects by informing them that they could refuse to grant consent to the use of this biometric system or that they could withdraw their consent at any time. The controller indicated that, as of 2 May 2022, it would discontinue using the biometric system and erase all acquired data, returning to the traditional badge registration system. For this reason, the controller instructed its processor to erase the biometric data collected and processed during the use of the fingerprint scanning device.<br />
<br />
=== Holding ===<br />
The Italian DPA noted that biometric data constitute sensitive data under [[Article 9 GDPR|Article 9(1) GDPR]]. Additionally, any processing of personal data must have a legal basis in accordance with the principle of lawfulness ([[Article 5 GDPR|Article 5(1)(a) GDPR]]). In this regard, the DPA observed that, contrary to the statements made during the preliminary investigation, the controller did not offer data subjects a genuine possibility to revoke consent and switch to a traditional badge-based system. Hence, there was no free and explicit consent to process personal data ([[Article 9 GDPR|Article 9(2)(a) GDPR]]). Although the purposes of monitoring employee attendance and verifying compliance with working hours may be lawful under [[Article 9 GDPR|Article 9(2)(b) GDPR]], the processing of biometric data would only be lawful to the extent that it is authorised by national law or EU law and that it safeguards the rights and freedoms of data subjects. This means that the processing must be in line with the principles under [[Article 5 GDPR]] and respect data subject rights, such as the right to information. <br />
<br />
The only information provided to the data subjects concerning the processing of biometric data was contained in a short paragraph in the privacy notice concerning the general nature of the processing carried out in the context of the employment relationship. The controller did not clearly inform the data subjects about the processing of their biometric data. The DPA declared that in the context of the employment relationship, the obligation to inform the employee is also an expression of the principle of fairness ([[Article 5 GDPR#1a|Article 5(1)(a) GDPR]]). Thus, by not providing sufficient information, the controller breached [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]] and [[Article 13 GDPR|Article 13 GDPR]]. Additionally, the controller's record of processing activities failed to list biometric data among the categories of data processed and failed to provide a description of such processing, which led the Italian DPA to find a violation of [[Article 30 GDPR#1c|Article 30(1)(c) GDPR]]. <br />
<br />
Since the controller did not safeguard the rights of the data subjects, it also did not meet the requirements of [[Article 9 GDPR|Article 9(2)(b) GDPR]], meaning there was no valid legal basis for the processing of biometric data. <br />
<br />
Considering, among others, the nature of the infringement (violation of general data processing principles), seriousness and duration of the infringement (just under four years) as well as the controller's cooperation with the DPA, and the absence of any previous relevant violations by the controller, the Italian DPA imposed a fine upon the controller of €20,000.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.<br />
<br />
<pre><br />
SEE NEWSLETTER OF 22 DECEMBER 2022<br />
<br />
[doc. web no. 9832838]<br />
Injunction against Sportitalia, a limited liability amateur sports club - 10 November 2022<br />
Register of measures<br />
no. 369 of 10 November 2022<br />
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA<br />
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;<br />
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");<br />
HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");<br />
HAVING REGARD to the report presented on 15 May 2019 by SLC CGIL against Sportitalia, an amateur sports club with limited liability;<br />
HAVING EXAMINED the documentation in the deeds;<br />
HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;<br />
RAPPORTEUR Prof. Ginevra Cerrina Feroni;<br />
WHEREAS<br />
1. The report to the Company and the outcome of the inspections.<br />
With a report dated 15 May 2019, the SLC CGIL complained that, starting from October 2018, at the Get Fit Clubs in Milan managed by Società Sportitalia, an amateur sports club with limited liability (hereinafter, the Company), "an attendance clocking system was introduced, with a biometric terminal (fingerprint detection) for all employees and collaborators in order to register access to and attendance at the Clubs".<br />
The introduction of the biometric system, carried out despite the reporting organisation's request that the Company adopt "less invasive means - choosing non-biometric procedures", would have occurred in violation of the principles of lawfulness, necessity and proportionality.<br />
On 5 September 2019, the Authority sent the Company an invitation to provide information on the facts reported and, on 10 January 2020, as no response was received, a request for information pursuant to art. 157 of the Code.<br />
Since the Company did not respond in this case either, the Authority delegated the special privacy and technological fraud unit of the Guardia di Finanza to notify the act initiating the sanctioning procedure, pursuant to art. 166, paragraph 5, of the Code, in relation to the alleged violation of the same art. 166, paragraph 2 (which establishes that the violation of article 157 of the Code is subject to the administrative sanction pursuant to article 83, paragraph 5, of the Regulation). The Unit was also delegated to acquire the information already requested from the Company in relation to the facts reported.<br />
On 28, 29 and 30 September 2021, inspections were carried out at the Company's registered office, during which, in addition to the notification of the initiation of the sanctioning procedure for the violation of art. 166, paragraph 2, of the Code, the following statements were recorded in the minutes:<br />
a. at the company's registered office and at the 7 local units ("clubs with the GET-FIT brand sign") "at present [...] a biometric detection system for employee attendance has been installed and is active [...]" (see report of 28/9/2021, p. 3);<br />
b. as regards the initiation of the sanctioning procedure subject to notification, the response to the Guarantor's request for information had been prepared with the help of the Data Protection Officer on 16 October 2019 and entrusted for dispatch via PEC (certified e-mail) to an employee of the company "who terminated the employment relationship in March 2021"; only following the notification of the act initiating the sanctioning procedure did the Company learn "that this communication was never sent [...]. The further communication from the Guarantor, sent by certified e-mail on 10 January 2020, although delivered to and received by the employee in charge of corporate correspondence, appears not to have been passed on to the employee [...] in charge of this task (who should then have forwarded it to the DPO for the necessary review), due to a dispatch error that was not detected or flagged" (see report of 29/9/2021, p. 5);<br />
c. the dates of installation of the biometric readers at the registered office and at the premises of the 7 GET-FIT clubs in Milan were provided (between 2-3 October 2018 and, in one case, 4 September 2020); in this regard, the Company specified that "after the initial phase of preliminary operating tests, which took place at the Head Office starting from 1 October 2018, the actual start of the processing took place for all clubs from 8 October 2018 with the first readings, while for the club in via Pinerolo from 8 September 2020" (see report cited, p. 6);<br />
d. the lawfulness of the processing carried out "is based on the specific and free consent expressed by each individual employee" (see report cited, p. 6);<br />
e. in this regard, the Company delivered some documents bearing a "Privacy information notice for employees", which also bears at the bottom a signature for acknowledgment and consent to the processing of biometric data by the employee, dated 8 September 2021 and 16 October 2018, relating to three employees (see Annex 9, report cited, p. 6);<br />
f. "to date, the company makes use of the collaboration of 132 employees, all affected by the processing in question"; furthermore "the system has been set up, in terms of hardware and software, to operate with the alternative badge method without the use of biometric data", although no employee has requested to use the alternative system (see aforementioned report, p. 7);<br />
g. the data contained in the biometric reader can be accessed, by entering a password, by employees with the role of "Club Manager" and, at the administrative office, by the IT systems officer (see report of 30 September 2021, p. 9);<br />
h. the biometric system, produced by Kronotech s.r.l. and supplied by Cronos s.r.l., processes "only the biometric model (template) which is created by processing upon registration of each user's biometric identification account" (see aforementioned report, p. 9);<br />
i. "the newly hired employee is entered in the KEROS registry by the administration office, which issues personal access credentials [...] for managing one's work account (attendance, absences, receipts, hours worked, leave requests, etc.)" (see report cited, p. 9);<br />
j. subsequently "the biometric identity is created (enrolment), with the association of the aforementioned numerical code to the biometric model (template) generated upon registration via fingerprint, the relative template remaining stored only in the physical device [...] present in the assigned club"; moreover "all 9 devices [...] are connected, from the various clubs, to a network via company VPN with ethernet cable, as the server in the central office [...] queries said biometric terminals in the remote offices on a daily basis to centralise the attendance data and then send them, via FTP protocol [...], to a CRONOS srl server with the aim of combining these data with the employees' personal data" (see report cited, p. 10);<br />
k. the method of comparison at the time of authentication by the employee is of the "one to many" type (see report cited, p. 10);<br />
l. "there is no logging of raw biometric data"; moreover, in relation to storage times, "when an employee terminates the employment relationship with the company [one] proceeds to request the termination, via e-mail, of the relative personal registry user from Cronos support, for subsequent action" (see report cit., p. 10).<br />
On 14 October 2021, the Company sent further documentation to address the reservations raised at the end of the inspection activities, in particular a copy of the register of processing activities kept by the Company, undated but, as indicated, "updated to 31.07.21". The Company also represented that "for the detection of personnel attendance and access, in addition to [the] biometric system, a detection system using a badge is also active".<br />
2. The initiation of the proceeding and the deductions of the Company.<br />
Given that, as already reported in the previous paragraph, during the inspections the Special Privacy and Technological Fraud Unit of the Guardia di Finanza notified the act initiating the sanctioning procedure in relation to the alleged violation of the same art. 166, paragraph 2 (with regard to art. 157 of the Code), on 3 March 2022 the Office carried out, pursuant to art. 166, paragraph 5, of the Code, a new notification to the Company of the alleged violations of the Regulation found, with reference to articles 5, par. 1, lit. a), 9, 13, 30, par. 1, lit. c) of the Regulation.<br />
With defence briefs dated 2 April 2022, the Company stated that:<br />
a. "the system for detecting biometric data of employees [...] has the sole purpose of detecting the presence of employees in order to facilitate the registration of entry and exit times";<br />
b. since "very often in the past [...] employees forgot to register, through the use of the badge, their arrival at or departure from the workplace, a circumstance that forced the employer to take disciplinary measures [...] it was decided to adopt this system, which is much leaner and faster";<br />
c. in relation to the biometric detection system "all employees [...] have given their free, specific and written consent";<br />
d. "employees are in any case informed of the possibility of not giving their consent to the processing of biometric personal data or of being able to revoke it at any time";<br />
e. the Company has therefore acted "in total good faith and transparency [and] if there has been a violation, it can only be considered negligent";<br />
f. in any case "with a view to total cooperation with the Privacy Guarantor, it is confirmed [...] that with effect from 2 May 2022 the use of the biometric data collection system for employee access will be discontinued, with simultaneous deletion of any data acquired, and only the traditional registration system will be used [...] through the use of the "badge"".<br />
Finally, during the hearing held on 6 June 2022, the Company declared that:<br />
a. "as soon as it received notification of the violations from the Authority [the company] decided to stop using the system. In particular, it is confirmed that the fingerprint detection system has been deactivated since 2 May";<br />
b. "Cronos s.r.l., the company that [...] supplied the system, has not [...] communicated any problematic aspect relating to the applicability of this system [...]. The total good faith of the company is therefore underlined”;<br />
c. “at the same time as the abandonment of the biometric system, the company asked Cronos s.r.l. to delete the collected data given that the extracted templates were stored only in the database of the company providing the service, while only the entry and exit data from the workplace were visible to the personnel office";<br />
d. "at the time of the contract with Cronos s.r.l. the company had not yet appointed the DPO. When the first request for information from the Guarantor arrived, in 2019, a response was prepared by the company which was also sent to the DPO for review who, on that occasion, raised some objections to the system (in this regard, please refer to the e-mail exchange in attachment 3 of the inspection report). However, this response was never sent to the Guarantor due to the failure of the employee responsible, who then resigned, to send it. As regards the second request for information sent by the Guarantor, the failure to respond is attributable to a mere oversight";<br />
e. "the biometric data have not been processed continuously since the introduction of the aforementioned detection system (about four years), considering that the gyms were closed for almost a year due to the pandemic and that even after reopening some employees remained on furlough, while others resigned. Therefore the number of employees was lower than at the time of activation of the system";<br />
f. "We are coming out of a disastrous period especially for gyms and the Guarantor is asked to take this into account when making its assessments, given that the financial situation of the sector in general and of the company in particular is still particularly difficult".<br />
3. The outcome of the investigation.<br />
3.1. The processing of biometric data carried out by the company.<br />
As a result of the examination of the declarations made to the Authority during the proceeding and of the documentation acquired, it appears that the Company, as controller, has carried out some processing operations, relating to its employees, which are not compliant with the regulations on personal data protection.<br />
In this regard, it should be noted that, unless the fact constitutes a more serious offence, anyone who, in a proceeding before the Guarantor, falsely declares or attests news or circumstances or produces false deeds or documents, is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".<br />
On the merits, it emerged that the Company has carried out, starting from October 2018, processing of its employees' personal data through the activation of a biometric system, aimed at verifying presence at work, based on the detection of the fingerprint and its association with a code assigned to the employee, in order to "help employees register their entry and exit times" and to adopt a "leaner and faster" system than the badge-based one previously in use.<br />
The processing concerned a significant number of data subjects, namely 132 employees, although in some periods of the health emergency the number of workers involved in the biometric processing was significantly lower.<br />
The only information provided to employees regarding the processing of biometric data is contained in a short paragraph within the information notice on the general processing carried out in the context of the employment relationship; moreover, the register of processing activities dated 31 July 2021 does not include biometric data among the types of data processed by the controller.<br />
It is acknowledged that, according to what was declared by the Company, on 2 May 2022 the biometric system was replaced by a non-biometric attendance recording system.<br />
Finally, it emerged that the Company did not respond to the request for information formulated by the Authority pursuant to art. 157 of the Code.<br />
The processing of personal data carried out by the Company, subject to verification, concerned the biometric data of employees, given that, as clarified by the Authority, this type of data is processed both in the registration phase (so-called enrolment, consisting of the acquisition of the data subject's biometric characteristics, in this case fingerprints; see points 6.1 and 6.2 of Annex A to the Guarantor's provision of 12 November 2014, no. 513, at www.garanteprivacy.it, web doc. no. 3556992) and in the biometric recognition phase, when attendance is recorded (see also point 6.3 of Annex A to the aforementioned provision).<br />
This also in light of the definition of biometric data provided by the Regulation ("personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data", art. 4, no. 14, of the Regulation), which has also included this type of data among the special categories of data (art. 9, paragraph 1, of the Regulation).<br />
3.2. Violation of articles 5, par. 1, lit. a) and 9 of the Regulation.<br />
The Company has delivered copies of some documents containing a "Privacy Policy for employees", referring to the generality of the processing carried out in the context of the employment relationship with the Company, which at the bottom, in the section "Acknowledgment by the employee - Consent to processing", bear the date and signature of the employee beside the following sentence: "As regards the processing of my biometric data (fingerprint) for the monitoring and recording of accesses/exits, which the Data Controller will process with the utmost attention and with the use of suitable computer systems, with this signature I give my express consent to the aforementioned processing for the purposes indicated" (the copies provided refer to three employees; see Annex 9, report of operations performed).<br />
In this regard, it is noted that, based on the regulations governing the protection of personal data, the processing of biometric data (as a rule prohibited pursuant to the aforementioned art. 9, paragraph 1, of the Regulation) is permitted only if one of the conditions indicated by art. 9, par. 2, of the Regulation applies and, with regard to processing carried out in the workplace, only when the processing is "necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject" (art. 9, paragraph 2, letter b), of the Regulation; see also art. 88, par. 1, and recitals 51-53 of the Regulation).<br />
Therefore, although in the employment context the purposes of recording employee attendance and verifying compliance with working hours may fall within the scope of art. 9, par. 2, lit. b) of the Regulation, as they imply processing "necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment [and social security and social protection law]" (see also art. 88, paragraph 1, of the Regulation), the processing of biometric data is nevertheless permitted only "in so far as it is authorised by Union or Member State law [...] providing for appropriate safeguards for the fundamental rights and the interests of the data subject" (Article 9, paragraph 2, letter b), and recitals 51-53 of the Regulation).<br />
In this framework, in order for a specific processing involving biometric data to be lawfully initiated, it is therefore necessary that it find its basis in a regulatory provision having the characteristics required by data protection law, also in terms of the proportionality of the regulatory intervention with respect to the aims pursued.<br />
The current regulatory framework also provides that the processing of biometric data, in order to be lawful, takes place in compliance with "further conditions, including limitations" (see Article 9, paragraph 4, of the Regulation).<br />
This provision has been implemented in the national legal system by art. 2-septies (Guarantee measures for the processing of genetic, biometric and health-related data) of the Code.<br />
This rule provides that the processing of these categories of data is lawful when one of the conditions referred to in art. 9, par. 2, of the Regulation applies "and in compliance with the guarantee measures established by the Guarantor" in relation to each category of data.<br />
The employer, as data controller, is in any case required to respect the principles of "lawfulness, fairness and transparency", "purpose limitation", "data minimisation" as well as "integrity and confidentiality" of data and "accountability" (Article 5 of the Regulation). The data must also be "processed in a manner that ensures appropriate security" of the same, "including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures" (art. 5, paragraph 1, letter f), and art. 32 of the Regulation).<br />
In this latter regard, it is also noted that the use of biometric data in the context of the ordinary management of the employment relationship (such as attendance recording), for the declared purpose of ensuring greater speed and streamlining of the relative operations in the face of employees repeatedly forgetting to clock in with a badge, does not appear to comply with the principles of minimisation and proportionality of the processing (Article 5 of the Regulation).<br />
In light of the aforementioned regulatory framework, the processing of biometric data carried out by the Company appears to have been carried out in the absence of an appropriate legal basis, given that the collection of consent from data subjects, in the context of the employment relationship, does not correspond to what is established by the aforementioned art. 9, par. 2, lit. b) of the Regulation in the terms set out above.<br />
Furthermore, it should be noted that the Authority has, in its own provisions, considered that, in general terms, the worker's consent does not as a rule constitute a valid condition of lawfulness for the processing of personal data in the workplace, regardless of the public or private nature of the employer, in light of the asymmetry between the respective parties to the employment relationship and the consequent possible need to ascertain, from time to time and in concrete terms, the effective freedom of the employee's expression of will (see, among others, provision no. 16 of 14 January 2021, web doc. no. 9542071; no. 35 of 13 February 2020, web doc. no. 9285411; no. 500 of 13 December 2018, web doc. no. 9068983; see also articles 6-7 and recitals 42-43 of Regulation (EU) 2016/679; see also, to the same effect, Article 29 Working Party, Guidelines on consent under Regulation 2016/679 - WP 259 - of 4 May 2020, spec. paragraph 3.1.1; Opinion 2/2017 on data processing at work, WP 249, spec. par. 3.1.1 and 6.2).<br />
However, it is noted that the Company interrupted the processing of biometric data starting from 2 May 2022, declaring under its own responsibility that it has also ordered the deletion of the data collected.<br />
The Company, for the above reasons, has therefore violated the articles 5, par. 1, lit. a) and 9, par. 2, lit. b) of the Regulation, from the date of installation and commissioning of the devices, as shown in the documents, to the date of 2 May 2022.<br />
3.3. Violation of articles 5, par. 1, lit. a) and 13 of the Regulation.<br />
The data controller must process the data "lawfully, fairly and in a transparent manner" (Article 5, paragraph 1, letter a) of the Regulation), adopting "appropriate measures to provide any information referred to in Articles 13 and 14 [...]" (art. 12 of the Regulation).<br />
As a result of the investigation, it emerged that the only information elements provided by the Company in relation to the processing of employees' biometric data are those contained in the aforementioned "Privacy information notice for employees" (specifically the following: "the Data Controller will process with the utmost attention and with the use of suitable IT systems [the] biometric data (fingerprint) for monitoring and recording accesses/exits").<br />
These elements are completely unsuitable to represent the characteristics of the processing intended to be carried out through the specific biometric devices, as prescribed by art. 13 of the Regulation (in particular, with regard to the specific case: controller and processor, legal basis, retention periods, rights of the data subject, right to lodge a complaint with a supervisory authority).<br />
Moreover, with specific regard to the legal basis of the processing, the document prepared by the Company makes no reference to the possibility of using the traditional badge-based system as an alternative to the biometric system, or of revoking the consent given, as declared by the Company itself during the investigation.<br />
In the context of the employment relationship, the obligation to inform the employee is also an expression of the duty of fairness pursuant to art. 5, par. 1, lit. a) of the Regulation.<br />
The Company, for the above reasons, has therefore violated the articles 5, par. 1, lit. a) and 13 of the Regulation, from the date of installation and commissioning of the devices, as shown in the documents, to 2 May 2022.<br />
3.4. Violation of the art. 30, par. 1, lit. c) of the Regulation.<br />
The outcome of the verification activity also revealed that the register of processing activities kept by the Company, dated 31 July 2021, does not indicate biometric data among the types of data processed by the controller (see documentation sent on 14/10/2021).<br />
Considering that the register is a tool that allows the controller, in the context of the so-called accountability principle (art. 5, paragraph 2, of the Regulation), to have an up-to-date picture of the processing carried out, also in view of risk analysis and in order to be able to respond to requests for its production by the supervisory authority, the contents reported therein must correspond to the processing actually in place.<br />
For this reason, the Authority has considered that the register must be compiled in such a way as to indicate the verifiable date of its first creation and that of its last update (see FAQ on the register of processing activities, no. 5), taking into account the fact that keeping the register is not a formal fulfilment but an integral part of a system for the correct management of the processing of personal data carried out.<br />
Therefore, the failure to take into consideration, within the register, the processing of employees' biometric data constitutes a violation of art. 30, par. 1, lit. c), of the Regulation, according to which the register of processing activities kept by the controller under its own responsibility must also contain a description of the categories of personal data processed.<br />
3.5. Violation of the art. 157 in relation to the provisions of art. 166, paragraph 2, of the Code.<br />
Finally, it has been ascertained that the Company failed to respond to the requests for information addressed to it by the Authority, in particular the invitation of 5 September 2019 and the request made pursuant to art. 157 of the Code, sent on 10 January 2020 (containing the express notice that "in case of non-compliance with this request, the pecuniary administrative sanction provided for by art. 166, paragraph 2, of the Code will be applied"), even though the communications from the Guarantor's offices had been duly notified.<br />
On the basis of the aforementioned article 157 of the Code, "Within the scope of the powers referred to in article 58 of the Regulation, and for the performance of its duties, the Guarantor may request the controller [...] to provide information and produce documents". Art. 166, paragraph 2, of the Code establishes that the violation of art. 157 of the Code is subject to the administrative sanction pursuant to art. 83, par. 5, of the Regulation. The Company's failure to respond to the Guarantor's request for information therefore occurred in violation of art. 157 of the Code in relation to the provisions of art. 166, paragraph 2, of the Code, with consequent application of the administrative sanction pursuant to art. 83, par. 5, of the Regulation.<br />
4. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2, Regulation.<br />
For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act initiating the procedure to be overcome, and are therefore unsuitable to allow this proceeding to be closed, since none of the cases envisaged by art. 11 of the Guarantor's Regulation no. 1/2019 applies.<br />
The processing of personal data carried out by the Company, in particular the processing of employees' biometric data, and the failure to respond to the Guarantor's request for information are in fact unlawful, in the terms set out above, in relation to articles 5, par. 1, lit. a), 9, 13, 30, par. 1, lit. c) of the Regulation and art. 157 of the Code.<br />
The violation ascertained in the terms set out in the reasoning cannot be considered "minor", taking into account the nature, gravity and duration of the violation itself, the degree of responsibility and the manner in which the supervisory authority became aware of the violation (cons. 148 of the Regulation).<br />
Therefore, given the corrective powers attributed by art. 58, par. 2, of the Regulation, a pecuniary administrative sanction pursuant to art. 83 of the Regulation is applied, commensurate with the circumstances of the specific case (Article 58, paragraph 2, letter i) of the Regulation).<br />
5. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).<br />
At the end of the proceeding it appears that Sportitalia, an amateur sports club with limited liability, has violated articles 5, par. 1, lit. a), 9, 13, 30, par. 1, lit. c) of the Regulation and art. 157 of the Code. For the violation of the aforementioned provisions, the pecuniary administrative sanction envisaged by art. 83, par. 4, lit. a) and par. 5, lit. a) and b) of the Regulation is applied, through the adoption of an injunction order (art. 18, law 24.11.1981, no. 689).<br />
Considering it necessary to apply paragraph 3 of art. 83 of the Regulation, which provides that "If a controller [...] intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement", the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.<br />
With reference to the elements listed by art. 83, par. 2, of the Regulation for the purposes of applying the pecuniary administrative sanction and its quantification, taking into account that the sanction must "in any case [be] effective, proportionate and dissuasive" (Article 83, paragraph 1, of the Regulation), in the present case the following circumstances were considered:<br />
a) in relation to the nature, gravity and duration of the violation (which lasted for just under four years, from the date of activation of the devices, which occurred for all clubs on 8 October 2018 and, in one case, on 8 September 2020, until 2 May 2022), the nature of the violation, which concerned the general principles of processing, was considered relevant;<br />
b) with reference to the intentional or negligent nature of the violation and the degree of responsibility of the controller, the conduct of the Company and its degree of responsibility were taken into consideration, which did not comply with data protection regulations in relation to a plurality of provisions, also concerning the general principles of processing (lawfulness and fairness);<br />
c) in favor of the Company, the cooperation with the Supervisory Authority and the absence of previous relevant violations were taken into account.<br />
It is also believed that the following are relevant in the present case, taking into account the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation): firstly, the economic conditions of the offender, determined on the basis of the revenues achieved by the company with reference to the condensed financial statements for the year 2021, as well as the particular economic context linked to the health emergency. Lastly, the extent of the sanctions imposed in similar cases is taken into account.<br />
In the light of the elements indicated above and the assessments made, it is believed, in the present case, that the administrative sanction of payment of a sum equal to 20,000 (twenty thousand) euros should be applied against Sportitalia, an amateur sports club with limited liability.<br />
In this context, it is also considered, in view of the type of violations ascertained, which concerned the general principles of processing, that pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, this provision must be published on the Guarantor's website.<br />
It is also believed that the conditions pursuant to art. 17 of Regulation no. 1/2019.<br />
ALL THAT BEING CONSIDERED, THE GUARANTOR<br />
notes the illegality of the processing carried out by Sportitalia, an amateur sports club with limited liability, in the person of its legal representative, with registered office in Via Giuseppe Meda, 52, Milan (MI), Tax Code 09600560966, pursuant to art. 143 of the Code, for the violation of articles 5, par. 1, lit. a), 9, 13, 30, para. 1, lit. c) of the Regulation and 157 of the Code;<br />
ORDER<br />
pursuant to art. 58, par. 2, lit. i) of the Regulations to Sportitalia, a limited liability amateur sports club, to pay the sum of 20,000 (twenty thousand) euros as an administrative fine for the violations indicated in this provision;<br />
ENJOINS<br />
then to the same Company to pay the aforementioned sum of 20,000 (twenty thousand) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive deeds pursuant to art. 27 of the law n. 689/1981. It should be remembered that the offender retains the right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed, within the term set out in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1.9.2011 envisaged for the lodging of the appeal as indicated below (art. 166, paragraph 8, of the Code);<br />
HAS<br />
the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Guarantor Regulation n. 1/2019, and believes that the conditions pursuant to art. 17 of Regulation no. 1/2019.<br />
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.<br />
Rome, 10 November 2022<br />
PRESIDENT<br />
Stanzione<br />
THE RAPPORTEUR<br />
Cerrina Feroni<br />
THE SECRETARY GENERAL<br />
Mattei<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=SO_w_Warszawie_-_XXV_C_2596/19&diff=17273
SO w Warszawie - XXV C 2596/19
2021-07-15T00:45:19Z
<p>AK: </p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=SO Warszawa <br />
|Court_With_Country=SO Warszawa(Poland)<br />
<br />
|Case_Number_Name=XXV C 2596/19<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Portal Orzeczeń Sądów Powszechnych<br />
|Original_Source_Link_1=http://orzeczenia.warszawa.so.gov.pl/content/$N/154505000007503_XXV_C_002596_2019_Uz_2020-09-23_001<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
<br />
|Date_Decided=06.08.2020<br />
|Date_Published=06.08.2020<br />
|Year=2020<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 82 GDPR<br />
|GDPR_Article_Link_2=Article 82 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Maciej Niezgoda<br />
|<br />
}}<br />
<br />
The District Court in Warsaw ordered an insurance company to pay €330 of compensation to a data subject for the insurer's breach of the data minimization principle. <br />
==English Summary==<br />
<br />
===Facts===<br />
The data subject was the owner of a vehicle which was involved in a road collision. On the date of the collision, the vehicle was covered by civil liability insurance for motor vehicle holders.<br />
After the collision, the insurer handled the loss adjustment. The injured party in the traffic collision asked the insurer to send the documentation regarding the loss. The insurer's employee sent the injured party scans of the loss documentation, which had not been anonymised, i.e. they included the name of the data subject, her residence address, PESEL number, telephone number, and vehicle data. Later, the insurer notified the data subject of the above incident, as a result of which her personal data may have fallen into the wrong hands.<br />
Upon receipt of the above information, the data subject changed her cell phone number and stipulated to the bank that withdrawals from her bank account could only be made on her personal instruction. She was afraid of the negative consequences of having her personal data disclosed by the insurer, i.e. that someone would call her and that her data would be passed on. The injured party in the traffic collision did not contact the data subject or file a claim in court against her. The insurance company paid the injured party compensation under the data subject's insurance contract.<br />
<br />
The representative of the data subject requested the insurance company to pay the amount of PLN 10,000 as compensation due to the violation of the protection of the claimant's personal data by unauthorised disclosure to third parties.<br />
<br />
In its reply, the insurance company refused to accept the data subject's claim, arguing that the transfer of the claimant's personal data to the injured party was based on provisions of law.<br />
===Dispute===<br />
Whether there has been an unlawful transfer of personal data to a third party?<br />
<br />
Did the scope of personal data provided to the third party comply with the data minimization principle?<br />
===Holding===<br />
The District Court in Warsaw held that, under specific statutory provisions, the personal data of the data subject as the owner of the vehicle involved in the road collision could - as a matter of principle - be made available to the injured party in the collision, even though the data subject was not driving the vehicle during the collision.<br />
The court held, however, that the insurer was entitled to provide the injured party with data including the data subject's first and last name and her place of residence, but was not entitled to provide information regarding her PESEL number and telephone number. The transfer of these additional data of the data subject went beyond the statutory authorization under specific provisions and was therefore unlawful and violated the principle of data minimization. Therefore the court ordered the insurance company to pay compensation to the data subject in the amount of PLN 1,500 in connection with the insurer's breach of the principle of data minimization. <br />
<br />
==Comment==<br />
According to the court, by providing a third party with the data subject's personal data in an overly broad scope, the insurance company violated the data subject's right to privacy and caused her non-pecuniary damage. Privacy is a good relating to the facts of a person's life which he or she does not consent to being made public. The right to privacy is embodied in such goods as secrecy of correspondence, personal data, or inviolability of the home. As a result of the insurer's actions, personal data of the data subject which the third party was not entitled to obtain (PESEL number, the claimant's telephone number) was made available to that third party. As a result of the incident, the data subject lost her sense of security and began to experience fear related to the possibility of unauthorised use of her personal data by other persons, by performing banking activities on her behalf or making unwanted phone calls to her. The harm thus caused to the data subject gives rise to an obligation on the part of the insurance company to redress this harm by paying monetary compensation to the claimant pursuant to Article 82(1) of the GDPR.<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
Judgment Of the District Court in Warsaw of August 6, 2020<br />
<br />
XXV C 2596/19<br />
<br />
SUBSTANTIATION<br />
<br />
Adjudication panel<br />
<br />
Chairman: Judge SO Paweł Duda.<br />
<br />
Sentence<br />
<br />
District Court in Warsaw, XXV Civil Division, after hearing on August 6, 2020 in Warsaw, at the hearing of the case brought by MK against Towarzystwo (...) Spółka Akcyjna with its seat in W. for payment<br />
<br />
I. orders Towarzystwo (...) Spółka Akcyjna with its seat in W. to pay MK the amount of PLN 1,500 (one thousand five hundred zlotys);<br />
<br />
II. dismisses the claim for the remainder;<br />
<br />
III. refrains from charging the claimant with the costs of legal representation for the defendant.<br />
<br />
Factual justification<br />
<br />
MK, in a lawsuit of 8 July 2019, requested that Towarzystwo (...) Spółka Akcyjna with its seat in W. pay her the amount of PLN 10,000 in connection with the breach of her personal data.<br />
<br />
In the justification, the claimant indicated that on October 31, 2018, she received a notification from the defendant about the transfer of her personal data to a participant in a road accident involving the claimant's car. In the claimant's opinion, her personal data could be used for information (...) by SA and the Police, but not by third parties. From the moment she received the defendant's letter, the plaintiff has been under constant stress, fearing how her personal data will be used. The claimant based her claim on Art. 82 of the Regulation of the European Parliament and of the Council (EU) (...) of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Journal of Laws UE.L No. 119, p. 1), hereinafter referred to as "GDPR". In addition, in the procedural letter of March 16, 2020, the plaintiff also relied on Art. 445 of the Civil Code and Art. 24 of the Civil Code in connection with Art. 448 of the Civil Code.<br />
<br />
The defendant Towarzystwo (...) SA, in response to the claim, requested that the claim be dismissed in its entirety.<br />
<br />
The respondent denied that there was a breach of the provisions on the protection of personal data, as well as that any material or non-material damage to the plaintiff was caused as a result. The disclosure of the plaintiff's data (the insured person, the owner of the vehicle) by the defendant to the injured person was legally permissible, as it was permitted by the provisions of the Act on Insurance and Reinsurance Activity, the Act on Compulsory Insurance, the Insurance Guarantee Fund and the Polish Motor Insurers' Bureau, and the Road Traffic Act. Therefore, the content of the defendant's letter of October 31, 2018 was a mistake and cannot give rise to liability for damages on the part of the defendant, since the conditions for this liability have not been met.<br />
<br />
The court established the following facts:<br />
<br />
MK is the owner of a vehicle that was involved in a road collision. On the date of the collision, the vehicle was insured for civil liability of motor vehicle owners with Towarzystwo (...) SA in W. During the collision the plaintiff was not the person driving the vehicle (circumstances established under Art. 229 of the Code - given by the defendant in response to the lawsuit and by the claimant at the hearing on August 6, 2020).<br />
<br />
After the collision, Towarzystwo (...) SA dealt with the liquidation of the loss registered under the number (...). The injured party in the road accident in question asked the defendant to send documentation regarding the damage. On October 5, 2018, the defendant's employee sent the injured person scans of the documentation regarding the damage that had not been anonymised, i.e. the name and surname of the claimant, her address, PESEL number, telephone number, and vehicle data. By letter of October 31, 2018, the insurer notified the claimant of the above incident, as a result of which the plaintiff's personal data could have fallen into the wrong hands (notification of a personal data breach of October 31, 2018 - p. 9-11).<br />
<br />
After receiving the above information, the plaintiff changed her mobile phone number and stipulated at the bank that withdrawals from her bank account could only be made on her personal request. She was afraid of the negative consequences of the disclosure of her personal data by the defendant, i.e. that a stranger would call her, that her data would be passed on. So far, the plaintiff has not faced any negative consequences of the disclosure of her personal data by the defendant. The injured party in the road accident did not contact the plaintiff and did not file a claim against the plaintiff. The defendant insurance company paid compensation to the injured party under the plaintiff's insurance contract (circumstances established under Art. 230 of the Code - given by the claimant at the hearing of 6 August 2020 and not challenged by the defendant).<br />
<br />
By letter of February 21, 2019, the attorney of MK summoned Towarzystwo (...) SA to pay PLN 10,000 as compensation in connection with the breach of the plaintiff's personal data protection through unauthorized disclosure to third parties (request for payment of February 21, 2019. - sheets 12-12v.).<br />
<br />
In response, the defendant in a letter of 22 March 2019 refused to recognize the claimant's claim, arguing that the transfer of the plaintiff's personal data to the aggrieved was based on the provisions of law (the defendant's letter of 22 March 2019 - file 13-13v).<br />
<br />
The above-mentioned facts were established by the Court on the basis of the above-mentioned documentary evidence which did not raise any doubts as to their authenticity, and the facts established by them were not questioned by the parties to the proceedings. Regardless of this, the facts of the case were undisputed between the parties who were in dispute only as to the legal consequences of the facts described above.<br />
<br />
The court considered as follows:<br />
<br />
Due to the fact that the claimant referred to the provisions of the GDPR and the Civil Code on the protection of personal rights as the legal basis for the claim, the claim pursued by the claim will be assessed taking into account both of these legal bases invoked by the claimant.<br />
<br />
In accordance with Art. 82 GDPR, any person who has suffered material or non-pecuniary damage as a result of a breach of the regulation has the right to obtain compensation from the controller or processor for the damage suffered (paragraph 1). Any controller involved in processing is liable for damage caused by processing in breach of this Regulation. The processor is liable for damage caused by the processing only if he has not complied with the obligations which the regulation imposes directly on processors, or if he acted outside or contrary to the lawful instructions of the controller (paragraph 2). The controller or processor shall be exempt from liability if they prove that they were not at fault in any way for the event that led to the damage (paragraph 3).<br />
<br />
As defined in the GDPR, "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person (Article 4(1) of the GDPR). "Processing" means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organising, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by sending, distributing or other types of sharing, matching or combining, limiting, deleting or destroying (Article 4(2) of the GDPR). By contrast, "controller" means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data; if the purposes and means of such processing are specified in EU law or in the law of a Member State, the controller may also be designated under EU law or in the law of a Member State, or specific criteria for its appointment may be specified (Article 4(7) of the GDPR).<br />
<br />
The provisions of the GDPR show that the processing of personal data is lawful only in cases where - and to the extent to which - at least one of the following conditions is met, specified e.g. in art. 6 lit. c, with the content: processing is necessary to fulfil a legal obligation incumbent on the controller, and art. 6 lit. f, with the content: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where these interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the data subject is a child.<br />
<br />
Moreover, what is important in the present case, in Art. 5 sec. 1 lit. c GDPR, the principle of "data minimization" was expressed, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.<br />
<br />
On the other hand, in Polish civil law, the principle of the protection of human personal rights is expressed in Art. 23 of the Civil Code, according to which a person's personal rights remain under the protection of civil law, irrespective of the protection provided for in other provisions. The catalogue of protected personal rights listed in Art. 23 of the Civil Code is only exemplary, as indicated by the phrase "in particular", so it is not an exhaustive catalogue. The means of protecting the infringed goods include pecuniary compensation for the harm suffered (Art. 448 of the Civil Code in conjunction with Art. 24 § 1 sentence 3 of the Civil Code). The premise for a claim for payment of compensation on the basis of the cited provisions is the demonstration by the aggrieved party of the infringement of a specific personal interest and of harm suffered as a result of that infringement. The provision of Art. 448 of the Civil Code was placed in Title VI of the third book of the Civil Code, "Prohibited Acts", therefore the rules of the tort liability regime apply to it (see: Supreme Court of 12 December 2002, V CKN 1581/00, OSNC 2004/4/53 and of 24 January 2008, I CSK 319/07, LEX No. 448025). The condition for awarding pecuniary compensation for the harm suffered is the fault of the entity that committed the infringement (Art. 415 of the Civil Code). The burden of proof regarding fault lies with the entity seeking protection of its personal rights.<br />
<br />
The provision of Art. 24 § 1 of the Civil Code formulates the presumption of unlawfulness of an infringement of personal rights, therefore it is the defendant's duty to prove that his action infringing the personal rights of the plaintiff was not unlawful. The culpable act of the perpetrator, which entails civil liability, must show signs of inappropriate conduct both from the objective side, which is referred to as the unlawfulness of the act, and from the subjective side, which is defined as guilt in a subjective sense. Unlawfulness - as an objective feature of the perpetrator's act - is understood as a contradiction with the applicable legal order, which comprises orders and prohibitions resulting not only from legal norms (in the field of civil, criminal, administrative, labour, financial law, etc.), but also from moral and social norms, referred to as "principles of social coexistence" or "good manners" (cf. Gerard Bieniek, in: Commentary to the Civil Code. Book Three. Obligations, vol. 2, Warsaw 2005, pp. 235-236; judgment of the Supreme Court of 19 July 2003, V CKN 1681/00, LEX No. 121742). In a subjective sense, guilt refers to the sphere of human mental phenomena and is understood as a reprehensible decision relating to an unlawful act committed by the person; in the case of legal persons, however, this qualification applies to persons belonging to the body authorised to represent the legal person (Art. 416 of the Civil Code). Therefore, under civil law, blame can be attributed to a subject of law when there are grounds for a negative assessment of his behaviour from both the objective and the subjective point of view - the so-called overlaps in the proceedings (thus the Supreme Court in the ruling of September 26, 2003, IV CK 32/02, LEX No. 146462).<br />
<br />
It should also be pointed out that in the event of infringement of a personal right, the court - pursuant to Art. 448 of the Civil Code - "may award a person whose personal interest has been violated" an appropriate amount as compensation for the harm suffered. This means that even in the event of a violation of a personal interest, the award of pecuniary compensation is not obligatory, but optional - left to the discretion of the judge. The legitimacy of the award of pecuniary compensation, as well as its amount, depend on the assessment of the entirety of the facts of the case, such as the type of the breached good, the extent of the harm suffered, the nature of the consequences of the breach, the degree of culpability, the property relations of the obligated and entitled party, etc. (also: GB, in: Commentary to the Civil Code. Book Three. Obligations. Volume 1, Warsaw 2005, p. 492; the Supreme Court in the ruling of April 19, 2006, II PK 245/2005 and the Court of Appeal in Poznań in the ruling of 11 January 2007, I ACa 833/2006, LEX No. 298413).<br />
<br />
In order to assess the claim of the plaintiff, it was necessary to examine in the case under examination whether the disclosure of the plaintiff's personal data by the defendant to the person injured in a road accident was lawful. Relevant here is the regulation of Art. 29 sec. 6 of the Act of September 11, 2015 on insurance and reinsurance activities (consolidated text: Journal of Laws of 2020, item 895), according to which the insurance company provides the policyholder, the insured, the claimant or the beneficiary under the insurance contract (the aggrieved party is also considered to be the entitled party in the case of third party liability insurance - Article 3 (1) (52) of the Act) with the information and documents collected in order to determine the liability of the insurance company or the amount of compensation or benefits. These persons may request written confirmation by the insurance undertaking of the disclosed information, as well as the preparation, at their own expense, of photocopies of documents and confirmation of their compliance with the original by the insurance undertaking.<br />
<br />
Moreover, pursuant to Art. 44 sec. 1 point 4 of the Act of June 22, 1997, Road Traffic Law (consolidated text: Journal of Laws of 2020, item 110), the driver of the vehicle, in the event of participating in a road accident, is obliged to provide his / her personal data the owner or holder of the vehicle and data on the insurance company with which the compulsory third party liability insurance contract is concluded, at the request of the person involved in the accident.<br />
<br />
It follows from the above regulations that the personal data of the claimant, as the owner of the vehicle involved in a road accident, could - as a rule - be made available to the person injured in the accident, even though the claimant did not drive the vehicle during the accident. The basis for the defendant to provide such data to the injured party were the above-mentioned provisions of Art. 29 sec. 6 of the Insurance and Reinsurance Activity Act in connection with Art. 44 sec. 12 point 4 of the Road Traffic Law.<br />
<br />
The purpose of the road accident victim's access to data concerning the owner of the vehicle (its holder) is to enable him to pursue claims related to the sustained property or non-pecuniary damage. From the previously mentioned Art. 5 sec. 1 lit. c GDPR, it follows that the processed (and therefore transferred to a third party) personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The objectives of Art. 29 sec. 6 of the Insurance and Reinsurance Activity Act and Art. 44 sec. 1 point 4 of the Road Traffic Law also indicate that the (personal) data of the owner or holder of the vehicle (insured under the compulsory third-party liability insurance of motor vehicle owners), which can be obtained by the injured person (entitled under civil liability insurance), does not include all (any) data of the owner (holder) of the vehicle, but only those that are needed by the injured party in order to establish liability and pursue claims for damages against the owner (holder) of the vehicle or the third party liability insurer. For these purposes, it is sufficient to provide the name and surname of the vehicle owner and the number of the civil liability insurance policy (possibly additionally the place of residence), which sufficiently identify him. The provision of the PESEL number and the phone number of the vehicle owner certainly goes beyond these goals. Therefore, it should be concluded that the defendant insurer was entitled to provide the injured party with data including the plaintiff's name and surname and her place of residence, but was not entitled to provide information on the PESEL number and the plaintiff's telephone number. The provision of these additional data of the claimant exceeded the statutory authorisation resulting from the above-mentioned provisions, and was therefore unlawful. The defendant insurance company can be attributed a subjective fault in the meaning described above.<br />
The above-mentioned legal regulations on the protection of personal data (protection of personal rights) should be known to the representatives of the defendant who hand over the damage documentation to the injured party in a road accident, since the defendant is professionally involved in insurance activities, including claims settlement.<br />
<br />
By providing a third party with the plaintiff's personal data to an overly broad extent, the defendant violated the plaintiff's right to privacy and led to non-pecuniary damage (harm) on her part. Privacy is a good relating to the facts of a person's life that he or she does not consent to being made public. The right to privacy is embodied in such goods as the confidentiality of correspondence, personal data or the inviolability of the home. As a result of the defendant's actions, the claimant's personal data was made available to a third party, which that person was not entitled to obtain (PESEL number, the claimant's telephone number). As a result of this incident, the claimant lost her sense of security and began to feel anxiety related to the possibility of unauthorised use of her personal data by other persons, by performing banking activities on her behalf or making unwanted telephone calls to her. The damage caused in this way to the plaintiff gives rise to the defendant's obligation to repair it by paying the plaintiff pecuniary compensation, pursuant to Art. 82 sec. 1 GDPR and Art. 448 of the Civil Code in connection with Art. 24 § 1 sentence 2 of the Civil Code.<br />
<br />
The purpose of awarding pecuniary compensation is to mitigate the harm suffered by the aggrieved party (non-pecuniary damage) caused by the tort. Compensation for the harm suffered, due to its compensatory nature, must present some economic value. On the other hand, its amount cannot be excessive in relation to the harm suffered and the current property relations of the society, as it is supposed to mitigate the harm and not lead to the enrichment of the aggrieved party. The elements determining the extent of compensation are the nature of the infringed personal interest, the degree of the perpetrator's guilt, the intensity of the infringer's interference in a given good or personal goods and the duration of the infringement, the way in which the aggrieved person felt in his psyche the unlawful action of the perpetrator (see the Court of Appeal in Warsaw, June 10, 2011, VI ACa 84/11 , Legalis No. 363615).<br />
<br />
The evidence in the case does not show that the plaintiff's personal data (PESEL number, telephone number) was made public or used unlawfully by an unauthorised person. The claimant herself admitted that the victim of the accident, to whom the claimant's data was provided, did not contact her by phone, and that she did not experience any other negative consequences related to the disclosure of her personal data. The unlawful transfer of the plaintiff's extensive personal data to the aggrieved party did not lead to harassment of the plaintiff, attempts to incur liabilities with the use of her personal data, or violation of her home life. Apart from the fears declared by the claimant regarding the possibility of unlawful use of her personal data by a third party, the claimant faced no further consequences. Therefore, the harm caused to the claimant as a result of the breach of her personal data turned out to be small, and therefore the compensation should be small. The compensation demanded by the plaintiff in the amount of PLN 10,000 is considered excessive in this situation.<br />
<br />
In the opinion of the Court, the appropriate compensation for the plaintiff in the context of the extent of the damage will be PLN 1,500. Such an amount of compensation will compensate the claimant's harm caused by the defendant's infringement of her personal rights. It will be a financial gain for the claimant, giving the claimant a moral satisfaction adequate to the scale of the infringement of her personal rights, and thus fulfilling its compensatory function. On the other hand, this sum will not be excessive and will not lead to unjustified enrichment of the claimant at the expense of the defendant.<br />
<br />
For the reasons described, the Court, in point I of the operative part of the judgment, ordered the defendant to pay the plaintiff PLN 1,500, and in point II of the judgment dismissed the remaining part of the claim, pursuant to the above-mentioned provisions.<br />
<br />
While ruling on the costs of the proceedings in point III of the operative part of the judgment, the Court applied the principle of equity expressed in Art. 102 of the Code of Civil Procedure, according to which, in particularly justified cases, the court may award only part of the costs from the losing party or not charge it with costs at all. The application of the principle of equity should be assessed against all the circumstances that would justify a departure from the basic principles determining the decision as to the costs of the trial. These circumstances include both the facts related to the course of the trial and the facts outside the trial, especially those relating to the financial condition (life situation). These circumstances should be assessed primarily taking into account the principles of social coexistence (see the post of the Supreme Court of January 14, 1974, II CZ 223/73 , Legalis). The court costs incurred by the defendant include only the costs of legal representation by a professional attorney. The court had in mind that the present case was not complicated and the pleading constituting a response to the statement of claim essentially duplicated the arguments presented in the defendant's letter to the plaintiff at the pre-trial stage. On the other hand, the plaintiff had grounds to believe that the claim was right (which was confirmed in principle), and its amount depended on the judge's discretion, so the plaintiff was not able to precisely estimate it.<br />
<br />
The text of the judgment comes from the collections of common courts.<br />
<br />
<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Article_64_GDPR&diff=15250
Article 64 GDPR
2021-04-23T15:00:28Z
<p>AK: /* Overview */</p>
<hr />
<div><br />
<br />
== Legal Text ==<br />
<br /><center>'''Article 64 - Opinion of the Board'''</center><br /><br />
<br />
<span id="1">1. The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:</span><br />
<br />
::<span id="1a">(a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);</span><br />
<br />
::<span id="1b">(b) concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation;</span><br />
<br />
::<span id="1c">(c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3);</span><br />
<br />
::<span id="1d">(d) aims to determine standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8);</span><br />
<br />
::<span id="1e">(e) aims to authorise contractual clauses referred to in point (a) of Article 46(3); or</span><br />
<br />
::<span id="1f">(f) aims to approve binding corporate rules within the meaning of Article 47.</span><br />
<br />
<span id="2">2. Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.</span><br />
<br />
<span id="3">3. In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair, shall be deemed to be in agreement with the draft decision.</span><br />
<br />
<span id="4">4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.</span><br />
<br />
<span id="5">5. The Chair of the Board shall, without undue delay, inform by electronic means:</span><br />
<br />
::<span id="5a">(a) the members of the Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the Board shall, where necessary, provide translations of relevant information; and</span><br />
<br />
::<span id="5b">(b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion and make it public.</span><br />
<br />
<span id="6">6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.</span><br />
<br />
<span id="7">7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision, using a standardised format.</span><br />
<br />
<span id="8">8. Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.</span><br />
<br />
<br />
==Relevant Recitals==<br />
<span id="r136"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 136:''' Opinion of the Board </div><br />
<div class="mw-collapsible-content"><br />
In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation. <br />
</div></div><br />
<br />
== Commentary ==<br />
<br />
=== Overview ===<br />
The purpose of this provision is <br />
<br />
== Decisions ==<br />
→ You can find all related decisions in [[:Category:Article 64 GDPR]]<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Article 64 GDPR]] [[Category:GDPR]]</div>
AK
https://gdprhub.eu/index.php?title=Article_64_GDPR&diff=15249
Article 64 GDPR
2021-04-23T15:00:06Z
<p>AK: /* Commentary */</p>
<hr />
<div><br />
<br />
== Legal Text ==<br />
<br /><center>'''Article 64 - Opinion of the Board'''</center><br /><br />
<br />
<span id="1">1. The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:</span><br />
<br />
::<span id="1a">(a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);</span><br />
<br />
::<span id="1b">(b) concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation;</span><br />
<br />
::<span id="1c">(c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3);</span><br />
<br />
::<span id="1d">(d) aims to determine standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8);</span><br />
<br />
::<span id="1e">(e) aims to authorise contractual clauses referred to in point (a) of Article 46(3); or</span><br />
<br />
::<span id="1f">(f) aims to approve binding corporate rules within the meaning of Article 47.</span><br />
<br />
<span id="2">2. Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.</span><br />
<br />
<span id="3">3. In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair, shall be deemed to be in agreement with the draft decision.</span><br />
<br />
<span id="4">4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.</span><br />
<br />
<span id="5">5. The Chair of the Board shall, without undue, delay inform by electronic means:</span><br />
<br />
::<span id="5a">(a) the members of the Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the Board shall, where necessary, provide translations of relevant information; and</span><br />
<br />
::<span id="5b">(b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion and make it public.</span><br />
<br />
<span id="6">6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.</span><br />
<br />
<span id="7">7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision, using a standardised format.</span><br />
<br />
<span id="8">8. Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.</span><br />
<br />
<span id="8">8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.</span><br />
<br />
<span id="9">9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.</span><br />
<br />
<span id="10">10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.</span><br />
<br />
<span id="11">11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.</span><br />
<br />
<span id="12">12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.</span><br />
<br />
==Relevant Recitals==<br />
<span id="r136"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 136:''' Opinion of the Board </div><br />
<div class="mw-collapsible-content"><br />
In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation. <br />
</div></div><br />
<br />
== Commentary ==<br />
<br />
=== Overview ===<br />
The purpose of this provision is <br />
<br />
== Decisions ==<br />
→ You can find all related decisions in [[:Category:Article 64 GDPR]]<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Article 64 GDPR]] [[Category:GDPR]]</div>
AK
https://gdprhub.eu/index.php?title=Article_20_GDPR&diff=15248
Article 20 GDPR
2021-04-23T14:58:47Z
<p>AK: /* Relevant Recitals */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 19 GDPR|←]] Article 20 - Right to data portability [[Article 21 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
|}<br />
<br />
==Legal Text==<br />
'''Article 20 - Right to data portability'''<br />
<br />
<span id="1">1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:</span><br />
<br />
::<span id="1a">(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and</span><br />
<br />
::<span id="1b">(b) the processing is carried out by automated means.</span><br />
<br />
<span id="2">2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.</span><br />
<br />
<span id="3">3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.</span><br />
<br />
<span id="4">4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.</span><br />
<br />
==Relevant Recitals==<br />
<span id="r68"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 68:''' Data Portability </div><br />
<div class="mw-collapsible-content"><br />
To further strengthen the control over his or her own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. That right should apply where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It should not apply where processing is based on a legal ground other than consent or contract. By its very nature, that right should not be exercised against controllers processing personal data in the exercise of their public duties. It should therefore not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the controller. The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible. Where, in a certain set of personal data, more than one data subject is concerned, the right to receive the personal data should be without prejudice to the rights and freedoms of other data subjects in accordance with this Regulation. 
Furthermore, that right should not prejudice the right of the data subject to obtain the erasure of personal data and the limitations of that right as set out in this Regulation and should, in particular, not imply the erasure of personal data concerning the data subject which have been provided by him or her for the performance of a contract to the extent that and for as long as the personal data are necessary for the performance of that contract. Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.<br />
</div></div><br />
<br />
==Commentary==<br />
<br />
The purpose of the right to data portability is to give data subjects more control over their personal data by granting a certain type of 'ownership'. The goal is to increase competition on the market by allowing for a free movement of data between providers. It is especially relevant where one controller offers a higher level of protection of personal data than another, whether within the same industry sector or across sectors.<br />
<br />
The right to data portability complements the right of access ([[Article 15 GDPR|Article 15]]) by empowering users to receive a copy of their data in a structured, commonly used, and machine-readable format. Users can decide what they want to do with such data and either store it on their computer, send it to another controller, or send it to another third party. The right to portability is not limited to providers that offer similar or comparable services - it can be exercised with any controller a data subject chooses, under the conditions specified below. <br />
<br />
'''Responsibilities of controllers'''<br />
<br />
Data controllers which address portability requests ("'''sending controllers'''") act on behalf of a data subject and are responsible to:<br />
<br />
*provide prior information about the existence of such a right (eg in the privacy notice) and clearly explain the difference between the right of access and the right to data portability;<br />
*process the request without undue delay, within 1 month (up to 3 months);<br />
*carry out authentication;<br />
*set safeguards to ensure they genuinely act on the data subject’s behalf (eg ensure that they transmit the exact type of personal data that the data subject wants to transmit);<br />
*in light of the principles set forth in [[Article 5(1) GDPR|Article 5(1)]] - ensure that the data transmitted is accurate and up to date;<br />
*take all the security measures for transmissions.<br />
<br />
The sending controllers are, however, not responsible for the processing handled by the data subject or by another company receiving personal data. ''"In this respect, the data controller is not responsible for compliance of the receiving data controller with data protection law, considering that it is not the sending data controller that chooses the recipient."''<ref name=":0">Article 29 Working Party “Guidelines on the Right to Data Portability”, WP242 rev.01, p. 6.</ref><br />
<br />
Data controllers which receive portability requests ("'''receiving controllers'''") have an obligation to:<br />
<br />
*"clearly and directly" state the purpose of the new processing before they accept the request, in accordance with the transparency requirements set out in [[Article 14 GDPR|Article 14]] GDPR<ref name=":1">Article 29 Working Party “Guidelines on the Right to Data Portability”, WP242 rev.01, p. 7.</ref>;<br />
*process the request without undue delay, within 1 month (up to 3 months);<br />
*ensure that the data they accept is relevant and not excessive for the intended data processing;<br />
*delete the personal data which is not necessary to achieve the purpose of the new processing as soon as possible.<br />
<br />
The receiving controllers can decide whether to accept and process data from a portability request. <br />
===(1) The right to receive and transmit personal data===<br />
<br />
The data subject can ask to transmit the data as long as the data controller processes it. This is to say that a controller cannot refuse a portability request only because the retention period is ending soon.<br />
<br />
'''Material scope'''<br />
<br />
The data subject may request the transmission of data that ''concerns'' him or her (ie not anonymous data) and that he or she ''provided'' to the controller. The data "provided" is the data that was actively given to the controller (eg photos uploaded to the service) or such which was "observed" by a controller (eg activity logs, food preferences etc).<br />
<br />
The personal data which was transferred from one controller to another in the context of the exercise of the right to data portability should be considered as having been provided by the data subject.<ref name=":2">Herbst in: Kühling/Buchner, DS-GVO, BDSG, 2nd ed., Article 20, para 11.</ref><br />
<br />
====(a) Legal basis for processing====<br />
<br />
The categories of data that can be requested are those processed either for the performance of a contract ([[Article 6 GDPR#1|Article 6(1)(b)]]) or to which processing a data subject gave his or her consent ([[Article 6 GDPR#1|Article 6(1)(a)]]). However, according to the Article 29 Working Party, it is a good practice to address portability requests also in such cases that do not explicitly provide for a general right to data portability, ie when processing is based on the legitimate interests or for the performance of a task carried out in the public interest.<ref name=":3">Article 29 Working Party “Guidelines on the Right to Data Portability”, WP242 rev.01, p. 8.</ref><br />
<br />
====(b) Processing by automated means====<br />
<br />
Another condition is that the personal data is processed ''automatically''; therefore, data which is available eg only on paper and which is processed manually falls outside the scope of data portability.<br />
<br />
===(2) The right to transmit personal data directly to another controller===<br />
The data subject can also ask the controller to send his or her personal data directly to another controller, if this is ''technically feasible''. Controllers are therefore encouraged to use interoperable formats in order to facilitate such an exchange of personal data between each other. Companies may create sector-specific interoperable formats within an industry to allow for easier transmissions of personal data.<br />
<br />
Data portability is meant to facilitate the reuse of personal data concerning the data subject, provided that the copy of the data is transmitted in the defined format.<br />
<br />
===(3) The right to erasure===<br />
The exercise of the right to data portability is without prejudice to any other rights under the GDPR. Thus, if the data subject wants to delete his or her data from the controller's system (exercise the “right to be forgotten” under [[Article 17 GDPR|Article 17]]), the controller cannot justify its denial to erase such data by the data portability request.<br />
===(4) The rights of third parties===<br />
The portability request should not include any third party data if there is a likelihood that the new processing will adversely affect the rights and freedoms of the other data subjects. ''"Such an adverse effect would occur, for instance, if the transmission of data from one data controller to another, would prevent third parties from exercising their rights as data subjects under the GDPR."''<ref name=":4">Article 29 Working Party “Guidelines on the Right to Data Portability”, WP242 rev.01, p. 11.</ref><br />
<br />
The rights and freedoms are unlikely to be adversely affected if the receiving controller processes the data of other data subjects for the ''same purpose'' it was processed by the sending controller.<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 20 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>
AK
https://gdprhub.eu/index.php?title=Article_64_GDPR&diff=15247
Article 64 GDPR
2021-04-23T14:58:12Z
<p>AK: /* Relevant Recitals */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Article 63 GDPR|←]] Article 64 - Opinion of the Board [[Article 65 GDPR|→]]<br />
|-<br />
|style="padding: 20px; background-color:#003399;"|[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" overflow:auto;" style="border-width: 0px"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
== Legal Text ==<br />
<br /><center>'''Article 64 - Opinion of the Board'''</center><br /><br />
<br />
<span id="1">1. The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:</span><br />
<br />
::<span id="1a">(a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);</span><br />
<br />
::<span id="1b">(b) concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation;</span><br />
<br />
::<span id="1c">(c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3);</span><br />
<br />
::<span id="1d">(d) aims to determine standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8);</span><br />
<br />
::<span id="1e">(e) aims to authorise contractual clauses referred to in point (a) of Article 46(3); or</span><br />
<br />
::<span id="1f">(f) aims to approve binding corporate rules within the meaning of Article 47.</span><br />
<br />
<span id="2">2. Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.</span><br />
<br />
<span id="3">3. In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair, shall be deemed to be in agreement with the draft decision.</span><br />
<br />
<span id="4">4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.</span><br />
<br />
<span id="5">5. The Chair of the Board shall, without undue delay, inform by electronic means:</span><br />
<br />
::<span id="5a">(a) the members of the Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the Board shall, where necessary, provide translations of relevant information; and</span><br />
<br />
::<span id="5b">(b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion and make it public.</span><br />
<br />
<span id="6">6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.</span><br />
<br />
<span id="7">7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision, using a standardised format.</span><br />
<br />
<span id="8">8. Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.</span><br />
<br />
<span id="8">8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.</span><br />
<br />
<span id="9">9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.</span><br />
<br />
<span id="10">10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.</span><br />
<br />
<span id="11">11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.</span><br />
<br />
<span id="12">12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.</span><br />
<br />
==Relevant Recitals==<br />
<span id="r136"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 136:''' Opinion of the Board </div><br />
<div class="mw-collapsible-content"><br />
In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation. <br />
</div></div><br />
<br />
== Commentary ==<br />
<br />
''You can help us fill this section!''<br />
<br />
== Decisions ==<br />
→ You can find all related decisions in [[:Category:Article 64 GDPR]]<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Article 64 GDPR]] [[Category:GDPR]]</div>
AK
https://gdprhub.eu/index.php?title=Article_64_GDPR&diff=15246
Article 64 GDPR
2021-04-23T14:56:41Z
<p>AK: /* Relevant Recitals */</p>
<hr />
<div><br />
<br />
== Legal Text ==<br />
<br /><center>'''Article 64 - Opinion of the Board'''</center><br /><br />
<br />
<span id="1">1. The Board shall issue an opinion where a competent supervisory authority intends to adopt any of the measures below. To that end, the competent supervisory authority shall communicate the draft decision to the Board, when it:</span><br />
<br />
::<span id="1a">(a) aims to adopt a list of the processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4);</span><br />
<br />
::<span id="1b">(b) concerns a matter pursuant to Article 40(7) whether a draft code of conduct or an amendment or extension to a code of conduct complies with this Regulation;</span><br />
<br />
::<span id="1c">(c) aims to approve the criteria for accreditation of a body pursuant to Article 41(3) or a certification body pursuant to Article 43(3);</span><br />
<br />
::<span id="1d">(d) aims to determine standard data protection clauses referred to in point (d) of Article 46(2) and in Article 28(8);</span><br />
<br />
::<span id="1e">(e) aims to authorise contractual clauses referred to in point (a) of Article 46(3); or</span><br />
<br />
::<span id="1f">(f) aims to approve binding corporate rules within the meaning of Article 47.</span><br />
<br />
<span id="2">2. Any supervisory authority, the Chair of the Board or the Commission may request that any matter of general application or producing effects in more than one Member State be examined by the Board with a view to obtaining an opinion, in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62.</span><br />
<br />
<span id="3">3. In the cases referred to in paragraphs 1 and 2, the Board shall issue an opinion on the matter submitted to it provided that it has not already issued an opinion on the same matter. That opinion shall be adopted within eight weeks by simple majority of the members of the Board. That period may be extended by a further six weeks, taking into account the complexity of the subject matter. Regarding the draft decision referred to in paragraph 1 circulated to the members of the Board in accordance with paragraph 5, a member which has not objected within a reasonable period indicated by the Chair, shall be deemed to be in agreement with the draft decision.</span><br />
<br />
<span id="4">4. Supervisory authorities and the Commission shall, without undue delay, communicate by electronic means to the Board, using a standardised format any relevant information, including as the case may be a summary of the facts, the draft decision, the grounds which make the enactment of such measure necessary, and the views of other supervisory authorities concerned.</span><br />
<br />
<span id="5">5. The Chair of the Board shall, without undue, delay inform by electronic means:</span><br />
<br />
::<span id="5a">(a) the members of the Board and the Commission of any relevant information which has been communicated to it using a standardised format. The secretariat of the Board shall, where necessary, provide translations of relevant information; and</span><br />
<br />
::<span id="5b">(b) the supervisory authority referred to, as the case may be, in paragraphs 1 and 2, and the Commission of the opinion and make it public.</span><br />
<br />
<span id="6">6. The competent supervisory authority shall not adopt its draft decision referred to in paragraph 1 within the period referred to in paragraph 3.</span><br />
<br />
<span id="7">7. The supervisory authority referred to in paragraph 1 shall take utmost account of the opinion of the Board and shall, within two weeks after receiving the opinion, communicate to the Chair of the Board by electronic means whether it will maintain or amend its draft decision and, if any, the amended draft decision, using a standardised format.</span><br />
<br />
<span id="8">8. Where the supervisory authority concerned informs the Chair of the Board within the period referred to in paragraph 7 of this Article that it does not intend to follow the opinion of the Board, in whole or in part, providing the relevant grounds, Article 65(1) shall apply.</span><br />
<br />
<span id="8">8. By derogation from paragraph 7, where a complaint is dismissed or rejected, the supervisory authority with which the complaint was lodged shall adopt the decision and notify it to the complainant and shall inform the controller thereof.</span><br />
<br />
<span id="9">9. Where the lead supervisory authority and the supervisory authorities concerned agree to dismiss or reject parts of a complaint and to act on other parts of that complaint, a separate decision shall be adopted for each of those parts of the matter. The lead supervisory authority shall adopt the decision for the part concerning actions in relation to the controller, shall notify it to the main establishment or single establishment of the controller or processor on the territory of its Member State and shall inform the complainant thereof, while the supervisory authority of the complainant shall adopt the decision for the part concerning dismissal or rejection of that complaint, and shall notify it to that complainant and shall inform the controller or processor thereof.</span><br />
<br />
<span id="10">10. After being notified of the decision of the lead supervisory authority pursuant to paragraphs 7 and 9, the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.</span><br />
<br />
<span id="11">11. Where, in exceptional circumstances, a supervisory authority concerned has reasons to consider that there is an urgent need to act in order to protect the interests of data subjects, the urgency procedure referred to in Article 66 shall apply.</span><br />
<br />
<span id="12">12. The lead supervisory authority and the other supervisory authorities concerned shall supply the information required under this Article to each other by electronic means, using a standardised format.</span><br />
<br />
==Relevant Recitals==<br />
<span id="r136"><br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><div>'''Recital 136:''' Opinion of the Board - Article 64</div><br />
<div class="mw-collapsible-content"><br />
In applying the consistency mechanism, the Board should, within a determined period of time, issue an opinion, if a majority of its members so decides or if so requested by any supervisory authority concerned or the Commission. The Board should also be empowered to adopt legally binding decisions where there are disputes between supervisory authorities. For that purpose, it should issue, in principle by a two-thirds majority of its members, legally binding decisions in clearly specified cases where there are conflicting views among supervisory authorities, in particular in the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned on the merits of the case, in particular whether there is an infringement of this Regulation. <br />
</div></div><br />
<br />
== Commentary ==<br />
<br />
''You can help us fill this section!''<br />
<br />
== Decisions ==<br />
→ You can find all related decisions in [[:Category:Article 64 GDPR]]<br />
<br />
== References ==<br />
<references /><br />
<br />
[[Category:Article 64 GDPR]] [[Category:GDPR]]</div>
AK
https://gdprhub.eu/index.php?title=VDAI_-_VDAI_vs_V%C4%AE_Registr%C5%B3_centras&diff=13935
VDAI - VDAI vs VĮ Registrų centras
2021-03-09T16:58:55Z
<p>AK: /* Holding */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Lithuania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoLT.png<br />
|DPA_Abbrevation=ADA<br />
|DPA_With_Country=ADA (Lithuania)<br />
<br />
|Case_Number_Name=VĮ Registrų centras<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Valstybinė duomenų apsaugos inspekcija <br />
|Original_Source_Link_1=https://vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre<br />
|Original_Source_Language_1=Lithuanian<br />
|Original_Source_Language__Code_1=LT<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=02.03.2021<br />
|Year=<br />
|Fine=15000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1c<br />
|GDPR_Article_3=Article 83(2)(a) GDPR<br />
|GDPR_Article_Link_3=Article 83 GDPR#2a<br />
|GDPR_Article_4=Article 83(2)(d) GDPR<br />
|GDPR_Article_Link_4=Article 83 GDPR#2d<br />
|GDPR_Article_5=Article 83(2)(g) GDPR<br />
|GDPR_Article_Link_5=Article 83 GDPR#2g<br />
<br />
<br />
<br />
|Party_Name_1=VĮ Registrų centras<br />
|Party_Link_1=https://www.registrucentras.lt/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
In February 2021, the Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of EUR 15,000 on the Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
Starting in July 2020, the VDAI investigated a data breach in the systems maintained by the State Enterprise Center of Registers. The data affected by the breach was stored in the following registers and information systems:<br />
* Electronic health services and collaboration infrastructure information system<br />
* Real estate register<br />
* Real estate cadastre<br />
* Register of Legal Entities<br />
* Population Register of the Republic of Lithuania<br />
* Register of seizure deeds<br />
* Mortgage Register of the Republic of Lithuania<br />
* Register of wills<br />
* Register of marriage contracts<br />
* Register of credentials<br />
* Register of incapacitated and restricted persons<br />
* Register of contracts<br />
* Information system for participants of legal entities<br />
* Bailiffs information system<br />
* License information system<br />
* Money Restriction Information System<br />
* Legal aid services information system<br />
* Registration service information system<br />
* Electronic signature and timestamp service<br />
* Register center document management system<br />
* Personnel administration system of the Register Center<br />
* Accounting software of the Register Center<br />
<br />
===Dispute===<br />
<br />
<br />
===Holding===<br />
The fine of EUR 15,000 was imposed for infringements of Article 32(1)(b) and (c) GDPR (BDAR in Lithuanian), i.e. failure to ensure the integrity, availability and resilience of data processing systems and services, as well as failure to restore the availability of and access to personal data in the event of a physical or technical incident within the legal deadline.<br />
<br />
In determining the amount of the administrative fine, the VDAI took into account the mitigating factors listed in Article 83(2)(b), (c), (e), (f) and (h) GDPR, i.e. the absence of intent, the efforts made to restore the damaged data, the absence of facts about material damage suffered by the data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and ruled that the proposed fine was a proportionate sanction to ensure future compliance with the provisions of the GDPR.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.<br />
<br />
<pre><br />
A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers<br />
<br />
State Data Protection Inspectorate, News, 2021 03 02<br />
<br />
Following an investigation under the General Data Protection Regulation (BDAR) into the incident of 20 July 2020 that disrupted the operation of the state registers and state information systems managed by the State Enterprise Center of Registers, the State Data Protection Inspectorate (VDAI) in February 2021 imposed a fine for improper implementation of technical and organizational data security measures.<br />
<br />
A fine of EUR 15 thousand was imposed on SE Center of Registers for infringements of Article 32(1)(b) and (c) of the BDAR, i.e. failure to ensure the integrity, availability and resilience of data processing systems and services and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline.<br />
<br />
Registers and state information systems maintained by the State Enterprise Center of Registers that were affected during the personal data security breach:<br />
- Electronic health services and collaboration infrastructure information system;<br />
- Real estate register;<br />
- Real estate cadastre;<br />
- Register of Legal Entities;<br />
- Population Register of the Republic of Lithuania;<br />
- Register of seizure deeds;<br />
- Mortgage Register of the Republic of Lithuania;<br />
- Register of wills;<br />
- Register of marriage contracts;<br />
- Register of credentials;<br />
- Register of incapacitated and restricted persons;<br />
- Register of contracts;<br />
- Information system for participants of legal entities;<br />
- Bailiffs information system;<br />
- License information system;<br />
- Money Restriction Information System;<br />
- Legal aid services information system;<br />
- Registration service information system;<br />
- Electronic signature and timestamp service;<br />
- Register center document management system;<br />
- Personnel administration system of the Register Center;<br />
- Accounting software of the Register Center.<br />
<br />
Considering that the State Enterprise Center of Registers is the data processor and/or data controller of these 22 registers and information systems and that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons, it had not implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in breach of Article 32(1)(b) and (c) of the BDAR, and taking into account the factors listed in Article 83(2)(a), (d) and (g) of the BDAR (relating to the nature, gravity, duration and scope of the infringement and the data affected), which are to be recognised as aggravating the infringement by the SE Center of Registers, it was decided to impose an administrative fine on the SE Center of Registers.<br />
<br />
Pursuant to the Law on the Legal Protection of Personal Data, a supervisory authority may impose an administrative fine on an authority or institution that violates the provisions referred to in Article 83(4)(a), (b) and (c) of the BDAR of up to 0.5 per cent of the authority's or institution's current year's budget and other gross annual income, but not more than thirty thousand euros.<br />
<br />
In determining the amount of the administrative fine, the VDAI took into account the mitigating factors listed in Article 83(2)(b), (c), (e), (f) and (h) of the BDAR, i.e. the lack of intent, the efforts made to restore the damaged data, the absence of facts about material damage suffered by data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and decided that the fine is a proportionate measure to ensure compliance with the provisions of the BDAR in the future.<br />
<br />
The VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation.<br />
<br />
Related information:<br />
Due to an incident in the State Enterprise Center of Registers: https://vdai.lrv.lt/lt/naujienos/del-valstybes-imoneje-registru-centras-ivykusio-incidento<br />
href="//vdai.lrv.lt/lt/naujienos/valstybine-duomenu-apsaugos-inspekcija-iesko-it-skyriaus-vyriausiojo-specialisto">The State Data Protection Inspectorate is looking for a chief specialist of the IT department in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete-1">2021. March 4 9-12 SolPriPa 2 WORK project presentation conference online in</a> <a href="//vdai.lrv.lt/lt/naujienos/2020-m-asmens-duomenu-apsaugos-srities-teismu-sprendimu-apibendrinimas">2020 Summary of court decisions in the field of personal data protection in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete">2021 March 4 9-12 SolPriPa 2 WORK Project Presentation Conference Online</a> <a href="//vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-programeleje-karantinas">Fined for Violations of the General Data Protection Regulation in the Quarantine App</a></div></div><div class="clear"><!-- clear --></div></div><div class="back_top"> <a href="javascript:history.go(-1);" class="back_button" style="display: none;"><i class="fa fa-angle-left" aria-hidden="true"></i>Back</a><a href="#" class="up_button" aria-label="Go up"><i></i></a> <div class="clear"><!-- clear --></div></div></div><div class="footer clearfix"><div class="inner_wrap"><div class="footer_table"><div class="footer_cell credentials"><p> L.Sapiegos st. 17, 10312 Vilnius (Entrance from the left), tel. (8 5) 271 28 04, (8 5) 279 1445, fax. (8 5) 261 9494, el. p. ada@ada.lt</p><p> Data on the State Data Protection Inspectorate are collected and stored in the Register of Legal Entities. Code 188607912</p><p> <strong>Consultation tel. (8 5) 212 7532, Monday to Thursday, 9 a.m. to 11 a.m. 
and 1pm to 3pm</strong></p><div class="credentials main_copyright"> © Government of the Republic of Lithuania</div></div><div class="footer_cell logos"><div> <a href="ES banerio nuoroda" target="_blank" title="The name of the EU banner"><img src="/assets/images/es_banner.jpg" width="150" height="60" alt="The name of the EU banner"></a></div><div class="copyright"> <a href="http://www.kryptis.lt" target="_blank" title="www.kryptis.lt"><img src="/assets/images/copyright.png" alt="Direction"></a> </div></div></div></div><div class="clear"><!-- clear --></div></div></div></main><script>$(function() { <br />
$('.ck_toggle_text').each(function() { $(this).before('<a class="ck_href ck_expand_href">'+(typeof $(this).attr('title') != "undefined" && $(this).attr('title') != '' ? $(this).attr('title') : 'Išskleisti') + '</a>').append('<a class="ck_href ck_collapse_href">Suskleisti</a>'); } );<br />
$('body').on('click','a.ck_expand_href',function() { $(this).hide(); $(this).next('.ck_toggle_text').toggleClass('ck_hide_text'); } );<br />
$('body').on('click','a.ck_collapse_href',function() { $(this).parent('.ck_toggle_text').prev('.ck_expand_href').show(); $(this).parent('.ck_toggle_text').toggleClass('ck_hide_text'); } )} );</script><script type="text/javascript" src="/assets/scripts/jquery.touchSwipe.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/vendors/jquery/jquery-migrate-3.1.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.fracs-0.15.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/imgLiquid-min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/lightslider/jquery.lightSlider.js?1614947813"></script><script type="text/javascript" src="/Project/Modules/Gpdr/assets/ccc-script.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/gallery.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/browser/jquery.browser.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery_ui/jquery-ui.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/popper.js/dist/umd/popper.min.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/bootstrap_3.3.2/js/bootstrap.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/fancybox_2.1.5/jquery.fancybox.pack.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.nicescroll.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery-scrolltofixed-min.fix.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.core.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.widget.min.js?1614947813"></script><script type="text/javascript" 
src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.mouse.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.sortable.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/select2.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/i18n/lt.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-select2.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.datepicker.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/i18n/jquery.ui.datepicker-lt.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-datepicker.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/jcarousel/jquery.jcarousel.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.cycle2.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/AudioPlayer/js/audioplayer.fix.js"></script><script type="text/javascript" src="/assets/scripts/scripts.js?1614947813"></script></body></html><br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=VDAI_-_VDAI_vs_V%C4%AE_Registr%C5%B3_centras&diff=13934
VDAI - VDAI vs VĮ Registrų centras
2021-03-09T16:58:17Z
<p>AK: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Lithuania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoLT.png<br />
|DPA_Abbrevation=ADA<br />
|DPA_With_Country=ADA (Lithuania)<br />
<br />
|Case_Number_Name=VĮ Registrų centras<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Valstybinė duomenų apsaugos inspekcija <br />
|Original_Source_Link_1=https://vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre<br />
|Original_Source_Language_1=Lithuanian<br />
|Original_Source_Language__Code_1=LT<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=02.03.2021<br />
|Year=<br />
|Fine=15000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1c<br />
|GDPR_Article_3=Article 83(2)(a) GDPR<br />
|GDPR_Article_Link_3=Article 83 GDPR#2a<br />
|GDPR_Article_4=Article 83(2)(d) GDPR<br />
|GDPR_Article_Link_4=Article 83 GDPR#2d<br />
|GDPR_Article_5=Article 83(2)(g) GDPR<br />
|GDPR_Article_Link_5=Article 83 GDPR#2g<br />
<br />
<br />
<br />
|Party_Name_1=VĮ Registrų centras<br />
|Party_Link_1=https://www.registrucentras.lt/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
In February 2021, the Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of EUR 15,000 on the Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Starting in July 2020, the VDAI investigated a data breach in the systems maintained by the State Enterprise Center of Registers. The data affected by the breach was stored in the following registers and information systems:<br />
* Electronic health services and collaboration infrastructure information system<br />
* Real estate register<br />
* Real estate cadastre<br />
* Register of Legal Entities<br />
* Population Register of the Republic of Lithuania<br />
* Register of seizure deeds<br />
* Mortgage Register of the Republic of Lithuania<br />
* Register of wills<br />
* Register of marriage contracts<br />
* Register of credentials<br />
* Register of incapacitated and restricted persons<br />
* Register of contracts<br />
* Information system for participants of legal entities<br />
* Bailiffs information system<br />
* License information system<br />
* Money Restriction Information System<br />
* Legal aid services information system<br />
* Registration service information system<br />
* Electronic signature and timestamp service<br />
* Register center document management system<br />
* Personnel administration system of the Register Center<br />
* Accounting software of the Register Center<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The fine of EUR 15,000 was imposed for infringements of Article 32(1)(b) and (c) GDPR, i.e. failure to ensure the integrity, availability and resilience of data processing systems and services, as well as failure to restore the availability of and access to personal data within the legal deadline in the event of a physical or technical incident. <br />
<br />
In determining the amount of the administrative fine, the VDAI took into account the mitigating factors listed in Article 83(2)(b), (c), (e), (f) and (h) GDPR that applied to the violation committed by the Center of Registers, i.e. the absence of intent, the efforts made to restore the damaged data, the absence of evidence of material damage suffered by the data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and ruled that the proposed fine was a proportionate sanction to ensure future compliance with the provisions of the GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.<br />
<br />
<pre><br />
<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="lt" lang="lt"><head><title> Fine imposed for breaches of the General Data Protection Regulation in the Center of Registers State Data Protection Inspectorate </title><meta charset="UTF-8" /></head><body id="module_news"><main><div class="wrapper"><div class="main_content clearfix"><div class="inner_wrap"></div><div class="inner_wrap"><h1> A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers</h1><div class="content text to_left"><p> Date: 2021 03 02</p><br />
<p style="text-align: justify;"> Having conducted an investigation under the General Data Protection Regulation (BDAR) into the incident of 20 July 2020 at the State Enterprise Center of Registers, which disrupted the operation of the state registers and state information systems managed by the State Enterprise Center of Registers, the State Data Protection Inspectorate (VDAI) in February 2021 imposed a fine for improper implementation of technical and organizational data security measures.</p><br />
<p style="text-align: justify;"> A fine of EUR 15 thousand was imposed on the SE Center of Registers for infringements of Article 32(1)(b) and (c) of the BDAR, i.e. failure to ensure the integrity, availability and resilience of data processing systems and services, and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline.</p><br />
<p style="text-align: justify;"> Registers and state information systems maintained by the State Enterprise Center of Registers that were affected by the personal data security breach:</p><br />
<ul><li style="text-align: justify;"> Electronic health services and collaboration infrastructure information system;</li><li style="text-align: justify;"> Real estate register;</li><li style="text-align: justify;"> Real estate cadastre;</li><li style="text-align: justify;"> Register of Legal Entities;</li><li style="text-align: justify;"> Population Register of the Republic of Lithuania;</li><li style="text-align: justify;"> Register of seizure deeds;</li><li style="text-align: justify;"> Mortgage Register of the Republic of Lithuania;</li><li style="text-align: justify;"> Register of wills;</li><li style="text-align: justify;"> Register of marriage contracts;</li><li style="text-align: justify;"> Register of credentials;</li><li style="text-align: justify;"> Register of Inactive and Limited Persons;</li><li style="text-align: justify;"> Register of contracts;</li><li style="text-align: justify;"> Information system for participants of legal entities;</li><li style="text-align: justify;"> Bailiffs information system;</li><li style="text-align: justify;"> License information system;</li><li style="text-align: justify;"> Money Restriction Information System;</li><li style="text-align: justify;"> Legal aid services information system;</li><li style="text-align: justify;"> Registration service information system;</li><li style="text-align: justify;"> Electronic signature and timestamp service;</li><li style="text-align: justify;"> Register center document 
management system;</li><li style="text-align: justify;"> Personnel administration system of the Register Center;</li><li style="text-align: justify;"> Accounting software of the Register Center.</li></ul><p style="text-align: justify;"> Considering that the State Enterprise Center of Registers is the data processor and / or data controller of these 22 registers and information systems, taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and objectives of data processing, as well as data processing costs. various risks and seriousness risks to the rights and freedoms of natural persons without appropriate technical and organizational measures to ensure a level of security commensurate with the risks, in breach of Article 32 (1) (b) and (c) BDAR and Article 83 (2) (a), (d) and The factors listed in points g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the SE Center of Registers, it was decided to impose an administrative fine on the SE Center of Registers.</p><p style="text-align: justify;"> Pursuant to the Law on the Legal Protection of Personal Data, a supervisory authority may impose an administrative fine on an authority or institution that violates the provisions of Article 83 (4) (a), (b) and (c) of the BDAR up to 0.5 per cent of the authority&#39;s or institution&#39;s current year&#39;s budget and other gross annual income, but not more than thirty thousand euros.</p><p style="text-align: justify;"> In determining the amount of the administrative fine, VDAI took into account the mitigating factors listed in Article 83 (2) (b), (c), (e), (f) and (h) of the BDAR, ie lack of intent, efforts to close cooperation with the SDPI and the absence of previous violations of a similar nature. 
The SDPI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and decided that the fine is a proportionate measure to to ensure compliance with the provisions of the BDAR in the future.</p><p style="text-align: justify;"> VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation.</p><p style="text-align: justify;"></p><p style="text-align: justify;"> Related information:<br /> <a href="https://vdai.lrv.lt/lt/naujienos/del-valstybes-imoneje-registru-centras-ivykusio-incidento" target="_blank">Due to an incident in the State Enterprise Center of Registers &gt;&gt;</a></p><p style="text-align: justify;"></p><div class="clear"><!-- clear --></div><div class="share"> <span class="title to_left" aria-label="Share">Share</span><ul class="soc_icons to_left"><li> <a href="http://www.facebook.com/sharer/sharer.php?u=http%3A%2F%2Fvdai.lrv.lt%2Flt%2Fnaujienos%2Fskirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" title="Facebook" target="_blank"><i class="fa fa-facebook" aria-hidden="true"></i></a></li><li> <a href="https://www.linkedin.com/sharing/share-offsite/?url=http%3A%2F%2Fvdai.lrv.lt%2Flt%2Fnaujienos%2Fskirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" title="Linkedin" target="_blank"><i class="fa fa-linkedin" aria-hidden="true"></i></a> </li></ul><div class="clear"><!-- clear --></div></div></div><div id="sidebar" class="to_right"><div class="also_read"><h4> Also read</h4> <a 
href="//vdai.lrv.lt/lt/naujienos/valstybine-duomenu-apsaugos-inspekcija-iesko-it-skyriaus-vyriausiojo-specialisto">The State Data Protection Inspectorate is looking for a chief specialist of the IT department in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete-1">2021. March 4 9-12 SolPriPa 2 WORK project presentation conference online in</a> <a href="//vdai.lrv.lt/lt/naujienos/2020-m-asmens-duomenu-apsaugos-srities-teismu-sprendimu-apibendrinimas">2020 Summary of court decisions in the field of personal data protection in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete">2021 March 4 9-12 SolPriPa 2 WORK Project Presentation Conference Online</a> <a href="//vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-programeleje-karantinas">Fined for Violations of the General Data Protection Regulation in the Quarantine App</a></div></div><div class="clear"><!-- clear --></div></div><div class="back_top"> <a href="javascript:history.go(-1);" class="back_button" style="display: none;"><i class="fa fa-angle-left" aria-hidden="true"></i>Back</a><a href="#" class="up_button" aria-label="Go up"><i></i></a> <div class="clear"><!-- clear --></div></div></div><div class="footer clearfix"><div class="inner_wrap"><div class="footer_table"><div class="footer_cell credentials"><p> L.Sapiegos st. 17, 10312 Vilnius (Entrance from the left), tel. (8 5) 271 28 04, (8 5) 279 1445, fax. (8 5) 261 9494, el. p. ada@ada.lt</p><p> Data on the State Data Protection Inspectorate are collected and stored in the Register of Legal Entities. Code 188607912</p><p> <strong>Consultation tel. (8 5) 212 7532, Monday to Thursday, 9 a.m. to 11 a.m. 
and 1pm to 3pm</strong></p><div class="credentials main_copyright"> © Government of the Republic of Lithuania</div></div><div class="footer_cell logos"><div> <a href="ES banerio nuoroda" target="_blank" title="The name of the EU banner"><img src="/assets/images/es_banner.jpg" width="150" height="60" alt="The name of the EU banner"></a></div><div class="copyright"> <a href="http://www.kryptis.lt" target="_blank" title="www.kryptis.lt"><img src="/assets/images/copyright.png" alt="Direction"></a> </div></div></div></div><div class="clear"><!-- clear --></div></div></div></main><script>$(function() { <br />
$('.ck_toggle_text').each(function() { $(this).before('<a class="ck_href ck_expand_href">'+(typeof $(this).attr('title') != "undefined" && $(this).attr('title') != '' ? $(this).attr('title') : 'Išskleisti') + '</a>').append('<a class="ck_href ck_collapse_href">Suskleisti</a>'); } );<br />
$('body').on('click','a.ck_expand_href',function() { $(this).hide(); $(this).next('.ck_toggle_text').toggleClass('ck_hide_text'); } );<br />
$('body').on('click','a.ck_collapse_href',function() { $(this).parent('.ck_toggle_text').prev('.ck_expand_href').show(); $(this).parent('.ck_toggle_text').toggleClass('ck_hide_text'); } )} );</script><script type="text/javascript" src="/assets/scripts/jquery.touchSwipe.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/vendors/jquery/jquery-migrate-3.1.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.fracs-0.15.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/imgLiquid-min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/lightslider/jquery.lightSlider.js?1614947813"></script><script type="text/javascript" src="/Project/Modules/Gpdr/assets/ccc-script.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/gallery.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/browser/jquery.browser.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery_ui/jquery-ui.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/popper.js/dist/umd/popper.min.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/bootstrap_3.3.2/js/bootstrap.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/fancybox_2.1.5/jquery.fancybox.pack.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.nicescroll.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery-scrolltofixed-min.fix.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.core.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.widget.min.js?1614947813"></script><script type="text/javascript" 
src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.mouse.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.sortable.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/select2.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/i18n/lt.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-select2.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.datepicker.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/i18n/jquery.ui.datepicker-lt.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-datepicker.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/jcarousel/jquery.jcarousel.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.cycle2.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/AudioPlayer/js/audioplayer.fix.js"></script><script type="text/javascript" src="/assets/scripts/scripts.js?1614947813"></script></body></html><br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=VDAI_-_VDAI_vs_V%C4%AE_Registr%C5%B3_centras&diff=13933
VDAI - VDAI vs VĮ Registrų centras
2021-03-09T16:57:16Z
<p>AK: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Lithuania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoLT.png<br />
|DPA_Abbrevation=ADA<br />
|DPA_With_Country=ADA (Lithuania)<br />
<br />
|Case_Number_Name=VĮ Registrų centras<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Valstybinė duomenų apsaugos inspekcija <br />
|Original_Source_Link_1=https://vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre<br />
|Original_Source_Language_1=Lithuanian<br />
|Original_Source_Language__Code_1=LT<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=02.03.2021<br />
|Year=2021<br />
|Fine=15000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1c<br />
|GDPR_Article_3=Article 83(2)(a) GDPR<br />
|GDPR_Article_Link_3=Article 83 GDPR#2a<br />
|GDPR_Article_4=Article 83(2)(d) GDPR<br />
|GDPR_Article_Link_4=Article 83 GDPR#2d<br />
|GDPR_Article_5=Article 83(2)(g) GDPR<br />
|GDPR_Article_Link_5=Article 83 GDPR#2g<br />
<br />
<br />
<br />
|Party_Name_1=VĮ Registrų centras<br />
|Party_Link_1=https://www.registrucentras.lt/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
In February 2021, the Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of €15,000 on the State Enterprise Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures, after an incident on 20 July 2020 disrupted the operation of 22 state registers and information systems it maintains and access to the personal data held in them was not restored in time. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Following an incident on 20 July 2020 that disrupted the operation of the state registers and state information systems maintained by the State Enterprise Center of Registers (VĮ Registrų centras), the VDAI investigated the resulting personal data security breach. The incident affected the following 22 registers and information systems, for which the Center of Registers acts as data processor and/or data controller:<br />
* Electronic health services and collaboration infrastructure information system;<br />
* Real estate register;<br />
* Real estate cadastre;<br />
* Register of Legal Entities;<br />
* Population Register of the Republic of Lithuania;<br />
* Register of property seizure acts;<br />
* Mortgage Register of the Republic of Lithuania;<br />
* Register of wills;<br />
* Register of marriage contracts;<br />
* Register of powers of attorney;<br />
* Register of incapacitated persons and persons with limited legal capacity;<br />
* Register of contracts;<br />
* Information system of participants of legal entities;<br />
* Bailiffs' information system;<br />
* Licence information system;<br />
* Money restriction information system;<br />
* Legal aid services information system;<br />
* Registration service information system;<br />
* Electronic signature and timestamp service;<br />
* Document management system of the Center of Registers;<br />
* Personnel administration system of the Center of Registers;<br />
* Accounting software of the Center of Registers.<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The VDAI imposed a fine of €15,000 for infringements of Article 32(1)(b) and (c) GDPR, i.e. failure to ensure the ongoing integrity, availability and resilience of the processing systems and services, and failure to restore the availability of and access to personal data within the legally prescribed period after a physical or technical incident. The breach was thus one of availability and resilience: the incident disrupted the operation of the registers, and access to the personal data held in them was not restored in time. The VDAI treated the factors in Article 83(2)(a), (d) and (g) GDPR, relating to the nature, gravity, duration and scope of the infringement and to the data concerned, as aggravating. Under the Lithuanian Law on the Legal Protection of Personal Data, an administrative fine on a public authority or body for the infringements referred to in Article 83(4)(a), (b) and (c) GDPR may not exceed 0.5 per cent of the body's current-year budget and other gross annual income, and in any case may not exceed €30,000. <br />
<br />
In determining the amount of the fine, the VDAI took into account the mitigating factors listed in Article 83(2)(b), (c), (e), (f) and (h) GDPR, i.e. the absence of intent, the efforts made to restore the damaged data, the absence of evidence of material damage to the data subjects, the close cooperation with the VDAI and the absence of previous infringements of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, depends both on the data controller, the Ministry of Health of the Republic of Lithuania, and on other institutions responsible for the consolidation of state IT resources, and held that the fine was a proportionate sanction to ensure future compliance with the GDPR. It stressed that ensuring the security of personal data is not only the controller's duty but also a direct obligation of the processor under Article 32 GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.<br />
<br />
<pre><br />
<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="lt" lang="lt"><head><title> Fine imposed for breaches of the General Data Protection Regulation in the Center of Registers State Data Protection Inspectorate </title><link rel="canonical" href="//vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" /></head><body id="module_news"><main><div class="wrapper"><div class="header"><div class="inst_name_logo"><div class="inner_wrap"><div class="name"> State Data Protection Inspectorate </div></div></div><nav id="datails-menu" class="navbar-default"><div id="navbar" class="collapse"><div id="nawbar-first-scroll"><div class="scroll"><ul class="nav first"><li class=" dropdown-submenu"> <a<br />
href="//vdai.lrv.lt/lt/naudinga-informacija">Useful information</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" dropdown-submenu"> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai">Projects</a><ul class="nav thrid"><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/es-dvyniu-projektas-nr-ua-47b-ukrainos-parlamento-vyriausiojo-zmogaus-teisiu-komisaro">EU twinning project no. 
UA / 47b &quot;Strengthening the institutional capacity of the High Commissioner for Human Rights of the Parliament of Ukraine to protect human rights and freedoms in line with European best practice&quot;</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/valstybines-duomenu-apsaugos-inspekcijos-valstybes-tarnautoju-ir-darbuotoju-kvalifikacijos-tobulinimas">Improving the qualification of civil servants and employees of the State Data Protection Inspectorate</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/informaciniu-sistemu-susiejimo-ir-modernizavimo-projektas">Information systems interconnection and modernization project</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/projektas-valstybines-duomenu-apsaugos-inspekcijos-ir-lietuvos-bibliotekininku-draugijos-bendradarbiavimo-didinimas-igyvendinant-asmens-duomenu-apsaugos-politika">Project “Increasing the cooperation between the State Data Protection Inspectorate and the Lithuanian Librarians&#39; Association in implementing the personal data protection policy”</a></li></ul></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/vaikams-ir-jaunimui">For children and young people</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/atviri-duomenys-1">Open data</a></li><li class=" "> <a href="https://vdai.lrv.lt/forms/ada-vdai-2020">Surveys</a></li><li class=" "> <a href="events">Events archive</a></li><li class=" "> <a href="https://vdai.lrv.lt/lt/skelbimai">Advertisements</a> </li></ul></div></div></li></ul></div></div><ul class="head_nav"></ul></div></nav></div><div class="main_content clearfix"><div class="inner_wrap"></div><div class="inner_wrap"><h1> A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers</h1><ol class="breadcrumb"><li> <a href="//vdai.lrv.lt/lt/" aria-label="home">Home</a></li><li class=""> <a 
href="//vdai.lrv.lt/lt/naujienos"<br />
>News</a></li><li class="active"> A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers</li></ol><div class="top_line"> <a href="javascript:window.print()" class="print_link nodeco">Print<i class="fa fa-print fa-fw" aria-hidden="true"></i></a> <div class="clear"><!-- clear --></div></div><div class="clear"><!-- clear --></div><div class="content text to_left"><div class="event_startDate single"><div class="row startDate_wrap"><div class="col-xs-12 col-sm-5"><div class="col-xs-6 col-sm-5"><h5> Data</h5></div><div class="col-xs-6 col-sm-7"><p> 2021 03 02</p></div></div><div class="col-xs-12 col-sm-7"><div class="col-xs-6 col-sm-5 col-md-4"><h5> Evaluation</h5></div><div class="col-xs-6 col-sm-7 col-md-8"> <span class="ratingContainter"><a href="#" data-like_url="//vdai.lrv.lt/lt/ratings/like?ajax=1&amp;entity=News.Ratings&amp;itemId=177&amp;style=star" class="rating_action star_icon "><span class="counter"><i></i></span>5</a></span> </div></div></div></div><div class="news_photo_wrapper"><img class="news_photo" src="//vdai.lrv.lt/uploads/vdai/news/images/852x536_crop/267_1f8b031415a579c0c0281cf144b17b1d.png" alt="Registry center bauda.png" style="max-width: 1920px; max-height: 1080px;"></div><p style="text-align: justify;"><br /> After 2020 July 20 The State Data Protection Inspectorate (VDAI), having conducted an investigation under the General Data Protection Regulation (BDAR), in 2021, carried out an incident of the State Enterprise Center of Registers that disrupted the operation of state registers and state information systems managed by the State Enterprise Center of Registers. February. imposed a fine for improper implementation of technical and organizational data security measures.</p><p style="text-align: justify;"> SE Register Center 15 thousand. 
A fine of EUR 1 million was imposed for infringements of Article 32 (1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline.</p><p style="text-align: justify;"> Registers and state information systems maintained by the State Enterprise Center of Registers that were affected during the personal data security breach:</p><ul><li style="text-align: justify;"> Electronic health services and collaboration infrastructure information system;</li><li style="text-align: justify;"> Real estate register;</li><li style="text-align: justify;"> Real estate cadastre;</li><li style="text-align: justify;"> Register of Legal Entities;</li><li style="text-align: justify;"> Population Register of the Republic of Lithuania;</li><li style="text-align: justify;"> Register of seizure deeds;</li><li style="text-align: justify;"> Mortgage Register of the Republic of Lithuania;</li><li style="text-align: justify;"> Register of wills;</li><li style="text-align: justify;"> Register of marriage contracts;</li><li style="text-align: justify;"> Register of credentials;</li><li style="text-align: justify;"> Register of Inactive and Limited Persons;</li><li style="text-align: justify;"> Register of contracts;</li><li style="text-align: justify;"> Information system for participants of legal entities;</li><li style="text-align: justify;"> Bailiffs information system;</li><li style="text-align: justify;"> License information system;</li><li style="text-align: justify;"> Money Restriction Information System;</li><li style="text-align: justify;"> Legal aid services information system;</li><li style="text-align: justify;"> Registration service information system;</li><li style="text-align: justify;"> Electronic signature and timestamp service;</li><li style="text-align: justify;"> Register center document 
management system;</li><li style="text-align: justify;"> Personnel administration system of the Register Center;</li><li style="text-align: justify;"> Accounting software of the Register Center.</li></ul><p style="text-align: justify;"> Considering that the State Enterprise Center of Registers is the data processor and / or data controller of these 22 registers and information systems, taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and objectives of data processing, as well as data processing costs. various risks and seriousness risks to the rights and freedoms of natural persons without appropriate technical and organizational measures to ensure a level of security commensurate with the risks, in breach of Article 32 (1) (b) and (c) BDAR and Article 83 (2) (a), (d) and The factors listed in points g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the SE Center of Registers, it was decided to impose an administrative fine on the SE Center of Registers.</p><p style="text-align: justify;"> Pursuant to the Law on the Legal Protection of Personal Data, a supervisory authority may impose an administrative fine on an authority or institution that violates the provisions of Article 83 (4) (a), (b) and (c) of the BDAR up to 0.5 per cent of the authority&#39;s or institution&#39;s current year&#39;s budget and other gross annual income, but not more than thirty thousand euros.</p><p style="text-align: justify;"> In determining the amount of the administrative fine, VDAI took into account the mitigating factors listed in Article 83 (2) (b), (c), (e), (f) and (h) of the BDAR, ie lack of intent, efforts to close cooperation with the SDPI and the absence of previous violations of a similar nature. 
The SDPI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and decided that the fine is a proportionate measure to to ensure compliance with the provisions of the BDAR in the future.</p><p style="text-align: justify;"> VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation.</p><p style="text-align: justify;"></p><p style="text-align: justify;"> Related information:<br /> <a href="https://vdai.lrv.lt/lt/naujienos/del-valstybes-imoneje-registru-centras-ivykusio-incidento" target="_blank">Due to an incident in the State Enterprise Center of Registers &gt;&gt;</a></p><p style="text-align: justify;"></p><div class="clear"><!-- clear --></div><div class="share"> <span class="title to_left" aria-label="Share">Share</span><ul class="soc_icons to_left"><li> <a href="http://www.facebook.com/sharer/sharer.php?u=http%3A%2F%2Fvdai.lrv.lt%2Flt%2Fnaujienos%2Fskirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" title="Facebook" target="_blank"><i class="fa fa-facebook" aria-hidden="true"></i></a></li><li> <a href="https://www.linkedin.com/sharing/share-offsite/?url=http%3A%2F%2Fvdai.lrv.lt%2Flt%2Fnaujienos%2Fskirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" title="Linkedin" target="_blank"><i class="fa fa-linkedin" aria-hidden="true"></i></a> </li></ul><div class="clear"><!-- clear --></div></div></div><div id="sidebar" class="to_right"><div class="also_read"><h4> Also read</h4> <a 
href="//vdai.lrv.lt/lt/naujienos/valstybine-duomenu-apsaugos-inspekcija-iesko-it-skyriaus-vyriausiojo-specialisto">The State Data Protection Inspectorate is looking for a chief specialist of the IT department in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete-1">2021. March 4 9-12 SolPriPa 2 WORK project presentation conference online in</a> <a href="//vdai.lrv.lt/lt/naujienos/2020-m-asmens-duomenu-apsaugos-srities-teismu-sprendimu-apibendrinimas">2020 Summary of court decisions in the field of personal data protection in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete">2021 March 4 9-12 SolPriPa 2 WORK Project Presentation Conference Online</a> <a href="//vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-programeleje-karantinas">Fined for Violations of the General Data Protection Regulation in the Quarantine App</a></div></div><div class="clear"><!-- clear --></div></div><div class="back_top"> <a href="javascript:history.go(-1);" class="back_button" style="display: none;"><i class="fa fa-angle-left" aria-hidden="true"></i>Back</a><a href="#" class="up_button" aria-label="Go up"><i></i></a> <div class="clear"><!-- clear --></div></div></div><div class="footer clearfix"><div class="inner_wrap"><div class="footer_table"><div class="footer_cell credentials"><p> L.Sapiegos st. 17, 10312 Vilnius (Entrance from the left), tel. (8 5) 271 28 04, (8 5) 279 1445, fax. (8 5) 261 9494, el. p. ada@ada.lt</p><p> Data on the State Data Protection Inspectorate are collected and stored in the Register of Legal Entities. Code 188607912</p><p> <strong>Consultation tel. (8 5) 212 7532, Monday to Thursday, 9 a.m. to 11 a.m. 
and 1pm to 3pm</strong></p><div class="credentials main_copyright"> © Government of the Republic of Lithuania</div></div><div class="footer_cell logos"><div> <a href="ES banerio nuoroda" target="_blank" title="The name of the EU banner"><img src="/assets/images/es_banner.jpg" width="150" height="60" alt="The name of the EU banner"></a></div><div class="copyright"> <a href="http://www.kryptis.lt" target="_blank" title="www.kryptis.lt"><img src="/assets/images/copyright.png" alt="Direction"></a> </div></div></div></div><div class="clear"><!-- clear --></div></div></div></main><script>$(function() { <br />
$('.ck_toggle_text').each(function() { $(this).before('<a class="ck_href ck_expand_href">'+(typeof $(this).attr('title') != "undefined" && $(this).attr('title') != '' ? $(this).attr('title') : 'Išskleisti') + '</a>').append('<a class="ck_href ck_collapse_href">Suskleisti</a>'); } );<br />
$('body').on('click','a.ck_expand_href',function() { $(this).hide(); $(this).next('.ck_toggle_text').toggleClass('ck_hide_text'); } );<br />
$('body').on('click','a.ck_collapse_href',function() { $(this).parent('.ck_toggle_text').prev('.ck_expand_href').show(); $(this).parent('.ck_toggle_text').toggleClass('ck_hide_text'); } )} );</script><script type="text/javascript" src="/assets/scripts/jquery.touchSwipe.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/vendors/jquery/jquery-migrate-3.1.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.fracs-0.15.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/imgLiquid-min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/lightslider/jquery.lightSlider.js?1614947813"></script><script type="text/javascript" src="/Project/Modules/Gpdr/assets/ccc-script.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/gallery.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/browser/jquery.browser.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery_ui/jquery-ui.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/popper.js/dist/umd/popper.min.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/bootstrap_3.3.2/js/bootstrap.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/fancybox_2.1.5/jquery.fancybox.pack.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.nicescroll.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery-scrolltofixed-min.fix.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.core.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.widget.min.js?1614947813"></script><script type="text/javascript" 
src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.mouse.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.sortable.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/select2.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/i18n/lt.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-select2.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.datepicker.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/i18n/jquery.ui.datepicker-lt.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-datepicker.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/jcarousel/jquery.jcarousel.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.cycle2.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/AudioPlayer/js/audioplayer.fix.js"></script><script type="text/javascript" src="/assets/scripts/scripts.js?1614947813"></script></body></html><br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=VDAI_-_VDAI_vs_V%C4%AE_Registr%C5%B3_centras&diff=13932
VDAI - VDAI vs VĮ Registrų centras
2021-03-09T16:56:03Z
<p>AK: Created page with "{{DPAdecisionBOX |Jurisdiction=Lithuania |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoLT.png |DPA_Abbrevation=ADA |DPA_With_Country=ADA (Lithuania) |Case_Number_Name..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Lithuania<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoLT.png<br />
|DPA_Abbrevation=ADA<br />
|DPA_With_Country=ADA (Lithuania)<br />
<br />
|Case_Number_Name=VĮ Registrų centras<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Valstybinė duomenų apsaugos inspekcija <br />
|Original_Source_Link_1=https://vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre<br />
|Original_Source_Language_1=Lithuanian<br />
|Original_Source_Language__Code_1=LT<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=<br />
|Date_Published=02.03.2021<br />
|Year=<br />
|Fine=15000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 32(1)(b) GDPR<br />
|GDPR_Article_Link_1=Article 32 GDPR#1b<br />
|GDPR_Article_2=Article 32(1)(c) GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR#1c<br />
|GDPR_Article_3=Article 83(2)(a) GDPR<br />
|GDPR_Article_Link_3=Article 83 GDPR#2a<br />
|GDPR_Article_4=Article 83(2)(d) GDPR<br />
|GDPR_Article_Link_4=Article 83 GDPR#2d<br />
|GDPR_Article_5=Article 83(2)(g) GDPR<br />
|GDPR_Article_Link_5=Article 83 GDPR#2g<br />
<br />
<br />
<br />
|Party_Name_1=VĮ Registrų centras<br />
|Party_Link_1=https://www.registrucentras.lt/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
In February 2021, the Lithuanian State Data Protection Inspectorate (VDAI) imposed a fine of EUR 15,000 on the Center of Registers (VĮ Registrų centras) for improper implementation of technical and organizational data security measures.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Starting in July 2020, the VDAI investigated a data breach incident in the systems maintained by the State Enterprise Center of Registers. The data affected by the breach was stored in the following registers and information systems:<br />
<br />
* Electronic health services and collaboration infrastructure information system;<br />
* Real estate register;<br />
* Real estate cadastre;<br />
* Register of Legal Entities;<br />
* Population Register of the Republic of Lithuania;<br />
* Register of seizure deeds;<br />
* Mortgage Register of the Republic of Lithuania;<br />
* Register of wills;<br />
* Register of marriage contracts;<br />
* Register of credentials;<br />
* Register of incapacitated and restricted persons;<br />
* Register of contracts;<br />
* Information system for participants of legal entities;<br />
* Bailiffs information system;<br />
* License information system;<br />
* Money Restriction Information System;<br />
* Legal aid services information system;<br />
* Registration service information system;<br />
* Electronic signature and timestamp service;<br />
* Register center document management system;<br />
* Personnel administration system of the Register Center;<br />
* Accounting software of the Register Center.<br />
<br />
<br />
=== Dispute ===<br />
<br />
<br />
=== Holding ===<br />
The fine of EUR 15,000 was imposed for infringements of Article 32(1)(b) and (c) GDPR, i.e. failure to ensure the integrity, availability and resilience of data processing systems and services, as well as failure to restore the availability of and access to personal data in the event of a physical or technical incident within the legal deadline. <br />
<br />
In determining the amount of the administrative fine, the VDAI took into account the mitigating factors listed in Article 83(2)(b), (c), (e), (f) and (h) GDPR, i.e. the absence of intent, the efforts made to restore the damaged data, the absence of evidence of material damage suffered by the data subjects, the close cooperation with the VDAI and the absence of previous violations of a similar nature. The VDAI also took into account that the Center of Registers, when implementing security measures, depends both on the data controller, the Ministry of Health of the Republic of Lithuania, and on other institutions dealing with the consolidation of state IT resources, and ruled that the proposed fine was a proportionate sanction to ensure future compliance with the provisions of the GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.<br />
<br />
<pre><br />
Fine imposed for breaches of the General Data Protection Regulation in the Center of Registers - State Data Protection Inspectorate<br />
href="//vdai.lrv.lt/lt/veiklos-sritys-1">Areas of activity</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/prevenciniai-tikrinimai">Preventive inspections</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/isankstines-konsultacijos">Prior consultation</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/auditai">Audits</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/skundu-nagrinejimas">Complaints handling</a></li><li class=" "> <a href="/asmens-duomenu-apsaugos-reforma/pranesimas-apie-duomenu-saugumo-pazeidima">Data security breaches</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/tarptautinis-bendradarbiavimas">International cooperation</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/veiklos-sritys-1/visuomenes-informavimas">Informing the public</a></li></ul></div></div></li><li class=" "> <a<br />
href="//vdai.lrv.lt/lt/korupcijos-prevencija">Corruption prevention</a></li><li class=" dropdown-submenu"> <a<br />
href="//vdai.lrv.lt/lt/administracine-informacija">Administrative information</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/nuostatai">Regulations</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/planavimo-dokumentai">Planning documents</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/praneseju-apsauga">Protection of whistleblowers</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/darbo-uzmokestis">Wage</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/paskatinimai-ir-apdovanojimai">Incentives and awards</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/viesieji-pirkimai">Procurement</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/biudzeto-vykdymo-ataskaitu-rinkiniai">Budget implementation report sets</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/finansiniu-ataskaitu-rinkiniai">Sets of financial statements</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/ukio-subjektu-prieziura">Supervision of economic operators</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/tarnybiniai-lengvieji-automobiliai">Official passenger cars</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/administracine-informacija/veiklos-ataskaitos">Activity reports</a></li></ul></div></div></li><li class=" "> <a<br />
href="//vdai.lrv.lt/lt/paslaugos">Services</a></li><li class=" "> <a<br />
href="//vdai.lrv.lt/lt/nuorodos">Links</a></li><li class=" dropdown-submenu"> <a<br />
href="//vdai.lrv.lt/lt/dsp-ir-dap">DSP and DAP</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="//vdai.lrv.lt/lt/dsp-ir-dap/pranesimas-apie-duomenu-saugumo-pazeidima">Data breach notification</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/dsp-ir-dap/duomenu-apsaugos-pareigunas">Data Protection Officer</a></li></ul></div></div></li><li class=" "> <a<br />
href="//vdai.lrv.lt/lt/asmens-duomenu-apsauga">Protection of personal data</a></li><li class=" dropdown-submenu"> <a<br />
href="//vdai.lrv.lt/lt/naudinga-informacija">useful information</a><div class="second-nawbar"><div class="scroll"><ul class="nav second"><li class=" "> <a href="klausimai-duk">Frequently Asked Questions (FAQ)</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/rekomendacijos-gaires-ir-kt">Recommendations, guidelines, etc.</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/covid-19-ir-bdar">COVID-19 and BDAR</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/patikrinimu-rezultatu-apibendrinimai">Summaries of inspection results</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/teismu-sprendimai-pagal-vdai-skundus">Court decisions (according to VDAI complaints)</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/2018-m-duomenu-apsaugos-reforma-1">2018 data protection reform</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/viesosios-konsultacijos-iki-bdar">Public consultation before BDAR</a></li><li class=" "> <a target="_blank" href="//vdai.lrv.lt/lt/naudinga-informacija/solpripa-2-work-projektas">SolPriPa 2 WORK project</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/solpripa-projektas">SOLPriPa PROJECT</a></li><li class=" dropdown-submenu"> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai">Projects</a><ul class="nav thrid"><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/es-dvyniu-projektas-nr-ua-47b-ukrainos-parlamento-vyriausiojo-zmogaus-teisiu-komisaro">EU twinning project no. 
UA / 47b &quot;Strengthening the institutional capacity of the High Commissioner for Human Rights of the Parliament of Ukraine to protect human rights and freedoms in line with European best practice&quot;</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/valstybines-duomenu-apsaugos-inspekcijos-valstybes-tarnautoju-ir-darbuotoju-kvalifikacijos-tobulinimas">Improving the qualification of civil servants and employees of the State Data Protection Inspectorate</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/informaciniu-sistemu-susiejimo-ir-modernizavimo-projektas">Information systems interconnection and modernization project</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/projektai/projektas-valstybines-duomenu-apsaugos-inspekcijos-ir-lietuvos-bibliotekininku-draugijos-bendradarbiavimo-didinimas-igyvendinant-asmens-duomenu-apsaugos-politika">Project “Increasing the cooperation between the State Data Protection Inspectorate and the Lithuanian Librarians&#39; Association in implementing the personal data protection policy”</a></li></ul></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/vaikams-ir-jaunimui">For children and young people</a></li><li class=" "> <a href="//vdai.lrv.lt/lt/naudinga-informacija/atviri-duomenys-1">Open data</a></li><li class=" "> <a href="https://vdai.lrv.lt/forms/ada-vdai-2020">Surveys</a></li><li class=" "> <a href="events">Events archive</a></li><li class=" "> <a href="https://vdai.lrv.lt/lt/skelbimai">Advertisements</a> </li></ul></div></div></li></ul></div></div><ul class="head_nav"></ul></div></nav></div><div class="main_content clearfix"><div class="inner_wrap"></div><div class="inner_wrap"><h1> A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers</h1><ol class="breadcrumb"><li> <a href="//vdai.lrv.lt/lt/" aria-label="home">Home</a></li><li class=""> <a 
href="//vdai.lrv.lt/lt/naujienos"<br />
>News</a></li><li class="active"> A fine has been imposed for breaches of the General Data Protection Regulation in the Center of Registers</li></ol><div class="top_line"> <a href="javascript:window.print()" class="print_link nodeco">Print<i class="fa fa-print fa-fw" aria-hidden="true"></i></a> <div class="clear"><!-- clear --></div></div><div class="clear"><!-- clear --></div><div class="content text to_left"><div class="event_startDate single"><div class="row startDate_wrap"><div class="col-xs-12 col-sm-5"><div class="col-xs-6 col-sm-5"><h5> Data</h5></div><div class="col-xs-6 col-sm-7"><p> 2021 03 02</p></div></div><div class="col-xs-12 col-sm-7"><div class="col-xs-6 col-sm-5 col-md-4"><h5> Evaluation</h5></div><div class="col-xs-6 col-sm-7 col-md-8"> <span class="ratingContainter"><a href="#" data-like_url="//vdai.lrv.lt/lt/ratings/like?ajax=1&amp;entity=News.Ratings&amp;itemId=177&amp;style=star" class="rating_action star_icon "><span class="counter"><i></i></span>5</a></span> </div></div></div></div><div class="news_photo_wrapper"><img class="news_photo" src="//vdai.lrv.lt/uploads/vdai/news/images/852x536_crop/267_1f8b031415a579c0c0281cf144b17b1d.png" alt="Registry center bauda.png" style="max-width: 1920px; max-height: 1080px;"></div><p style="text-align: justify;"><br /> After 2020 July 20 The State Data Protection Inspectorate (VDAI), having conducted an investigation under the General Data Protection Regulation (BDAR), in 2021, carried out an incident of the State Enterprise Center of Registers that disrupted the operation of state registers and state information systems managed by the State Enterprise Center of Registers. February. imposed a fine for improper implementation of technical and organizational data security measures.</p><p style="text-align: justify;"> SE Register Center 15 thousand. 
A fine of EUR 1 million was imposed for infringements of Article 32 (1) (b) and (c) of the BDAR, ie failure to ensure the integrity, availability and resilience of data processing systems and services and failure to restore access to personal data in the event of a physical or technical incident within the legal deadline.</p><p style="text-align: justify;"> Registers and state information systems maintained by the State Enterprise Center of Registers that were affected during the personal data security breach:</p><ul><li style="text-align: justify;"> Electronic health services and collaboration infrastructure information system;</li><li style="text-align: justify;"> Real estate register;</li><li style="text-align: justify;"> Real estate cadastre;</li><li style="text-align: justify;"> Register of Legal Entities;</li><li style="text-align: justify;"> Population Register of the Republic of Lithuania;</li><li style="text-align: justify;"> Register of seizure deeds;</li><li style="text-align: justify;"> Mortgage Register of the Republic of Lithuania;</li><li style="text-align: justify;"> Register of wills;</li><li style="text-align: justify;"> Register of marriage contracts;</li><li style="text-align: justify;"> Register of credentials;</li><li style="text-align: justify;"> Register of Inactive and Limited Persons;</li><li style="text-align: justify;"> Register of contracts;</li><li style="text-align: justify;"> Information system for participants of legal entities;</li><li style="text-align: justify;"> Bailiffs information system;</li><li style="text-align: justify;"> License information system;</li><li style="text-align: justify;"> Money Restriction Information System;</li><li style="text-align: justify;"> Legal aid services information system;</li><li style="text-align: justify;"> Registration service information system;</li><li style="text-align: justify;"> Electronic signature and timestamp service;</li><li style="text-align: justify;"> Register center document 
management system;</li><li style="text-align: justify;"> Personnel administration system of the Register Center;</li><li style="text-align: justify;"> Accounting software of the Register Center.</li></ul><p style="text-align: justify;"> Considering that the State Enterprise Center of Registers is the data processor and / or data controller of these 22 registers and information systems, taking into account the level of development of technical possibilities, implementation costs and the nature, scope, context and objectives of data processing, as well as data processing costs. various risks and seriousness risks to the rights and freedoms of natural persons without appropriate technical and organizational measures to ensure a level of security commensurate with the risks, in breach of Article 32 (1) (b) and (c) BDAR and Article 83 (2) (a), (d) and The factors listed in points g) (related to the nature, gravity, duration and scope of the data), which are to be recognized as aggravating the infringement of the SE Center of Registers, it was decided to impose an administrative fine on the SE Center of Registers.</p><p style="text-align: justify;"> Pursuant to the Law on the Legal Protection of Personal Data, a supervisory authority may impose an administrative fine on an authority or institution that violates the provisions of Article 83 (4) (a), (b) and (c) of the BDAR up to 0.5 per cent of the authority&#39;s or institution&#39;s current year&#39;s budget and other gross annual income, but not more than thirty thousand euros.</p><p style="text-align: justify;"> In determining the amount of the administrative fine, VDAI took into account the mitigating factors listed in Article 83 (2) (b), (c), (e), (f) and (h) of the BDAR, ie lack of intent, efforts to close cooperation with the SDPI and the absence of previous violations of a similar nature. 
The SDPI also took into account that the State Enterprise Center of Registers, when implementing security measures, is dependent on both the data controller, the Ministry of Health of the Republic of Lithuania, and other institutions dealing with the consolidation of state IT resources, and decided that the fine is a proportionate measure to to ensure compliance with the provisions of the BDAR in the future.</p><p style="text-align: justify;"> VDAI points out that ensuring the security of personal data is not only the duty of the data controller, but also the direct responsibility of the data processor provided for in Article 32 of the BDAR. The controller is directly liable for non-compliance or improper performance of this obligation.</p><p style="text-align: justify;"></p><p style="text-align: justify;"> Related information:<br /> <a href="https://vdai.lrv.lt/lt/naujienos/del-valstybes-imoneje-registru-centras-ivykusio-incidento" target="_blank">Due to an incident in the State Enterprise Center of Registers &gt;&gt;</a></p><p style="text-align: justify;"></p><div class="clear"><!-- clear --></div><div class="share"> <span class="title to_left" aria-label="Share">Share</span><ul class="soc_icons to_left"><li> <a href="http://www.facebook.com/sharer/sharer.php?u=http%3A%2F%2Fvdai.lrv.lt%2Flt%2Fnaujienos%2Fskirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" title="Facebook" target="_blank"><i class="fa fa-facebook" aria-hidden="true"></i></a></li><li> <a href="https://www.linkedin.com/sharing/share-offsite/?url=http%3A%2F%2Fvdai.lrv.lt%2Flt%2Fnaujienos%2Fskirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-registru-centre" title="Linkedin" target="_blank"><i class="fa fa-linkedin" aria-hidden="true"></i></a> </li></ul><div class="clear"><!-- clear --></div></div></div><div id="sidebar" class="to_right"><div class="also_read"><h4> Also read</h4> <a 
href="//vdai.lrv.lt/lt/naujienos/valstybine-duomenu-apsaugos-inspekcija-iesko-it-skyriaus-vyriausiojo-specialisto">The State Data Protection Inspectorate is looking for a chief specialist of the IT department in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete-1">2021. March 4 9-12 SolPriPa 2 WORK project presentation conference online in</a> <a href="//vdai.lrv.lt/lt/naujienos/2020-m-asmens-duomenu-apsaugos-srities-teismu-sprendimu-apibendrinimas">2020 Summary of court decisions in the field of personal data protection in</a> <a href="//vdai.lrv.lt/lt/naujienos/2021-m-kovo-4-d-9-12-val-solpripa-2-work-projekto-pristatymo-konferencija-internete">2021 March 4 9-12 SolPriPa 2 WORK Project Presentation Conference Online</a> <a href="//vdai.lrv.lt/lt/naujienos/skirta-bauda-del-bendrojo-duomenu-apsaugos-reglamento-pazeidimu-programeleje-karantinas">Fined for Violations of the General Data Protection Regulation in the Quarantine App</a></div></div><div class="clear"><!-- clear --></div></div><div class="back_top"> <a href="javascript:history.go(-1);" class="back_button" style="display: none;"><i class="fa fa-angle-left" aria-hidden="true"></i>Back</a><a href="#" class="up_button" aria-label="Go up"><i></i></a> <div class="clear"><!-- clear --></div></div></div><div class="footer clearfix"><div class="inner_wrap"><div class="footer_table"><div class="footer_cell credentials"><p> L.Sapiegos st. 17, 10312 Vilnius (Entrance from the left), tel. (8 5) 271 28 04, (8 5) 279 1445, fax. (8 5) 261 9494, el. p. ada@ada.lt</p><p> Data on the State Data Protection Inspectorate are collected and stored in the Register of Legal Entities. Code 188607912</p><p> <strong>Consultation tel. (8 5) 212 7532, Monday to Thursday, 9 a.m. to 11 a.m. 
and 1pm to 3pm</strong></p><div class="credentials main_copyright"> © Government of the Republic of Lithuania</div></div><div class="footer_cell logos"><div> <a href="ES banerio nuoroda" target="_blank" title="The name of the EU banner"><img src="/assets/images/es_banner.jpg" width="150" height="60" alt="The name of the EU banner"></a></div><div class="copyright"> <a href="http://www.kryptis.lt" target="_blank" title="www.kryptis.lt"><img src="/assets/images/copyright.png" alt="Direction"></a> </div></div></div></div><div class="clear"><!-- clear --></div></div></div></main><script>$(function() { <br />
$('.ck_toggle_text').each(function() { $(this).before('<a class="ck_href ck_expand_href">'+(typeof $(this).attr('title') != "undefined" && $(this).attr('title') != '' ? $(this).attr('title') : 'Išskleisti') + '</a>').append('<a class="ck_href ck_collapse_href">Suskleisti</a>'); } );<br />
$('body').on('click','a.ck_expand_href',function() { $(this).hide(); $(this).next('.ck_toggle_text').toggleClass('ck_hide_text'); } );<br />
$('body').on('click','a.ck_collapse_href',function() { $(this).parent('.ck_toggle_text').prev('.ck_expand_href').show(); $(this).parent('.ck_toggle_text').toggleClass('ck_hide_text'); } )} );</script><script type="text/javascript" src="/assets/scripts/jquery.touchSwipe.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/vendors/jquery/jquery-migrate-3.1.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.fracs-0.15.0.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/imgLiquid-min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/lightslider/jquery.lightSlider.js?1614947813"></script><script type="text/javascript" src="/Project/Modules/Gpdr/assets/ccc-script.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/gallery.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/browser/jquery.browser.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery_ui/jquery-ui.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/popper.js/dist/umd/popper.min.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/bootstrap_3.3.2/js/bootstrap.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/fancybox_2.1.5/jquery.fancybox.pack.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.nicescroll.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery-scrolltofixed-min.fix.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.core.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.widget.min.js?1614947813"></script><script type="text/javascript" 
src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.mouse.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.sortable.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/select2.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/node_modules/select2/dist/js/i18n/lt.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-select2.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/jquery.ui.datepicker.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/vendors/jquery/plugins/ui-1.10.3/i18n/jquery.ui.datepicker-lt.min.js?1614947813"></script><script type="text/javascript" src="/Framework/assets/js/cms-datepicker.js?1614947813"></script><script type="text/javascript" src="/assets/vendors/jcarousel/jquery.jcarousel.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/jquery.cycle2.min.js?1614947813"></script><script type="text/javascript" src="/assets/scripts/AudioPlayer/js/audioplayer.fix.js"></script><script type="text/javascript" src="/assets/scripts/scripts.js?1614947813"></script></body></html><br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)&diff=11200
UODO (Poland)
2020-08-24T12:39:58Z
<p>AK: /* Applicable Procedural Law */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Prezes Urzędu Ochrony Danych Osobowych<br />
[[Category:DPA]]<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoPL.png|center|250px]]<br />
|-<br />
|Name:||Prezes Urzędu Ochrony Danych Osobowych<br />
|-<br />
|Abbreviation:||UODO<br />
|-<br />
|Jurisdiction:||[[Data Protection in Poland|Poland]]<br />
[[Category: Poland]]<br />
|-<br />
|Head:||Jan Nowak<br />
|-<br />
|Deputy:||Mirosław Sanek<br />
|-<br />
|Address:||ul. Stawki 2<br />
<br />
00-193 Warsaw<br />
<br />
POLAND<br />
|-<br />
|Webpage:||[https://uodo.gov.pl/ uodo.gov.pl]<br />
|-<br />
|Email:||[mailto:kancelaria@uodo.gov.pl kancelaria@uodo.gov.pl]<br />
|-<br />
|Phone:||+48 22 531 03 00<br />
|-<br />
|Twitter:||[https://twitter.com/PDPO_Poland The Personal Data Protection Office in Poland]<br />
|-<br />
|Procedural Law:||n/a<br />
|-<br />
|Decision Database:||[https://uodo.gov.pl/pl/129 Decyzje Prezesa UODO]<br />
|-<br />
|Translated Decisions:||[[:Category:UODO (Poland)]]<br />
|-<br />
|Head Count:||n/a<br />
|-<br />
|Budget:||n/a<br />
|}<br />
<br />
'''The President of the Personal Data Protection Office''' (''Prezes Urzędu Ochrony Danych Osobowych'') is the national Data Protection Authority for Poland. It resides in Warsaw and is in charge of enforcing GDPR in Poland.<br />
<br />
The President of the Personal Data Protection Office performs his or her tasks through the Personal Data Protection Office (''Urząd Ochrony Danych Osobowych'').<br />
<br />
==Structure==<br />
The President of the Office<br />
<br />
*Director of the Office (''Dyrektor Biura'')<br />
*Case Law and Legislation Department (''Departament Orzecznictwa i Legislacji'')<br />
**Legislation Division (''Wydział Legislacji'')<br />
**Data Protection Officers Cooperation Division (''Wydział Współpracy z Inspektorami Ochrony Danych'')<br />
**Codes and Certification Division (''Wydział Kodeksów i Certyfikacji'')<br />
*International Cooperation and Education Department (''Departament Współpracy Międzynarodowej i Edukacji'')<br />
*Inspections and Breaches Department (''Departament Kontroli i Naruszeń'')<br />
**Inspections Division (''Wydział Kontroli'')<br />
**Breaches Division (''Wydział Naruszeń'')<br />
*Communication Department (''Departament Komunikacji Społecznej'')<br />
*Complaints Department (''Departament Skarg'')<br />
*Fines and Enforcement Department (''Departament Kar i Egzekucji'')<br />
<br />
==Procedural Information==<br />
<br />
===Applicable Procedural Law===<br />
''[http://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU19600300168 Kodeks postępowania administracyjnego]'' (Code of administrative procedure).<br />
<br />
===Complaints Procedure under Art 77 GDPR===<br />
''You can help us filling this section!''<br />
<br />
===''Ex Officio'' Procedures under Art 57 GDPR===<br />
''You can help us filling this section!''<br />
<br />
===Appeals===<br />
''You can help us filling this section!''<br />
<br />
==Practical Information==<br />
''You can help us filling this section!''<br />
<br />
==Statistics==<br />
''You can help us filling this section!''<br />
<br />
{{DataProtectionAuthorities}}</div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKE.561.3.2020&diff=10933
UODO (Poland) - DKE.561.3.2020
2020-07-22T15:39:59Z
<p>AK: Created page with "{{DPAdecisionBOX |Jurisdiction=Poland |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPL.png |DPA_Abbrevation=UODO |DPA_With_Country=UODO (Poland) |Case_Number_Name=DKE..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=DKE.561.3.2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=UODO<br />
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKE.561.3.2020<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
<br />
|Type=Investigation<br />
|Outcome=Violation Found<br />
|Date_Decided=06.07.2020<br />
|Date_Published=17.07.2020<br />
|Year=2020<br />
|Fine=25000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 31 GDPR<br />
|GDPR_Article_Link_1=Article 31 GDPR<br />
|GDPR_Article_2=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#1e<br />
|GDPR_Article_3=Article 58(1)(f) GDPR<br />
|GDPR_Article_Link_3=Article 58 GDPR#1f<br />
<br />
<br />
<br />
|Party_Name_1=Surveyor General of Poland <br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The President of the Personal Data Protection Office (UODO) imposed a fine of 100 000 PLN (approx. 25 000 EUR) on the Surveyor General of Poland for failing to provide the supervisory authority with access to premises, data processing equipment and means, personal data and the information required for the UODO to conduct its inspection. The UODO found a violation of Article 31 and Article 58(1)(e) and (f) GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The UODO notified the Surveyor General of Poland about a planned audit in the Central Office for Geodesy and Cartography. The audit concerned the making available by the Chief Surveyor of the State of personal data from the land and building register through the GEOPORTAL2 website. The audit was planned to clarify the following questions:<br />
<br />
1. The legal basis for the processing, including making personal data available.<br />
2. Sources of obtaining personal data.<br />
3. The scope and type of personal data made available.<br />
4. The manner and purpose of sharing the personal data.<br />
5. Whether the processing of personal data is carried out on the basis of an authorisation given by the controller or the processor (Article 29 of Regulation 2016/679).<br />
6. Whether the Chief National Surveyor has implemented appropriate technical and organisational measures to ensure an adequate level of data security (Article 32 and Article 24(1) and (2) of Regulation 2016/679).<br />
7. Whether the Chief National Surveyor has appointed a Data Protection Officer (Article 37 of Regulation 2016/679).<br />
<br />
The Chief National Surveyor declared that he would not sign the submitted authorisations and refused to consent to inspection activities within the scope set out in them. In his assessment, the inspection concerned the land and mortgage register number, which is not personal data within the meaning of the Act of 17 May 1989, the Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended).<br />
<br />
However, the Surveyor General of Poland consented to the performance of the inspection activities in the scope of determining whether appropriate technical and organisational measures have been implemented to ensure an adequate level of security of the data being subject to protection, and whether his Office has appointed a Data Protection Officer. <br />
<br />
=== Dispute ===<br />
The UODO stated that it was impossible to establish whether the Surveyor General of Poland had implemented appropriate technical measures to ensure data security, because the UODO inspectors could not gain access to the IT systems used by the Surveyor General of Poland and could not carry out the necessary examination of those systems during the inspection.<br />
<br />
In view of the above, in the course of the inspection it was only established what organisational measures the Surveyor General of Poland used for data security and whether a Data Protection Officer was appointed.<br />
<br />
=== Holding ===<br />
In view of the refusal to consent to full inspection activities and the express lack of will to cooperate, the UODO inspectors could not determine the legal basis of the processing or the technical and organisational measures taken to ensure data security on the GEOPORTAL2 website. The UODO deemed the inspection to have been thwarted by the Surveyor General of Poland.<br />
<br />
The UODO has therefore found a violation of Article 58(1) of the GDPR by the Surveyor General of Poland and imposed an administrative fine of approx. 25 000 EUR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
Warsaw, 17 July 2020<br />
DECISION<br />
DKE.561.3.2020<br />
<br />
Pursuant to Article 104 § 1 of the Act of 14 June 1960, the Code of Administrative Procedure (Journal of Laws of 2020, item 256), and Article 7 sections 1 and 2, Article 60 and Article 102 section 1 point 1 and section 3 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), in connection with Article 31, Article 57 paragraph 1 point (a), Article 58 paragraph 1 points (e) and (f) and Article 58 paragraph 2 point (i), in connection with Article 83 paragraphs 1 and 2, Article 83 paragraph 4 point (a) and Article 83 paragraph 5 point (e) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting ex officio administrative proceedings to impose an administrative fine on the Chief Surveyor of the Country with its registered office in Warsaw at 2 Wspólna Street, represented by advocates P. T. and S. K. (Kancelaria [...]), the President of the Office for the Protection of Personal Data, stating that the Head of the National Geodesist, with its registered office in Warsaw at ul. Wspólna 2, infringed the provisions of Articles 31 and 58(1)(e) and (f) of Regulation 2016/679, consisting in the failure to provide the President of the Office for the Protection of Personal Data, in the course of an inspection of compliance with the provisions on the protection of personal data, ref. 
[...], access to premises, equipment and means for the processing of personal data and access to personal data and information necessary for the President of the Office for the Protection of Personal Data to carry out his tasks, as well as failure to cooperate with the President of the Office for the Protection of Personal Data during this inspection, imposes an administrative fine of PLN 100,000 (in words: one hundred thousand zlotys) on the Chief Surveyor of the Country with its registered office in Warsaw, Wspólna 2 Street.<br />
<br />
EXPLANATORY MEMORANDUM<br />
<br />
On [...] February 2020, the President of the Office for the Protection of Personal Data (hereinafter referred to as "the President of UODO") carried out an inspection of personal data processing in the Poviat Starosty in J. (ref. no. of the inspection file [...]). The inspection concerned the making available by the Starost of J., through the GEOPORTAL2 website (www.geoportal.gov.pl), of personal data from the land and building register kept by the starosts. During the inspection it was established that the Starost of J. does not publish personal data from the land and building register on this portal, but - on the basis of a relevant agreement - transfers them (including land and mortgage register numbers) to the Chief Surveyor of the Country, who then makes the obtained data available on GEOPORTAL2. In view of the above, the President of UODO decided that it was necessary to carry out an inspection of personal data processing at the Chief Surveyor of the Country in the scope of making personal data from the land and building register available through GEOPORTAL2. The Chief Surveyor of the Country was informed about the inspection planned for [...] March 2020 (ref. [...]) by telephone and in a letter delivered on that day by e-mail.<br />
<br />
On [...] March 2020 the inspectors (employees of the Office for the Protection of Personal Data authorised by the President of UODO) went to the Main Office of Geodesy and Cartography to start the planned inspection. The inspectors presented their service cards to the Chief Surveyor of the Country and submitted their personal authorisations, which defined the detailed scope of the inspection as follows: "The inspection will cover the making available by the Chief Surveyor of the Country, through the GEOPORTAL2 website, of personal data from the land and building register, by establishing:<br />
<br />
1. The legal basis for the processing, including making personal data available.<br />
2. Sources of obtaining personal data.<br />
3. The scope and type of personal data made available.<br />
4. The manner and purpose of providing personal data to the bottom.<br />
5. Whether the processing of personal data is carried out on the basis of an authorisation given by the controller or the processor (Article 29 of Regulation 2016/679).<br />
6. Whether the Chief Surveyor of the Country has implemented appropriate technical and organisational measures to ensure an adequate level of security of the protected data (Article 32, Article 24(1) and (2) of Regulation 2016/679).<br />
7. Whether the Chief Surveyor of the Country has appointed a Data Protection Officer (Article 37 of Regulation 2016/679).<br />
<br />
As follows from the inspection protocol drawn up on [...] March 2020 and signed by the inspectors and by the Chief Surveyor of the Country, after the inspectors had presented their service cards and submitted their authorisations to carry out the inspection, the Chief Surveyor of the Country declared that he would not sign the submitted authorisations and refused to give his consent to the carrying out of inspection activities within the scope resulting from the submitted authorisations. Justifying his position, he indicated that, in his assessment, within the scope indicated in the inspection authorisations the inspection was to concern the land and mortgage register number, which is not personal data within the meaning of the Act of 17 May 1989 - Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended), hereinafter referred to as the "Geodetic and Cartographic Law". On the submitted authorisations the Chief Surveyor of the Country made a handwritten note reading: "I refuse to give my consent to the carrying out of inspection activities within the scope of the submitted authorisation (points 1 to 5) due to the lack of objectivity of the inspection, which I justify in my letter [...] of [...].03.2020; in the shortest possible terms, it results from the fact that the scope of the inspection is to focus on the land and mortgage register number, which is not personal data within the meaning of the Geodetic and Cartographic Law. I request that the scope of the inspection be clarified in accordance with the basis for its initiation." The Chief Surveyor of the Country then declared that he agreed to the carrying out of inspection activities only to the extent resulting from points 6 and 7 of the inspection authorisations. Only then did he sign the inspectors' personal authorisations, placing the words "Signed in accordance with the declaration below" next to his signature. In accordance with the above statement, the Chief Surveyor of the Country submitted to the inspection file a letter ref. [...], which indicated, among other things, the legal basis for classifying the land and mortgage register number as subject-matter data, i.e. Article 20(1)(1) of the Geodetic and Cartographic Law and § 73 of the Regulation of the Minister of Regional Development and Construction of 29 March 2001 on the land and building register.<br />
<br />
In view of the unequivocally expressed lack of consent of the Chief Surveyor of the Country to the performance of inspection activities within the scope specified in points 1-5 of the registered authorisations, the inspectors abandoned the activities in this scope, making findings only within the scope specified in points 6 and 7 of the authorisations. Within the scope of the inspection to which the Chief Surveyor of the Country had given his consent, the inspectors, among other things:<br />
<br />
1. questioned Mr W. I., the Chief Surveyor of the Country, as a witness,<br />
2. obtained a copy of the sample agreement with a starost on cooperation in the establishment and maintenance of common elements of the technical infrastructure for the publication of PZGiK data,<br />
3. obtained copies of documents certifying the general organisational measures implemented by the Chief Surveyor of the Country (not specifically related to the GEOPORTAL2 portal) to ensure the security of the protected data,<br />
4. obtained copies of documents confirming the appointment of Mr [...] as Data Protection Officer in the Main Office of Geodesy and Cartography by the Chief Surveyor of the Country,<br />
5. questioned Mr [...], Chief Specialist in the [...] Department of the Main Office of Geodesy and Cartography, as a witness,<br />
6. obtained a printout of the Regulations of www.geoportal.gov.pl,<br />
7. obtained copies of the Register of processing activities, including the risk analysis and data protection impact assessment, and of the Register of categories of processing activities, including the risk analysis.<br />
<br />
In the course of the inspection, the inspectors - due to the lack of consent of the Chief Surveyor of the Country - did not assess the technical measures implemented to ensure the security of the protected data (including the data processed through the GEOPORTAL2 portal); in particular, they did not inspect the places, objects, devices, media and IT systems used for data processing. Moreover, due to, inter alia, the refusal of the Chief Surveyor of the Country to sign the protocol of the testimony given on [...] March 2020, the inspectors did not obtain full and binding explanations, having legal effect, on the subject matter covered by the inspection.<br />
<br />
Since continuing the inspection served no purpose, given the lack of consent of the Chief Surveyor of the Country to inspection activities within the scope specified in points 1-5 of the registered inspection authorisations and the lack of cooperation on his part in this scope, the inspectors decided to end the inspection on [...] March 2020. On that day the inspection report was drawn up by the inspectors and then signed by the Chief Surveyor of the Country (without any reservations).<br />
<br />
Since it proved impossible to inspect the processing of personal data from the land and building register on the GEOPORTAL2 portal by the Chief Surveyor of the Country, the present proceedings were initiated ex officio in order to impose an administrative fine on the Chief Surveyor of the Country for breach of Article 31 and Article 58(1)(e) and (f) of Regulation 2016/679, consisting in the lack of cooperation with the President of UODO in the performance of his tasks, making it impossible to carry out an inspection of personal data processing, as well as in not providing the President of UODO with access to premises, equipment and means for personal data processing and access to personal data and information necessary for the President of UODO to perform his tasks.<br />
<br />
The Chief Surveyor of the Country was informed about the initiation of the proceedings and the collection of evidence in the case by letter of [...] March 2020, delivered to him electronically via the ePUAP platform.<br />
<br />
By letter dated [...] April 2020 (delivered to the President of UODO on [...] April 2020), the attorney of the Chief Surveyor of the Country requested that the attorneys of the Chief Surveyor of the Country be allowed to inspect the case file and make photocopies of it, or that a copy of the entire case file be made available electronically. In response to the request, copies of the entire case file were sent to the attorney of the Chief Surveyor of the Country by post, by letter of [...] May 2020, delivered to the attorney on [...] May 2020.<br />
<br />
By letter dated [...] May 2020 (delivered to the President of UODO on [...] May 2020), the attorney of the Chief Surveyor of the Country presented the position of the Chief Surveyor of the Country, indicating that "the initiation and conduct of proceedings by the President of UODO in this case is pointless and should therefore be discontinued in full". The attorney of the Chief Surveyor of the Country argued in particular that:<br />
<br />
1. "The scope of the inspection was pointless as it concerned the use of information which does not constitute personal data and in respect of which the Chief Surveyor of the Country does not decide on the purposes and methods of processing (so he could not have the status of a data controller). The GGK did not thwart the inspection, but only questioned the scope of the inspection, which was to concern the processing of personal data in the form of a land and mortgage register number."<br />
2. "The inspection [...] was carried out not at the Chief Surveyor of the Country, but at the Main Office of Geodesy and Cartography, which is a separate controller of personal data from the point of view of the provisions of the GDPR."<br />
3. "The President of UODO unjustifiably considered that the Chief Surveyor of the Country - who took part in the inspection proceedings as a person representing the inspected entity, i.e. the Main Office of Geodesy and Cartography - did not cooperate with the President of UODO in the performance of his tasks."<br />
4. "The President of UODO unjustifiably stated that the Chief Surveyor of the Country prevented the inspection of personal data processing at the controlled entity, i.e. the Main Office of Geodesy and Cartography."<br />
5. "The President of UODO unjustifiably considered that the Chief Surveyor of the Country did not provide the President of UODO with access to the premises, equipment and means for processing personal data in connection with the inspection carried out in the Main Office of Geodesy and Cartography, and did not provide access to information necessary for the President of UODO to perform his tasks."<br />
6. "Consequently, the President of UODO unduly found that the GGK could have infringed Articles 31 and 58(1)(e) and (f) of the GDPR."<br />
<br />
After considering all the evidence gathered in the case, the President of UODO considered the following.<br />
<br />
According to Article 57(1)(a) of Regulation 2016/679, the President of UODO, as the supervisory authority within the meaning of Article 51 of Regulation 2016/679, has the task of monitoring and enforcing the application of the Regulation in its territory. Within the framework of his competences, the President of UODO has the task, inter alia, of conducting proceedings on the application of Regulation 2016/679 (Article 57(1)(f)). In order to be able to carry out these tasks, the President of UODO has a number of investigative powers, set out in Article 58(1) of Regulation 2016/679, including the power to order the controller and the processor to provide any information required for the performance of its tasks (Article 58(1)(a) of Regulation 2016/679), the power to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of its tasks (Article 58(1)(e)) and the power to obtain access to any premises of the controller and the processor, including any data processing equipment and means, in accordance with Union or Member State procedural law (Article 58(1)(f)). An infringement of the provisions of Regulation 2016/679 consisting in a public authority, being the controller or processor, failing to ensure access to the data and information referred to above, and thus breaching the powers of the authority specified in Article 58(1), is subject - in accordance with Article 83(5)(e) in fine of Regulation 2016/679 in connection with Article 102(1) and (3) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "u.o.d.o." - to an administrative fine of up to PLN 100,000.<br />
<br />
It should also be noted that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of Regulation 2016/679. Failure to comply with this obligation is also subject - pursuant to Article 83(4)(a) of Regulation 2016/679 in conjunction with Article 102(1) and (3) u.o.d.o. - to an administrative fine of up to PLN 100,000.<br />
<br />
The "procedure laid down in Union or Member State law" referred to in Article 58(1)(f) of Regulation 2016/679 for the exercise of the supervisory authority's power to obtain access to the premises of the controller and the processor, including data processing equipment and means, is, under Polish law, the procedure of "inspection of the observance of the provisions on personal data protection" described in Chapter 9 u.o.d.o. (Articles 78-91). In accordance with Article 78 u.o.d.o., the President of UODO carries out inspections of the observance of the provisions on personal data protection (paragraph 1), and such an inspection may be carried out "in accordance with the inspection plan approved by the President of the Office or on the basis of information obtained by the President of the Office or as part of monitoring the observance of the application of Regulation 2016/679" (paragraph 2). Inspectors (authorised employees of the Office for the Protection of Personal Data) are entitled - as provided for in Article 84(1) u.o.d.o. - to: 1. enter land and buildings, premises or other rooms between 6.00 a.m. and 10.00 p.m.; 2. inspect documents and information directly related to the subject matter of the inspection; 3. carry out inspections of places, objects, devices, media and IT or ICT systems used for data processing; 4. demand written or oral explanations and question persons as witnesses to the extent necessary to establish the facts; 5. commission expert reports and opinions. The inspector establishes the facts on the basis of the evidence gathered (using the powers indicated above) in the inspection proceedings, in particular documents, objects, inspections and oral or written explanations and statements (Article 87 u.o.d.o.).<br />
<br />
Referring the above provisions to the facts of the present case, it should be stated that the President of UODO had the right to initiate and carry out an inspection of personal data processing at the Chief Surveyor of the Country; he also had justification for making findings in this type of proceedings (the inspection proceedings regulated in Chapter 9 u.o.d.o.).<br />
<br />
The inspection powers of the President of UODO were formulated broadly in the above-mentioned provisions of Regulation 2016/679 and u.o.d.o.; their use is limited only by the purpose, which is checking whether the provisions on personal data protection are observed. It is worth noting that even a justified suspicion of an infringement is not a condition for such an inspection. In Article 78(2) u.o.d.o. the legislator explicitly allows an inspection to be carried out "in accordance with [...] the inspection plan", i.e. without prior information indicating irregularities in the processing of personal data in a particular entity, and even without information indicating whether the entity processes personal data at all (an inspection of such an entity would have to establish that circumstance in the first place, before making further findings concerning e.g. the legality and lawfulness of processing). The general and broad definition of the task to be performed by the President of UODO ("monitoring and enforcing the application of the Regulation" referred to in Article 57(1)(a) of Regulation 2016/679, "inspection of the observance of the provisions on personal data protection" referred to in Article 78(1) u.o.d.o.) leaves it to the President of UODO to define both the circle of inspected entities and the scope of inspections. This task should be understood broadly - not only as checking whether a specific entity in a particular case infringes the provisions on personal data protection in a specific way, but also as a task undertaken in order to identify the types, areas of occurrence and scale of problems related to the application of the provisions on personal data protection (in particular Regulation 2016/679), to eliminate them and to prevent them in the future. In the context of the freedom left to the President of UODO to determine the entity subject to inspection and the scope of the inspection, it should be stated that in the present case the President of UODO had a particularly justified basis for initiating and carrying out an inspection at the Chief Surveyor of the Country to the extent he considered necessary for the performance of the task of monitoring the application of Regulation 2016/679. As a result of the inspection carried out on [...] February 2020 in the Poviat Starosty in J. (inspection file ref. [...]), information was obtained on the transfer of personal data from the land and building register (including land and mortgage register numbers) by the Starost of J. to the Chief Surveyor of the Country and their further processing (making them available) through the GEOPORTAL2 portal. The mere fact that the Chief Surveyor of the Country has these data at his disposal constitutes a sufficient basis for carrying out an inspection at his premises for the purpose of - as stated in Article 87 u.o.d.o. - gathering evidence allowing the facts of the case to be established (and not for the legal assessment of those facts, which - where an infringement is suspected - takes place in separate administrative proceedings). It follows from the essence of an inspection understood in this way that the inspected entity cannot question its legitimacy and scope at the stage of initiation and conduct of the inspection. As the Supreme Administrative Court rightly pointed out in its judgment of 3 March 2016 in case ref. II OSK 1667/14 (concerning a fine imposed by the Chief Sanitary Inspector on the basis of the Act of 25 August 2006 on food and nutrition safety (Journal of Laws of 2019, item 1252, as amended) in connection with the obstruction of an official food control): "The court of first instance and the authorities reviewed in the administrative court proceedings are right that the inspected establishment is not entitled to decide on the scope of the inspection. This is the exclusive domain of the inspection bodies." (Lex No 2113109). This statement, in the opinion of the President of UODO, is of general significance and also applies to inspections of compliance with the provisions on personal data protection. The place for questioning the legal assessment of the facts of the case (and this is what the Chief Surveyor of the Country is in fact doing in this case by questioning the scope of the inspection on the basis of the claim that the land and mortgage register number does not constitute personal data) is possible infringement proceedings initiated on the basis of the evidence gathered during the inspection proceedings.<br />
<br />
As shown above, the inspection powers of the President of UODO are limited by the purpose of the inspection, which is to check compliance with the provisions on personal data protection. The position of the Chief Surveyor of the Country expressed during the inspection, and developed in the letter of his proxy of [...] May 2020, that data in the form of land and mortgage register numbers do not constitute personal data, is in fact an assertion that the inspection (to the extent specified in points 1-5 of the registered inspection authorisations) did not fall within this purpose. Such an assertion must be regarded as clearly incorrect. Without prejudging in this decision the qualification of these data as personal data in the present case, it should be pointed out that, at the time the inspection was initiated, the President of UODO had at least legitimate grounds for such a qualification. These grounds resulted from the consistently held position of the President of UODO and, earlier, of the Inspector General for the Protection of Personal Data, as well as from the position of legal doctrine and the case law of the administrative courts (see the judgment of the Supreme Administrative Court of 18 February 2014, ref. I OSK 1839/12, LEX no. 1449867; the judgment of the Supreme Administrative Court of 26 September 2018, ref. I OSK 276/17, LEX no. 2737936; the judgment of the Supreme Administrative Court of 26 September 2018, ref. I OSK 11/17, LEX no. 2573629). The actions of the Chief Surveyor of the Country aimed at thwarting or hindering the inspection should therefore be considered inadmissible, in particular where those actions are based solely on the subjective legal assessment of the inspected entity (even if supported by selected, unrepresentative voices of doctrine and court rulings). Such action would lead to an unacceptable situation in which, by making it impossible to establish the facts of the case, the inspected entity deprives the independent supervisory authority of the possibility of making its own reliable and comprehensive legal assessment of the situation, which could, if necessary, be subject to subsequent verification by the competent judicial and administrative authorities.<br />
<br />
The position put forward by the representative of the Chief Surveyor of the Country in his letter of [...] May 2020 that "the scope of the inspection carried out is devoid of purpose, since it concerns the use of information [...] in respect of which the Chief Surveyor of the Country does not decide on the purposes and means of processing (and could not therefore have the status of data controller)" should be assessed in line with the above argumentation. The assessment of whether the Chief Surveyor of the Country is a controller (or perhaps a joint controller, or possibly a processor) in the processing of data on the GEOPORTAL2 portal is an element of the facts to be established during the inspection. At the moment of initiating the inspection, the President of UODO had information that in the GEOPORTAL2 portal, whose administrator is the Chief Surveyor of the Country, information which constitutes (or may constitute) personal data is processed, in particular the land and mortgage register numbers assigned to the properties presented in the portal. This was confirmed by the results of the inspection carried out in the Poviat Starosty in J. (file ref. [...]), from which it appeared that the Chief Surveyor of the Country obtained data (including land and mortgage register numbers) from the land and building register kept by the Starost of J. in order to process them further through the GEOPORTAL2 portal. Additionally, it is worth pointing out that the Rules and Regulations of the www.geoportal.gov.pl website (published on the website www.geoportal.gov.pl) contain information directly indicating that the controller of personal data processed in the GEOPORTAL2 portal is the Chief Surveyor of the Country ("The controller of your personal data is the Chief Surveyor of the Country with its registered office in Warsaw, Wspólna 2, 00-926 Warsaw"). Such information justified the need to carry out an inspection of compliance with the provisions on personal data protection, inter alia in order to determine the role of the Chief Surveyor of the Country in this data processing. The position of the Chief Surveyor of the Country, presented in the letter of his proxy of [...] May 2020, also erroneously assumes that the entity subject to inspection by the President of UODO may only be the entity which decides on the purposes and means of processing, i.e. the controller (which - in his own opinion - he is not in the case under consideration). The Chief Surveyor of the Country seems not to notice that the obligation to provide access to personal data and information necessary for the performance of the tasks of the President of UODO, and access to premises, equipment and means of data processing, referred to in Article 58(1)(e) and (f), lies not only with the controller but also with the joint controller and the processor. While denying his role as controller, the Chief Surveyor of the Country does not seem to exclude that he processes personal data from the land and building register as a processor - on behalf of the controllers (the starosts), on the basis of agreements which could in fact be assessed as agreements of the kind referred to in Article 28(3) of Regulation 2016/679. The above uncertainty as to the role played in the processing in GEOPORTAL2 of the data obtained from the land and building register, which could have been removed in the course of the inspection, proves the legitimacy of carrying out the inspection at the Chief Surveyor of the Country to the full extent specified in the inspectors' personal authorisations. Similarly, the obligation to cooperate with the supervisory authority, specified in Article 31 of Regulation 2016/679, is addressed not only to the controller but also to the processor.<br />
<br />
Referring to the last argument presented by the representative of the Chief Surveyor of the Country in his letter of [...] May 2020 as justifying - in his opinion - the refusal to give consent to the inspection carried out by the President of UODO, i.e. the claim that "the inspection [...] was carried out not at the Chief Surveyor of the Country, but at the Main Office of Geodesy and Cartography, which from the point of view of the provisions of the GDPR is a separate controller of personal data", it should be noted that it is based only on the fact that in several places in the documents relating to the inspection (in the inspectors' personal authorisations) the President of UODO indicated the Main Office of Geodesy and Cartography as the place where the inspection activities were to be (and were) carried out. This is because it is in the Main Office of Geodesy and Cartography, as the organisational unit with the help of which the Chief Surveyor of the Country carries out his tasks, that the personal data and sources of information, premises, equipment and means for the processing of personal data, access to which was necessary for the President of UODO to gather evidence in the case, are located. An analysis of the entire content of the documents concerning the inspection (in particular those preparing it - the inspection notice of [...] March 2020 and the inspectors' personal authorisations of [...] March 2020) shows unequivocally that the purpose of the inspection related to the performance of the statutory task of the Chief Surveyor of the Country, which is to create and maintain the GEOPORTAL2 portal. This is evidenced by statements such as: "the scope of the inspection will include the making available by the Chief Surveyor of the Country...", "please prepare documentation concerning the processing of personal data by the Chief Surveyor of the Country" (both from the inspection notice), "the inspection will cover the making available by the Chief Surveyor of the Country...", "whether the Chief Surveyor of the Country has implemented appropriate technical and organisational measures...", "whether the Chief Surveyor of the Country has appointed a Data Protection Officer..." (the last three from the registered inspectors' authorisations). As indicated by the representative of the Chief Surveyor of the Country himself in his letter of [...] May 2020, the task of creating and maintaining the GEOPORTAL2 portal is laid down in Article 5 of the Act of 17 May 1989 - Geodetic and Cartographic Law (Journal of Laws of 2020, item 276, as amended) and Article 13(1) of the Act of 4 March 2010 on spatial information infrastructure (Journal of Laws of 2020, item 177, as amended). The latter provision stipulates that the Chief Surveyor of the Country creates and maintains a geoportal of the spatial information infrastructure as a central point of access to services related to spatial data sets and services; it does not, however, provide for any participation of the Main Office of Geodesy and Cartography in this task. The above provision defining competence and responsibility for the functioning of the GEOPORTAL2 portal, combined with the subject and scope of the inspection indicated by the President of UODO, should not leave (especially for the central authority competent in matters of geodesy and cartography) any doubt as to the identification of the entity subject to inspection. It should additionally be emphasised that the Chief Surveyor of the Country, both at the commencement of and during the inspection, did not raise any reservations as to the identification of the entity to be inspected, although he had the opportunity to do so (in the statement on the inspectors' personal authorisations about his lack of consent to the inspection, in reservations to the minutes of his hearing as a witness, or in the form of a reservation to the inspection report). In the opinion of the President of UODO, the reservation concerning the identification of the inspected entity was formulated by the Chief Surveyor of the Country post factum, solely for the purpose of justifying the infringement of the provisions on personal data protection.<br />
<br />
Summarising the above considerations, it should be stated that the justification for the refusal to consent to the inspection of the processing of personal data by the Chief National Surveyor, developed by his representative in the position presented to the President of UODO in the letter of [...] May 2020, cannot be accepted on any point. The President of UODO had the right and the grounds to carry out an inspection at the Chief National Surveyor. The scope of this inspection fell within the objectives set out in Article 57(1)(a) of Regulation 2016/679 ('monitoring and enforcing the application of the Regulation') and Article 78(1) of the Polish Act on the Protection of Personal Data ('monitoring of compliance with the provisions on personal data protection'). The conduct of the Chief National Surveyor as the inspected entity, consisting in the refusal to consent to the inspection within the scope specified in points 1-5 of the inspectors' personal authorisations, made it impossible to carry out the inspection activities in this area in full (in particular the inspection of the IT and ICT systems in which the Chief National Surveyor processes personal data, obtaining the explanations of the Chief National Surveyor in this respect, obtaining explanations and testimonies from the employees of the Chief National Surveyor, and obtaining an insight into the documents constituting the basis for obtaining the personal data processed in the GEOPORTAL2 portal, e.g. those between the Chief National Surveyor and the heads of district authorities). The refusal of the Chief National Surveyor to allow the inspection within the scope specified in points 1-5 of the inspectors' personal authorisations, amounting to a declaration of a complete lack of cooperation with the inspectors in this respect, caused the inspectors to withdraw from activities in this area. 
The Supreme Administrative Court, in the aforementioned judgment of 3 March 2016, case ref. II OSK 1667/14, rightly indicated that: "one should agree with the position that in order for an inspection to achieve its objective it requires at least a minimum degree of cooperation from the inspected party. That cooperation must relate to the full extent of the authority's powers". In the present case, there was no cooperation on the part of the Chief National Surveyor in the area of the inspection which he arbitrarily considered to be unfounded.<br />
<br />
Applying the above findings to the obligations which the provisions of Regulation 2016/679 impose on the controller and the processor in their relations with the supervisory authority, it should be stated that the Chief National Surveyor, by his conduct in the course of the inspection under ref. [...], infringed:<br />
<br />
1. Article 58(1)(e) of Regulation 2016/679, which requires him to ensure that the President of UODO has access to all personal data and all information necessary for the supervisory authority to carry out its tasks,<br />
2. Article 58(1)(f) of Regulation 2016/679, which requires him to ensure that the President of UODO has access to all premises of the controller and the processor, including any data processing equipment and means, in accordance with the procedures laid down in Union or Member State law,<br />
3. Article 31 of Regulation 2016/679 which requires him to cooperate with the President of UODO, at his request, in the performance of his tasks.<br />
In connection with the above infringements of Regulation 2016/679, the President of UODO concludes that in the present case the conditions are met for imposing on the Chief National Surveyor, pursuant to Article 83(4)(a) and Article 83(5)(e) in fine of Regulation 2016/679, an administrative fine for failure to ensure the President of UODO access to the premises, equipment and means for processing personal data, and to the personal data and information necessary for the President of UODO to perform his tasks, as well as for failure to cooperate with the President of UODO during this inspection.<br />
<br />
Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case, with due regard in each case to the circumstances listed in points (a) to (k) of that provision. When deciding to impose an administrative fine on the Chief National Surveyor in the present case and when setting its amount, the President of UODO took into account, among other things, the following aggravating circumstances affecting the assessment of the infringement:<br />
<br />
1. Nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).<br />
<br />
An infringement subject to an administrative fine in this case undermines a system designed to protect one of the fundamental rights of the individual, namely the right to the protection of his or her personal data or, more broadly, to the protection of his or her privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, are the supervisory authorities, which are entrusted with tasks related to the protection and enforcement of individuals' rights in this respect. In order to be able to carry out these tasks, supervisory authorities have been equipped with a number of inspection, investigative and corrective powers. Correspondingly, certain obligations are imposed on controllers and processors, correlated with the powers of the supervisory authorities, including the obligation to cooperate with the supervisory authorities and to provide them with access to personal data and other information necessary for the performance of their tasks, as well as access to premises, equipment and means of processing personal data. The actions of the Chief National Surveyor in the course of the inspection under ref. [...], aimed at thwarting its performance within the scope indicated in points 1-5 and point 6 (as regards the technical measures implemented to ensure an appropriate level of security) of the inspectors' personal authorisations, and resulting in the lack of access to evidence of the legality and lawfulness of the processing by the Chief National Surveyor of personal data coming from the land and building register, should therefore be considered detrimental to the entire system of personal data protection, and thus of great weight and reprehensible nature. 
The seriousness of the infringement is further increased by the fact that the infringement committed by the Chief National Surveyor, albeit one-off (it took place on [...] March 2020), has had effects lasting to the present day. The lack of cooperation of the Chief National Surveyor, expressed in his refusal to recognise the right of the President of UODO to inspect whether his processing of personal data from the land and building register in the GEOPORTAL2 portal complies with the regulations, persists, as confirmed by the position of the Chief National Surveyor expressed in the letter of his proxy of [...] May 2020. Moreover, it should be pointed out as an aggravating circumstance that the infringement of the powers of a public authority, i.e. the President of UODO, was committed by another public authority, the Chief National Surveyor. In the opinion of the President of UODO, a public authority should be expected to show a special, greater understanding of and respect for the actions taken by other authorities within the framework of their statutory tasks than is expected of private entities, and a greater degree of cooperation in the performance of those tasks.<br />
<br />
2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).<br />
<br />
In the opinion of the President of UODO, the lack of willingness on the part of the Chief National Surveyor to cooperate in providing the authority with all the information (evidence) necessary to determine whether the data processing operations subject to inspection have a legal basis and are carried out in accordance with the law is intentional. The Chief National Surveyor's refusal to consent to the inspection and his declaration of non-cooperation in this respect were expressed unequivocally and firmly. The argumentation presented to justify this position is, as shown above, completely unfounded and, in the opinion of the President of UODO, was largely created post factum in order to justify an unwillingness to submit to a justified and lawful examination by an independent supervisory authority. Given that the Chief National Surveyor is a public entity (and, moreover, a central body within the structure of the geodetic and cartographic service) which processes the personal data of citizens on a large scale within the scope of its competence, it must also be assumed that he was (and still is) aware that his conduct may constitute a breach of the provisions of Regulation 2016/679, and accepts this state of affairs.<br />
<br />
3. Lack of cooperation with the supervisory authority to remedy the breach and mitigate its possible negative effects (Article 83 (2) (f) of Regulation 2016/679).<br />
<br />
In the course of the present proceedings concerning the imposition of an administrative fine, the Chief National Surveyor maintained his objection to the inspection in the disputed scope (based on the position denying the President of UODO the right to examine the processing of personal data from the land and building register in the GEOPORTAL2 portal). He also did not express any willingness to cooperate with the President of UODO in order to remedy the infringement, which could consist, in particular, in providing full and exhaustive explanations on the matters in respect of which the inspection was thwarted.<br />
<br />
The other prerequisites for imposing an administrative fine set out in Article 83(2) of Regulation 2016/679 either did not affect (as aggravating or mitigating factors) the President of UODO's assessment of the infringement (these include: any relevant previous infringements on the part of the controller or processor, the manner in which the supervisory authority learned of the infringement, compliance with measures previously applied in the same case, and adherence to approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the infringement (which concerns the relationship of the controller or processor with the supervisory authority and not with the data subjects), could not be taken into account in this case (these include: the number of data subjects affected and the extent of the damage suffered by them, actions taken by the controller or processor to mitigate the damage suffered by data subjects, the degree of responsibility of the controller or processor taking into account the technical and organisational measures implemented, and the categories of personal data affected by the infringement).<br />
<br />
Pursuant to Article 83(1) of Regulation 2016/679, the administrative fine imposed by the supervisory authority must be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the fine imposed on the Chief National Surveyor in these proceedings meets these criteria. It will discipline the Chief National Surveyor to cooperate properly with the President of UODO in future proceedings conducted with his participation. The maximum fine imposed by the present decision, as specified in Article 102(1) of the Act on the Protection of Personal Data (ustawa o ochronie danych osobowych), is, in the opinion of the President of UODO, justified and proportionate to the seriousness of the infringement found. The fine will also serve as a deterrent: it sends a clear signal both to the Chief National Surveyor and to other entities obliged under Regulation 2016/679 to cooperate with the President of UODO that disregarding the obligations of cooperation (in particular by hindering the inspection of compliance with the provisions on personal data protection) constitutes a serious infringement and, as such, will be subject to financial sanctions.<br />
<br />
In this case, Article 102(1) and (3) of the Act on the Protection of Personal Data apply, according to which the amount of the administrative fine imposed, on the basis and under the conditions specified in Article 83 of Regulation 2016/679, on a public finance sector unit within the meaning of the Act of 27 August 2009 on Public Finance (Journal of Laws of 2019, item 869, as amended) is limited to PLN 100,000.<br />
<br />
In view of the above, the President of the UODO ruled as in the operative part of this decision. <br />
<br />
The decision is final. A party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw within 30 days from the date of its delivery, via the President of UODO (address: ul. Stawki 2, 00-193 Warsaw). A proportional entry fee (wpis stosunkowy) is payable on the complaint pursuant to Article 231 in conjunction with Article 233 of the Act of 30 August 2002 - Law on Proceedings before Administrative Courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the lodging of a complaint with an administrative court suspends the execution of the decision as regards the administrative fine.<br />
<br />
Pursuant to Article 105(1) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), the administrative fine is to be paid within 14 days from the expiry of the deadline for lodging a complaint with the Provincial Administrative Court, or from the date on which the judgment of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data at the National Bank of Poland (NBP O/O Warszawa) no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105(2) of that Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or divide it into instalments. If the payment deadline is postponed or the fine is divided into instalments, the President of UODO charges interest on the unpaid amount, on an annual basis, at the reduced rate of interest for late payment announced pursuant to Article 56d of the Act of 29 August 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the request.<br />
<br />
<br />
<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKE.561.2.2020&diff=10932
UODO (Poland) - DKE.561.2.2020
2020-07-22T14:37:32Z
<p>AK: Created page with "{{DPAdecisionBOX |Jurisdiction=Poland |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPL.png |DPA_Abbrevation=UODO |DPA_With_Country=UODO (Poland) |Case_Number_Name=DKE..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=DKE.561.2.2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=UODO<br />
|Original_Source_Link_1=https://uodo.gov.pl/en/553/1145<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
<br />
|Type=Other<br />
|Outcome=<br />
|Date_Decided=06.07.2020<br />
|Date_Published=16.07.2020<br />
|Year=2020<br />
|Fine=1170<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_1=Article 58 GDPR#1e<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 5,000 (approx. EUR 1,170) on an individual entrepreneur running a non-public nursery and pre-school for failure to provide the UODO with access to the personal data and other information necessary for the performance of its tasks (Article 58(1)(e) GDPR).<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The controller notified the President of the UODO of a personal data breach, which consisted in losing access to personal data stored in the private nursery and pre-school she ran.<br />
<br />
Given the lack of information necessary to assess the notification, the supervisory authority requested the controller three times to clarify the facts. The entrepreneur did not respond to any of the requests of the President of the UODO.<br />
<br />
=== Dispute ===<br />
The controller notified the President of the UODO of a personal data breach and should therefore have expected further communication from the supervisory authority on the matter. In its assessment of the infringement, the UODO took into account the activity conducted by the controller: the processing concerned personal data relating to children, who require special protection.<br />
<br />
=== Holding ===<br />
The UODO decided that disregarding the obligation to cooperate, on request, with the supervisory authority, in particular by hindering access to information necessary for the performance of its tasks, is a serious infringement of Article 58(1)(e) GDPR and as such is subject to a fine.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
Warsaw, 16 July 2020<br />
DECISION<br />
DKE.561.2.2020<br />
<br />
Pursuant to Article 104 § 1 of the Act of 14 June 1960 - Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7(1) and (2), Article 60, Article 101 and Article 103 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), in connection with Article 31 and Article 58(1)(e), in connection with Article 83(1)-(3) and Article 83(5)(e), of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), following administrative proceedings initiated ex officio to impose an administrative fine on Ms A. T., conducting business activity under the name [...] in Ł., the President of the Office for the Protection of Personal Data, finding that Ms A. T., conducting business activity under the name [...] in Ł., infringed Article 58(1)(e) of Regulation 2016/679 by failing to provide access to the personal data and other information necessary for the President of the Office for the Protection of Personal Data to perform his tasks, i.e. to assess, in the light of Article 34(1) and (2) of Regulation 2016/679, the personal data breach reported by Ms A. T., conducting business activity under the name [...] in Ł.,<br />
<br />
imposes on Ms A. T., conducting business activity under the name [...] in Ł., an administrative fine in the amount of PLN 5,000 (in words: five thousand zlotys), equivalent to EUR 1,168.39 according to the average EUR exchange rate announced by the National Bank of Poland in the exchange rate table of 28 January 2020.<br />
<br />
EXPLANATORY MEMORANDUM<br />
<br />
On [...] June 2019 the Office for the Protection of Personal Data received a notification of a personal data breach submitted by Ms A. T., conducting business activity under the name [...] with a permanent place of business in Ł. (hereinafter also referred to as the 'Entrepreneur'). The personal data breach consisted in the Entrepreneur losing access to personal data stored at the registered office of her institution, i.e. the Non-public Nursery and Kindergarten [...] located in Ł. The breach occurred as a result of actions which, in the opinion of the Entrepreneur, were unlawful and were taken by an external entity, namely the intrusion into the facility, during a performance given by the children for their parents, of persons acting on behalf of G. Spółka z ograniczoną odpowiedzialnością Spółka Komandytowa with its registered office in R. (hereinafter also referred to as 'the Company'). These persons, while handing out leaflets about the Entrepreneur's alleged debts, informed those gathered about the closure of the facility and the opening of a new one in its place. On an unknown date the Company replaced all the locks in the premises, so that the Entrepreneur could not open the facility. The kindergarten's equipment, including computers and documentation containing the personal data of employees, of the children attending the kindergarten and nursery and of their legal guardians, remained locked inside. The Entrepreneur indicated that the breach concerned about 200 persons and that the scope of their personal data included: first and last names, parents' first names, date of birth, bank account number, address of residence or stay, PESEL number, e-mail address, series and number of ID card and telephone number. 
In the opinion of the Entrepreneur, there was a high risk to the rights or freedoms of natural persons; therefore 120 persons (all legal guardians of the children and the employees) were notified of the breach by telephone or in person.<br />
<br />
Due to the lack of information necessary for the President of the Office for the Protection of Personal Data to assess the breach, pursuant to Article 58(1)(a) and (e) of Regulation 2016/679, by letter of [...] June 2019 (ref. [...]) addressed to the Entrepreneur's permanent place of business, i.e. [...] (the address indicated in CEIDG), the President of the Office for the Protection of Personal Data (hereinafter also: "President of UODO") requested the Entrepreneur to present the anonymised content of the notification addressed to the persons affected by the breach, in order to determine whether the controller had notified the data subjects of the personal data breach in accordance with Article 34(1) and (2) of Regulation 2016/679.<br />
<br />
Moreover, in this letter the President of UODO indicated to the Entrepreneur that, in accordance with Article 34(2) of Regulation 2016/679, the communication should describe in clear and plain language the nature of the personal data breach and contain at least the information and measures referred to in Article 33(3)(b), (c) and (d) of Regulation 2016/679, i.e.: (1) the name and contact details of the data protection officer or other contact point where more information can be obtained; (2) a description of the likely consequences of the personal data breach; (3) a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.<br />
<br />
The letter of [...] June 2019 (ref. [...]) was returned to the sender on [...] July 2019 with the annotation 'not collected on time'. Therefore, by letter of [...] July 2019, the President of UODO once again requested the Entrepreneur to provide the anonymised content of the notification addressed to the persons concerned. This letter was also addressed to the Entrepreneur's permanent place of business: [...]. On [...] the correspondence was again returned to the sender with the annotation 'not collected on time'.<br />
<br />
The next letter from the President of UODO, dated [...] September 2019, was sent both to the permanent place of business: [...] and to the address for service: [...] (the address for service indicated in CEIDG). The summons addressed to the Entrepreneur's permanent place of business, [...], was collected personally by the Entrepreneur on [...] September 2019. It should be noted at this point that the summons received by the Entrepreneur on [...] September 2019 was the letter of [...] September 2019, which contained information about the renewed dispatch of the summons. The summons addressed to the address for service, however, was returned to the sender on [...] October 2019 with the annotation 'addressee unknown at the indicated address'. Due to the Entrepreneur's failure to provide the information necessary to resolve the case under ref. [...], the President of UODO once again, by letter of [...] November 2019 addressed to the permanent place of business, requested the Entrepreneur to present the anonymised content of the notification addressed to the persons affected by the breach. On [...] December 2019 the correspondence was returned to the sender with the annotation 'not collected on time'. To date, the controller has not responded to any of the above-mentioned requests.<br />
<br />
By letter dated [...] September 2019, the Entrepreneur was informed that failure to respond to the summonses of the President of UODO may, pursuant to Article 83(5)(e) of Regulation 2016/679, result in an administrative fine. <br />
<br />
In connection with the Entrepreneur's failure to provide the information necessary to determine whether the controller had notified the data subjects of the personal data breach in accordance with Article 34(1) and (2) of Regulation 2016/679, the President of UODO initiated ex officio against the Entrepreneur, pursuant to Article 83(5)(e) of Regulation 2016/679 in connection with the Entrepreneur's infringement of Article 58(1)(a) and (e) of Regulation 2016/679, administrative proceedings to impose an administrative fine (ref. [...]). The letter of [...] February 2020 informing of the initiation of the proceedings was addressed to the Entrepreneur's permanent place of business: [...]. In that letter the Entrepreneur was also requested, in order to determine the basis for the fine pursuant to Article 101a(1) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2019, item 1781), to present the financial statements for her activity for 2019 or, in their absence, a statement of the turnover and financial result achieved in 2019.<br />
<br />
The Entrepreneur did not collect the letter of [...] February 2020 either. On [...] March 2020 it was returned to the sender with the annotation 'not collected on time'. <br />
<br />
After reviewing all the evidence gathered in the case, the President of the Office for Personal Data Protection weighed the following.<br />
<br />
Pursuant to Article 57(1)(a) of Regulation 2016/679, the President of UODO, as the supervisory authority within the meaning of Article 51 of Regulation 2016/679, monitors and enforces the application of the Regulation on its territory. Within the scope of its competences, the President of UODO conducts, inter alia, proceedings concerning the application of Regulation 2016/679 (Article 57(1)(h)), including proceedings following the notification of a personal data breach to the supervisory authority (Article 33(1)). To enable the performance of his tasks, the President of UODO has a number of powers set out in Article 58(1) of Regulation 2016/679, including the power to order the controller and the processor to provide any information required for the performance of his tasks (Article 58(1)(a)) and the power to obtain from the controller and the processor access to all personal data and all information necessary for the performance of his tasks (Article 58(1)(e)). An infringement of Regulation 2016/679 consisting in the failure of the controller or processor to provide access to the above data and information, in breach of the authority's powers under Article 58(1) (including the right to obtain the data and information necessary for the performance of its tasks), is subject, pursuant to Article 83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher. It should also be noted that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of Regulation 2016/679.<br />
<br />
Applying the above provisions of Regulation 2016/679 to the facts established in this case and described at the beginning of the reasoning of this decision, it should be stated that the Entrepreneur, as the controller of the personal data of employees, of the children attending the kindergarten and nursery and of their legal guardians, processed in the non-public nursery and kindergarten [...] located in Ł., breached her obligation to provide the President of UODO with access to the information necessary for the performance of his tasks, in this case to assess whether the controller had notified the data subjects of the personal data breach in accordance with Article 34(1) and (2) of Regulation 2016/679. Such conduct of the Entrepreneur constitutes an infringement of Article 58(1)(e) of Regulation 2016/679.<br />
<br />
The above-described conduct of the Entrepreneur consisting in:<br />
<br />
1. failing three times to collect correspondence addressed to the Entrepreneur by the President of UODO (through the Polish Post Office), despite the fact that the Entrepreneur had reported a personal data breach and should have expected the data protection authority's position in this case,<br />
2. failure to respond to the call of the President of UODO (letter of [...] September 2019 received by the Entrepreneur [...] September 2019) to present anonymized content of the personal data breach notification addressed to the persons concerned,<br />
<br />
- indicates a lack of cooperation with the President of UODO in establishing the facts of the case and resolving it correctly, or at least a gross disregard of the Entrepreneur's obligations to cooperate with the President of UODO in the performance of his tasks under Regulation 2016/679. The above conclusion is further supported by the fact that the Entrepreneur made no attempt to explain the failure to respond to the summonses addressed to her.<br />
<br />
It should be pointed out here that obstructing and preventing access to the information which the President of UODO requested and demanded from the Entrepreneur, and which is undoubtedly in the Entrepreneur's possession (the anonymised content of the notice addressed to the persons affected by the breach), hinders a thorough examination of the case and results in excessive and unjustified prolongation of the proceedings.<br />
<br />
In view of the above findings, the President of UODO finds that in the present case there are grounds justifying the imposition of an administrative fine on the Entrepreneur - pursuant to Article 83(5)(e) in fine of Regulation 2016/679 - for the Entrepreneur's failure to provide access to information necessary for the President of UODO to perform his tasks, i.e. to resolve the case under reference [...].<br />
<br />
Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case, having regard in each case to the circumstances listed in points (a) to (k) of that provision. When deciding to impose an administrative fine on the undertaking in the present case and when setting the amount of the fine, the President of UODO took into account the following aggravating circumstances affecting the assessment of the infringement:<br />
<br />
<br />
1. Nature, gravity and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).<br />
<br />
An infringement that is subject to administrative pecuniary sanctions in this case undermines a system designed to protect one of the fundamental rights of the individual, which is the right to the protection of his or her personal data or, more broadly, to the protection of his or her privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, is the supervisory authorities, which are entrusted with tasks related to the protection and enforcement of individuals' rights in this respect. In order to be able to carry out these tasks, supervisory authorities have been equipped with a number of inspection powers, administrative investigation powers and remedial powers. On the other hand, certain obligations are imposed on controllers and processors, correlated with the powers of the supervisory authorities, including the obligation to cooperate with the supervisory authorities and to ensure that they have access to information necessary for the performance of their tasks. Therefore, the actions of the Entrepreneur in the present case, consisting in preventing access to the information requested by the President of UODO, and resulting in hindering and unjustifiably prolonging the proceedings conducted by this authority, should be considered as detrimental to the system of personal data protection, and therefore of great importance and reprehensible nature. The gravity of the infringement is further increased by the fact that the infringement committed by the Entrepreneur was not an incidental event; the Entrepreneur's action was continuous and long-lasting. It lasts from the lapse of the deadline set for submitting explanations in the first letter of the President of UODO of [...] June 2019, to the present day.<br />
<br />
<br />
2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).<br />
<br />
In the opinion of the President of UODO, there is a lack of willingness on the part of the Entrepreneur to cooperate in providing the authority with all information necessary to resolve the case in the course of which the authority requested it. This is evidenced in particular by the repeated failure to collect correspondence addressed to the Entrepreneur and the lack of response to the only request of the President of UODO received by the Entrepreneur. At this point it should be emphasized that the Entrepreneur was aware of the fact that by not receiving the correspondence and not responding to one of the personally received letters he violated the provision of Article 83(2)(b) of Regulation 2016/679.<br />
<br />
It should also be pointed out that receiving correspondence addressed to the Entrepreneur related to the activity conducted by him/her constitutes an obligation which should be required from the entity conducting business activity, in particular when the activity involves processing of children's personal data (requiring special protection, as mentioned in recital 38 of Regulation 2016/679).<br />
<br />
It should also be noted that at no stage of the [...] proceedings, nor in the present proceedings, has the Entrepreneur attempted to justify such conduct. Considering that the Entrepreneur is an entity professionally participating in legal and economic transactions, whose activity is related to the processing of personal data (in connection with the type of business activity - day care for children - requiring the acquisition, storage and provision of data of natural persons, in this case employees, children attending a kindergarten and nursery school and their legal guardians), it should be considered that this was and still is a deliberate action of the Entrepreneur preventing the President of UODO from accessing information necessary for the performance of his tasks, which constitutes an infringement of the provisions of Regulation 2016/679.<br />
<br />
3. Lack of cooperation with the supervisory authority to remove the infringement and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).<br />
<br />
In the course of this proceeding concerning the imposition of an administrative fine, there is no cooperation with a supervisory authority on the part of the Entrepreneur. The Entrepreneur has not submitted any explanations to the case ref. [...]. <br />
<br />
Other criteria for the administrative fine indicated in Article 83(2) of Regulation 2016/679. The other criteria indicated in Article 83(2) of Regulation 2016/679 either did not affect (as aggravating or mitigating) the assessment of the infringement by the President of UODO (including: any relevant previous infringements by the controller, the manner in which the supervisory authority learned about the infringement, compliance with measures previously ordered in the same case, adherence to approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the infringement (concerning the relationship of the controller with the supervisory authority rather than the relationship of the controller with the data subjects), could not be taken into account in this case (including: the number of persons harmed and the extent of the harm suffered by them, actions taken by the controller to mitigate the harm suffered by the data subjects, the degree of responsibility of the controller taking into account the technical and organisational measures it implemented, and the categories of personal data concerned by the breach). <br />
<br />
According to Article 83(1) of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Entrepreneur in these proceedings meets these criteria. The penalty imposed on the Entrepreneur should discipline him to properly cooperate with the President of UODO, both in the further course of the proceedings under [...] and in any other proceedings conducted in the future before the President of UODO involving the Entrepreneur. The penalty imposed by this Decision is, in the opinion of the President of UODO, proportionate to the gravity of the infringement found and to the Entrepreneur's ability to bear it without major damage to his business. The penalty will also serve as a deterrent; it will send a clear signal both to the Entrepreneur and to other entities obliged under the provisions of Regulation 2016/679 to cooperate with the President of UODO that disregarding the obligations related to cooperation with the President of UODO (in particular, hindering access to information necessary for the performance of his tasks) constitutes a serious infringement and as such will be subject to financial sanctions. At this point it should be pointed out that the imposition of an administrative fine on the Entrepreneur is - in the face of the Entrepreneur's previous conduct as a party to the proceedings [...] - necessary. A financial penalty is a measure at the disposal of the President of UODO which should secure access to the information necessary in the proceedings. <br />
<br />
Due to the failure of the Entrepreneur to present the financial data for 2019 requested by the President of UODO, when determining the amount of the administrative fine in this case, the President of UODO took into account, on the basis of Article 101a sec. 2 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the estimated size of the enterprise and the specificity, scope and scale of its activity.<br />
<br />
Pursuant to the wording of Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of the Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January of each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date. In this case, the exchange rate of PLN 4.2794 for EUR 1 shall apply.<br />
<br />
In view of the above, the President of UODO ruled as in the operative part of this decision. <br />
<br />
The decision is final. Pursuant to Article 53(1) of the Act of 30 August 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325, as amended), a party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days of its delivery, through the President of the Office for Personal Data Protection (address: ul. Stawki 2, 00-193 Warsaw).<br />
<br />
A proportional court fee is payable on the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party with an administrative court shall suspend the execution of a decision on an administrative fine.<br />
<br />
In the proceedings before the Provincial Administrative Court, a party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.<br />
<br />
Pursuant to Article 105(1) of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781), the administrative fine shall be paid within 14 days from the date of expiry of the time limit for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data at the National Bank of Poland (NBP O/O Warszawa) no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105(2) of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In case of postponement of the deadline for paying the administrative fine or its division into instalments, the President of the Office for Personal Data Protection calculates interest on the unpaid amount on an annual basis, using the reduced rate of interest for late payment announced pursuant to Article 56d of the Act of 29 August 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKE.561.1.2020&diff=10931
UODO (Poland) - DKE.561.1.2020
2020-07-22T14:26:01Z
<p>AK: Created page with "{{DPAdecisionBOX |Jurisdiction=Poland |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoPL.png |DPA_Abbrevation=UODO |DPA_With_Country=UODO (Poland) |Case_Number_Name=DKE..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Poland<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoPL.png<br />
|DPA_Abbrevation=UODO<br />
|DPA_With_Country=UODO (Poland)<br />
<br />
|Case_Number_Name=DKE.561.1.2020<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=UODO<br />
|Original_Source_Link_1=https://uodo.gov.pl/decyzje/DKE.561.1.2020<br />
|Original_Source_Language_1=Polish<br />
|Original_Source_Language__Code_1=PL<br />
<br />
|Type=Complaint<br />
|Outcome=Other Outcome<br />
|Date_Decided=06.07.2020<br />
|Date_Published=10.07.2020<br />
|Year=2020<br />
|Fine=3500<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 31 GDPR<br />
|GDPR_Article_Link_1=Article 31 GDPR<br />
|GDPR_Article_2=Article 58(1)(e) GDPR<br />
|GDPR_Article_Link_2=Article 58 GDPR#1e<br />
<br />
<br />
<br />
|Party_Name_1=D. S. <br />
|Party_Link_1=<br />
|Party_Name_2=East Power Sp. z o.o. <br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=n/a<br />
|<br />
}}<br />
<br />
The President of the Personal Data Protection Office (UODO) imposed a fine of PLN 15,000 (approx. EUR 3,500) on the company East Power from Jelenia Góra for failing to provide the supervisory authority with access to personal data and other information necessary for the performance of its tasks. The Polish DPA found that the company violated Article 58(1)(e) GDPR. <br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Mr. D. S., a German citizen, submitted a complaint against the processing of his personal data by the company East Power Sp. z o.o., with its registered address in Jelenia Góra, Poland. The complainant submitted that his personal data was used for marketing purposes even though he had objected to such processing.<br />
<br />
The complaint was lodged with the German data protection authority competent for Rhineland-Palatinate, but it was taken over for consideration by the President of the UODO, who was the so-called lead authority in this case, because the company is established in Poland. <br />
<br />
=== Dispute ===<br />
The UODO contacted the company and asked it to answer the following questions:<br />
<br />
1. On what legal basis, for what purpose and to what extent the company is currently processing the complainant's personal data and from what source the data was obtained.<br />
<br />
2. Whether the complainant has requested that the company delete his personal data.<br />
<br />
3. In case the complainant requested the deletion of his personal data, why and on what legal basis was his request not complied with.<br />
<br />
The company did not reply to the set of questions, so the UODO repeated its request. The company then responded that it had not processed the complainant's personal data either before or at the time of the request made by the UODO. The company also stated that it had not disclosed the complainant's personal data. At the same time, the President of the company's Management Board stated that "the Company obtained the Complainant's personal data from the Internet", where "they are available in the Google search engine".<br />
<br />
The company addressed only one of the two requests, and the explanations provided were incomplete and contradictory. The UODO therefore sent a third request asking it to clarify the answer provided. The company did not respond to this third request of the Polish DPA. <br />
<br />
=== Holding ===<br />
Based on the facts of the case and on its analysis of the GDPR provisions, the UODO stated that the company acts as the controller of the complainant's personal data. The UODO referred to the company's obligation to cooperate with the supervisory authority under Article 31 GDPR. Since the company did not comply with its obligation to provide the President of UODO with access to information necessary for the performance of his tasks - in this case, the substantive settlement of the complaint - such inaction of the company constituted a breach of Article 58(1)(e) GDPR. <br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.<br />
<br />
<pre><br />
Warsaw, 10 July 2020<br />
DECISION<br />
DKE.561.1.2020<br />
<br />
On the basis of Article 31 and Article 58(1)(e) in conjunction with Article 83(1) to (3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1, as amended) (hereinafter referred to as "Regulation 2016/679"), after conducting ex officio administrative proceedings to impose an administrative fine on East Power Sp. z o.o. with its registered office in Jelenia Góra at 29a/17 Wiejska Street, the President of the Office for Personal Data Protection, stating that East Power Sp. z o.o. with its registered office in Jelenia Góra at 29a/17 Wiejska Street infringed the provision of Article 58(1)(e) of Regulation 2016/679, consisting in failure to provide access to personal data and other information necessary for the President of the Office for the Protection of Personal Data to carry out his tasks, that is, to consider the complaint of Mr D. S. concerning the processing of his personal data by East Power Sp. z o.o. with its registered office in Jelenia Góra in breach of Regulation 2016/679,<br />
<br />
imposes on East Power Sp. z o.o. with its registered office in Jelenia Góra at 29a/17 Wiejska Street an administrative fine in the amount of PLN 15,000 (in words: fifteen thousand zlotys), which is equivalent to EUR 3,505.16, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as of 28 January 2020.<br />
<br />
JUSTIFICATION<br />
<br />
The Office for Personal Data Protection received a complaint from Mr. D. S., a German citizen residing in N. (hereinafter referred to as the "Complainant"), concerning the processing by East Power Sp. z o.o. with its registered office in Jelenia Góra at 29a/17 Wiejska Street (hereinafter referred to as the "Company"), owner of the website [...].de, of his personal data for marketing purposes in spite of the objection he had raised. The President of the Office for the Protection of Personal Data (hereinafter referred to as the "President of UODO"), within the framework of the administrative proceedings initiated to consider the complaint (under reference [...]), asked the Company in a letter of [...] March 2019 to respond to the content of the complaint and to answer the following detailed questions about the case:<br />
<br />
1. on what legal basis, for what purpose and to what extent the Company is currently processing the complainant's personal data and from what source the data was obtained,<br />
2. whether the Complainant has requested that the Company delete its personal data,<br />
3. why and on what legal basis, if the Complainant asks for his personal data to be deleted, his request has not yet been complied with.<br />
<br />
The above letter, correctly delivered to the Company [...] March 2019, remained unanswered.<br />
<br />
Therefore, by letter of [...] May 2019, the President of the UODO again asked the Company to respond to the content of the complaint and to answer the detailed questions already formulated in the previous letter. This letter was delivered to the Company on [...] May 2019. In his letter of [...] June 2019 in response to the above request of the President of UODO, the President of the Company's Management Board stated that "the Company did not process, at that time or currently, the Complainant's personal data" and that "the Company did not make available, at that time or currently, the Complainant's personal data". At the same time, the President of the Company's Management Board stated that "the Company obtained the Complainant's personal data from the Internet", where "they are available in the Google search engine".<br />
<br />
Considering the above explanations of the Company to be insufficient, the President of the UODO, in his letter of [...] September 2019, requested the Company to provide additional explanations in the case, in particular:<br />
<br />
on what legal basis, for what purpose and to what extent the Company has currently processed or is currently processing the Complainant's personal data,<br />
the relationship, as at [...] June 2018, between the Company and Mr. P. K., who, acting on behalf of the Company, sent on that day to the Complainant's e-mail address a message which, in the Complainant's opinion, was of a marketing nature,<br />
whether, and if so, how the Company responded to the Complainant's request of [...] June 2018 to delete its personal data and stop sending marketing content to it,<br />
if the Company did not comply with the Complainant's request, why and on what legal basis it did so.<br />
<br />
The Company did not respond to the above letter, duly delivered to the Company on [...] September 2019.<br />
<br />
By letters of [...] May 2019 and [...] September 2019, the Company was informed that failure to respond to the summonses of the President of UODO may - in accordance with Article 83(5)(e) of Regulation 2016/679 - result in an administrative fine being imposed on the Company.<br />
<br />
In connection with the Company's failure to provide the information necessary to resolve the [...] case, initiated by the Complainant's complaint, the President of UODO initiated ex officio against the Company - pursuant to Article 83(5)(e) of Regulation 2016/679, in connection with the Company's breach of Article 58(1)(a) and (e) of Regulation 2016/679 - administrative proceedings to impose an administrative fine on the Company (under reference DKE.561.1.2020.RZ). The Company was informed about the initiation of the proceedings by letter dated [...] February 2020, delivered to the Company on [...] February 2020. In that letter, the Company was also requested - in order to determine the basis for the penalty, on the basis of Article 101a(1) of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781) - to present the Company's financial statements for 2019 or, in the absence thereof, a statement on the amount of turnover and financial result achieved by the Company in 2019.<br />
<br />
In response to the letter informing about the initiation of proceedings to impose an administrative fine on the Company, the President of the Management Board of the Company sent a letter to the President of UODO of [...] February 2020, in which he requested withdrawal from imposing an administrative fine in the proceedings DKE.561.1.2020.RZ and for discontinuation of the proceedings in the case of [...]. At the same time, in the same letter, the President of the Management Board of the Company submitted explanations to the case [...]. He indicated in particular that:<br />
<br />
The Company is not currently processing the Complainant's personal data, but previously it was obtained "from publicly available databases" and processed in the scope of the Complainant's name, surname and e-mail address "for the purpose of one-time delivery of e-mails to the Complainant";<br />
P. K. was an employee of the Company and 'the activities performed by Mr K. were therefore performed by him as an employee of the Company, within the scope of the activities presented to him'. With reference to this part of the explanations, the President of the Management Board of the Company presented in an attachment to his letter copies of three employment contracts (dated [...] April 2018, dated [...] August 2018 and dated [...] April 2019) concluded between the Company and Mr Pi. Ko;<br />
following the Complainant's request of [...] June 2018, the Company "ceased all correspondence, did not send any further e-mails to the Complainant due to its request and deleted the Complainant's personal data".<br />
<br />
The Company did not enclose with its letter of [...] February 2020 its financial statements for 2019, stating that it 'has not yet prepared' such a document. The Company also did not submit a statement on the amount of turnover and financial result achieved in 2019, which the President of UODO had demanded in case the financial statements could not be presented.<br />
<br />
The Company conducts - on the territory of Poland and Germany - activities in the field of, among others, employment agency (including temporary work) and human resources management in enterprises.<br />
<br />
After reviewing all the evidence gathered in the case, the President of the Office for Personal Data Protection weighed the following.<br />
<br />
In accordance with Article 57(1)(a) of Regulation 2016/679, the President of UODO, as the supervisory authority within the meaning of Article 51 of Regulation 2016/679, shall monitor and enforce the application of the Regulation on its territory. Within the scope of his competences, the President of UODO shall, inter alia, handle complaints lodged by data subjects, investigate the subject matter of such complaints to the extent appropriate and inform the complainant of the progress and outcome of the investigation within a reasonable period (Article 57(1)(f)). In order to enable the performance of the tasks so defined, the President of UODO has a number of powers in relation to the proceedings, as set out in Article 58(1) of Regulation 2016/679, including the power to order the controller and the processor to provide any information necessary for the performance of his tasks (Article 58(1)(a)) and the power to obtain from the controller and the processor access to all personal data and to all information necessary for the performance of his tasks (Article 58(1)(e)). The infringement of the provisions of Regulation 2016/679, consisting in the failure of the controller or the processor to provide access to the data and information referred to above, resulting in the infringement of the authority's powers specified in Article 58(1) (including the right to obtain data and information necessary for the performance of its tasks), shall be subject, in accordance with Article 83(5)(e) in fine of Regulation 2016/679, to an administrative fine of up to EUR 20,000,000, and in the case of an enterprise - up to 4% of its total annual worldwide turnover in the previous financial year, whichever amount is higher. It should also be noted that the controller and the processor are obliged to cooperate with the supervisory authority in the performance of its tasks, as provided for in Article 31 of Regulation 2016/679.<br />
<br />
Applying the above-mentioned provisions of Regulation 2016/679 to the facts established in this case and described at the beginning of the grounds for this decision, it should be stated that the Company - the controller of the personal data of the Complainant D. S. - as a party to the proceedings before the President of UODO, infringed its obligation to provide the President of UODO with access to information necessary for the performance of his tasks - in this case, the substantive settlement of that case. Such conduct of the Company constitutes a breach of Article 58(1)(e) of Regulation 2016/679.<br />
<br />
In the proceedings under the number [...], the President of UODO called on the Company three times to provide explanations necessary to consider the case.<br />
<br />
The first letter issued in the case by the President of UODO [...] March 2019 (correctly delivered to the Company [...] March 2019) remained unanswered.<br />
<br />
The response to the second summons of the President of UODO (of [...] May 2019, correctly delivered to the Company on [...] May 2019) was far from complete (no comprehensive answer to any of the three specific questions asked in the letter of the President of UODO), contradictory (the Company, on the one hand, stated that it obtained the Complainant's personal data from the Internet and, on the other hand, stated that it 'did not process, at that time or currently, the Complainant's personal data') and, in the opinion of the President of UODO, disregarded both the authority and the case in which the authority requested clarifications.<br />
<br />
The third letter sent by the President of UODO to the Company (dated [...] September 2019, correctly delivered to the Company [...] September 2019), containing a clarification of the basic issues related to data processing (including the very notion of 'data processing') and additional questions aimed at establishing the facts of the case, again remained unanswered.<br />
<br />
More extensive explanations were provided by the Company only in the letter of [...] February 2020, in response to the letter of the President of UODO informing about the initiation of the present proceedings concerning the imposition of an administrative fine for failure to provide access to information requested by the President of UODO. However, even these explanations are incomplete and will require further investigation in case [...]. In particular, this concerns the answer to the question on the relationship, as at [...] June 2018, between the Company and Mr. P. K., who, acting on behalf of the Company, sent a marketing message to the Complainant's e-mail address on that day. In response to this question, the Company stated that P. K. was employed by the Company on the basis of an employment contract. At the same time, it attached to its letter copies of three employment contracts, which not only did not confirm the Company's explanations, but raised additional doubts as to the actual state of affairs. Firstly, according to the content of all three employment contracts, the party to them was Mr. Pi. Ko., and not Mr. P. K. (the Company did not explain in its letter why this discrepancy occurred). Secondly, the duration of the contracts covered periods both before and after the date expressly indicated by the President of UODO (the date on which Mr. P. K. sent an e-mail to the Complainant, i.e. [...] June 2018), but not that particular day (the fixed-term employment contract of [...] April 2018 was concluded for the period from [...] April 2018 to [...] May 2018, the fixed-term employment contract of [...] August 2018 was concluded for the period from [...] September 2018 to [...] April 2019, and the permanent employment contract of [...] April 2019 was in force from [...] May 2019). Nor did the Company explain this discrepancy in its letter.<br />
<br />
The Company's conduct described above in the case under reference [...] (failure to respond to the summonses of the President of UODO and providing incomplete, unspecific, evasive and contradictory answers to the specific questions of the President of UODO, which were not too complicated and did not require specialist knowledge in the field of personal data protection) indicates a lack of willingness to cooperate with the President of UODO in determining the facts of the case and correctly resolving it, or at least a gross disregard for its obligations to cooperate with the President of UODO in the performance of his tasks under Regulation 2016/679. The above statement is additionally justified by the fact that the Company did not try to justify in any way its lack of any response to the two requests for explanations, nor did it contact the Office for Personal Data Protection in order to indicate any doubts it might have regarding the scope of information requested by the President of UODO.<br />
<br />
It should be pointed out here that obstructing and preventing access to information which the President of UODO has requested and demanded from the Company, and which is undoubtedly held by the Company (e.g. information about the relationship between the Company and Mr. P. K.), stands in the way of a thorough consideration of the case and also results in excessive and unjustified prolongation of the proceedings, which is contrary to the basic principles governing administrative proceedings, as defined in Article 12(1) of the Administrative Procedure Code of 14 June 1960 (Journal of Laws of 2020, item 256).<br />
<br />
In view of the above findings, the President of the Personal Data Protection Office (UODO) states that in this case there are premises justifying the imposition of an administrative fine on the Company, pursuant to Article 83(5)(e) in fine of Regulation 2016/679, in connection with the Company's failure to provide access to information necessary for the President of UODO to carry out his tasks, i.e. to resolve the case under reference [...]. Referring to the request contained in the Company's letter of [...] February 2020 to refrain from imposing an administrative fine in these proceedings, the President of UODO indicates that he sees no grounds for granting it. The Company has not justified its request in any way; in particular, it has not attempted to justify its action infringing the provisions of Regulation 2016/679 and has not remedied the infringement itself by providing full and exhaustive explanations allowing a decision to be issued in case [...].<br />
<br />
According to Article 83(2) of Regulation 2016/679, administrative fines shall be imposed depending on the circumstances of each individual case. In each case, the circumstances set out in points (a) to (k) of the abovementioned provision are considered. When deciding on the imposition of an administrative fine on the Company in this case and determining its amount, the President of UODO took into account, among them, the following circumstances affecting the assessment of the infringement:<br />
<br />
1. The nature, seriousness and duration of the infringement (Article 83(2)(a) of Regulation 2016/679).<br />
<br />
An infringement subject to administrative pecuniary sanctions in the present case undermines a system designed to protect one of the fundamental rights of the individual, which is the right to the protection of his or her personal data or, more broadly, to the protection of his or her privacy. An important element of this system, the framework of which is set out in Regulation 2016/679, is the supervisory authorities, which are entrusted with tasks related to the protection and enforcement of individuals' rights in this respect. In order to be able to carry out these tasks, supervisory authorities have been equipped with a number of inspection powers, administrative investigation powers and remedial powers. On the other hand, certain obligations are imposed on controllers and processors, correlated with the powers of the supervisory authorities, including the obligation to cooperate with the supervisory authorities and to provide those authorities with access to information necessary for the performance of their tasks. The Company's actions in this case, which consist in hindering and preventing access to the information requested by the President of UODO, and which result in the obstruction and unjustified prolongation of the proceedings conducted by him, should therefore be considered detrimental to the entire system of personal data protection, and therefore of great importance and reprehensible nature. The gravity of the infringement is further increased by the fact that the infringement committed by the Company was not a one-off and incidental event; the Company's actions were continuous and long-lasting. It has lasted from the expiry of the deadline set for submitting explanations in the first letter of the President of UODO, i.e. from [...] April 2019, to the present day (with respect to some of the information requested by the President of UODO).<br />
<br />
2. Intentional nature of the infringement (Article 83(2)(b) of Regulation 2016/679).<br />
<br />
In the opinion of the President of UODO, there is a lack of willingness on the part of the Company to cooperate in providing the authority with all information necessary to resolve the case in the course of which the authority requested it. This is evidenced, in particular, by the lack of any response to two out of three summonses from the President of UODO addressed to it and received by it. Also the explanations that the Company finally submitted to the President of UODO (incomplete, evasive, contradictory) prove the lack of willingness to cooperate with the authority, or at least a gross disregard for its obligations related to such cooperation, which is unacceptable especially in the case of an entity processing personal data professionally (in connection with the type of services provided, namely employment agency services, which require obtaining, storing and making available the data of natural persons who are potential employees). It should be emphasized that the Company at no stage of the [...] proceedings, or of these proceedings, has made an attempt to justify such conduct. Considering that the Company is an entrepreneur, an entity professionally participating in legal and economic transactions, whose activity is connected with the processing of personal data (in connection with the employment agency services provided), it should also be assumed that it was (and still is) aware of the fact that its conduct constitutes a breach of the provisions of Regulation 2016/679.<br />
<br />
3. Unsatisfactory cooperation with the supervisory authority to remedy the breach and mitigate its possible negative effects (Article 83(2)(f) of Regulation 2016/679).<br />
<br />
In the course of the present proceedings concerning the imposition of an administrative fine, the Company has submitted (by letter of [...] February 2020) additional explanations in the case under reference [...]; however, as has been shown in detail above, the President of UODO cannot consider these explanations to be complete, exhaustive and sufficient to allow a decision in the case.<br />
<br />
The other conditions for imposing an administrative fine set forth in Article 83(2) of Regulation 2016/679 either did not affect (as aggravating or mitigating factors) the assessment of the breach by the President of UODO (including: any relevant previous breaches on the part of the controller, the manner in which the supervisory authority became aware of the breach, compliance with measures previously applied in the same case, application of approved codes of conduct or approved certification mechanisms) or, due to the specific nature of the breach (concerning the relationship of the controller with the supervisory authority and not the relationship of the controller with the data subject), could not be taken into account in the present case (including: the number of persons harmed and the extent of the harm suffered by them, actions taken by the controller to minimise the harm suffered by the data subjects, the degree of responsibility of the controller taking into account the technical and organisational measures implemented by the controller, and the categories of personal data concerned by the breach).<br />
<br />
According to Article 83(1) of Regulation 2016/679, the administrative fine imposed by the supervisory authority should be effective, proportionate and dissuasive in each individual case. In the opinion of the President of UODO, the penalty imposed on the Company in these proceedings meets these criteria. It will discipline the Company to properly cooperate with the President of UODO, both in the further course of the proceedings under reference [...] and in any other proceedings conducted in the future with the Company's participation before the President of UODO. The penalty imposed by this Decision is, in the opinion of the President of UODO, proportionate to the seriousness of the infringement and to the Company's ability to bear it without significant damage to its business. The penalty will also act as a deterrent and will send a clear signal to both the Company and other entities obliged under Regulation 2016/679 to cooperate with the President of UODO that disregarding the obligations to cooperate with him (in particular, obstructing access to information necessary for the performance of his tasks) constitutes a serious infringement and as such will be subject to financial sanctions. At this point it should be pointed out that the imposition of an administrative fine on the Company is, in view of the Company's previous conduct as a party to the proceedings [...], necessary; it is the only measure at the disposal of the President of UODO which will make it possible to obtain access to information necessary in the proceedings.<br />
In view of the Company's failure to provide the financial data for 2019 requested by the President of UODO, when determining the amount of the administrative fine in this case, the President of UODO took into account, pursuant to Article 101a clause 2 of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781), the estimated size of the Company and the specificity, scope and scale of its operations.<br />
<br />
Pursuant to the wording of Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January of each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date. In this case, the exchange rate of PLN 4.2794 for EUR 1 shall apply.<br />
<br />
In view of the above, the President of UODO ruled as in the operative part of this decision. <br />
<br />
The decision is final. A party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, via the President of UODO (address: ul. Stawki 2, 00-193 Warsaw). A proportional court fee must be paid on the complaint in accordance with Art. 231 in connection with Art. 233 of the Act of 30 August 2002 - Law on proceedings before administrative courts (Journal of Laws of 2019, item 2325). Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to an administrative court shall suspend the execution of a decision on an administrative fine.<br />
<br />
In the proceedings before the Provincial Administrative Court, a party has the right to apply for a right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.<br />
<br />
Pursuant to Article 105(1) of the Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781), the administrative fine shall be paid within 14 days from the date of expiry of the time limit for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland (NBP O/O Warszawa) no. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105(2) of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In case of postponement of the deadline for paying the administrative fine or its division into instalments, the President of the Office for Personal Data Protection calculates interest on the unpaid amount on an annual basis, using the reduced rate of interest for late payment announced pursuant to Art. 56d of the Act of 29 August 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Pers%C3%B3nuvernd_-_2020010613&diff=10595
Persónuvernd - 2020010613
2020-06-22T08:40:11Z
<p>AK: Created page with "{{DPAdecisionBOX |Jurisdiction=Iceland |DPA-BG-Color= |DPAlogo=LogoIS.png |DPA_Abbrevation=Persónuvernd |DPA_With_Country=Persónuvernd (Iceland) |Case_Number_Name=20200105..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Iceland<br />
|DPA-BG-Color=<br />
|DPAlogo=LogoIS.png<br />
|DPA_Abbrevation=Persónuvernd<br />
|DPA_With_Country=Persónuvernd (Iceland)<br />
<br />
|Case_Number_Name=2020010591<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=Personuvernd<br />
|Original_Source_Link_1=https://www.personuvernd.is/urlausnir/alit-um-ofullnaegjandi-oryggi-personuupplysinga-sem-unnt-var-ad-midla-i-gegnum-vefsidu-umbodsmanns-borgarbua.<br />
|Original_Source_Language_1=Icelandic<br />
|Original_Source_Language__Code_1=IS<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Decided=05.03.2020<br />
|Date_Published=16.03.2020<br />
|Year=2020<br />
|Fine=None<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 32 GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR<br />
<br />
<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
|Party_Name_5=<br />
|Party_Link_5=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
|<br />
}}<br />
<br />
The Icelandic DPA decided that the electronic complaint form on the webpage of the Citizens' Ombudsman violated Articles 5(1)(f) and 32 GDPR. HTTPS must be used to minimise the risk of unauthorised access to information shared through websites.<br />
<br />
==English Summary==<br />
<br />
===Facts===<br />
In Iceland, any person who feels unfairly treated by the authorities may lodge a complaint with the Ombudsman. The complainant in this case stated that the electronic submission of a complaint to the Ombudsman did not comply with the GDPR. The electronic form requests sensitive personal information about complainants, but the form was only accessible on an official website that supported the HTTP protocol and not the HTTPS protocol. The complainant said she had contacted the Ombudsman about this issue but had not received a response until several months later. <br />
<br />
The Ombudsman responded that the website has been updated and is now supported by HTTPS protocols.<br />
<br />
===Dispute===<br />
The Icelandic DPA had to decide whether an appropriate security of information on individuals could be ensured through an electronic complaint form on the Citizens' Ombudsman's website. <br />
<br />
===Holding===<br />
The Icelandic DPA assessed the requirements of Articles 5(1)(f) and 32 GDPR. According to these provisions, appropriate security measures may include, inter alia, the pseudonymisation and encryption of personal data and the ability to ensure the ongoing confidentiality of processing systems. <br />
HTTP is the protocol for unencrypted data transfer over the Internet between a user's browser and the web server hosting, for example, a website; HTTPS is the encrypted counterpart for the same transfers.<br />
The Icelandic DPA is of the opinion that when personal information is shared through websites that use HTTP, there is a significant risk that a third party will gain unauthorised access to it. This risk is lower when sharing through websites that use HTTPS.<br />
Accordingly, the Icelandic DPA considered that the processing of personal data by means of the electronic complaint form was not compliant with the GDPR. However, since the Citizens' Ombudsman's website now supports HTTPS, the Icelandic DPA saw no grounds for further action on the matter.<br />
<br />
==Comment==<br />
<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
The decision below is a machine translation of the Icelandic original. Please refer to the Icelandic original for more details.<br />
<br />
<pre><br />
Opinion on inadequate security of personal information that could be disseminated through the Citizens' Ombudsman's website<br />
<br />
03/16/2020<br />
<br />
Persónuvernd (the Icelandic Data Protection Authority) has given an opinion as to whether the Citizens' Ombudsman has provided appropriate security of information on individuals that could be disseminated through an electronic complaint form on the official website that supported the HTTP protocol. Among other things, the opinion states that when personal information is disseminated through websites that use HTTP protocols, there is a significant risk that a third party will be able to gain unauthorized access to the personal information. This risk is less when sharing through websites that use encrypted communications. The Data Protection Authority considered that the processing by the Citizens' Ombudsman did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.<br />
opinion<br />
<br />
<br />
On March 5, 2020, Persónuvernd, with reference to paragraph 2 of Article 43 of Act no. 90/2018, on privacy and processing of personal information, issued the following opinion in case no. 2020010591 (formerly 2019020444):<br />
I.<br />
procedures<br />
<br />
1.<br />
Complaint and Procedure<br />
<br />
On February 25, 2019, the Data Protection Authority received a complaint from [A] (hereinafter referred to as the complainant) about inadequate security measures on the website of the Citizens' Ombudsman. Specifically, the complaint is that the Ombudsman's electronic complaint form was not available on a website that supported HTTPS protocols (which stands for HyperText Transfer Protocol Secure), but only HTTP protocols (which stands for HyperText Transfer Protocol). The complaint was accompanied by a screenshot of the Citizens' Ombudsman's website as well as a copy of the complainant's email communication with the staff of the bureau, which concerned information security on the bureau's website.<br />
<br />
By letter dated May 6, 2019, reiterated by letter dated June 14, the Citizens' Ombudsman was notified of the above complaint and given the opportunity to comment on it. A reply was sent by the Ombudsman by letter dated July 11. By letter dated August 28, the complainant was invited to comment on the Citizens' Ombudsman's reply. The complainant replied by email on September 2.<br />
<br />
All of the above data have been taken into account in resolving the case, although not all of them are specifically explained in the following opinion.<br />
2.<br />
Complainant's point of view<br />
<br />
The complaint is based on the fact that the arrangement for electronic submission of complaints to the Ombudsman has violated the provisions of Act no. 90/2018, on Privacy and Processing of Personal Information, on Security in the Processing of Personal Information. The Office's electronic form requests sensitive personal information about complainants, but the form was only accessible on the official website that supported the HTTP protocol and not the HTTPS protocol. The complainant said she had written to the Ombudsman about this issue but had not received a response until several months later.<br />
<br />
In addition, the alternative way in which the Citizens' Ombudsman instructs the complainant to send complaints to the office, via e-mail, is not secure, as e-mail passes through various servers.<br />
3.<br />
The views of the city's ombudsman<br />
<br />
The aforementioned Resident Ombudsman Response Letter states that the Office's website has been updated and is now supported by HTTPS protocols and that the Ombudsman now considers the Web site to meet all of the most stringent security requirements.<br />
II.<br />
Assumptions and conclusion<br />
<br />
1.<br />
Delimitation of the case - party status<br />
<br />
This case concerns whether the appropriate security of information on individuals, which could be disseminated through an electronic complaint form on the Citizens' Ombudsman website, was ensured.<br />
<br />
According to the first sentence of paragraph 2 of Article 39 of Act no. 90/2018, any registered individual has the right to file a complaint with the Data Protection Authority if he or she considers that the processing of personal data about him or her violates Regulation (EU) 2016/679 or the provisions of the Act. The Data Protection Authority then determines whether a violation has occurred.<br />
<br />
The complaint does not state that the complainant filed a complaint with the Citizens' Ombudsman through the Office's website before the Office introduced additional security measures on its website. Accordingly, it cannot be seen that the complainant's personal information was processed in the manner to which the complaint relates. In addition, in order for a complainant to be a party to a case before the Data Protection Authority, he or she must also fulfill the conditions of having direct, substantial, specific and legitimate interests, in accordance with the principles of administrative law. When very many people have similar interests in resolving a case, the interests are classified as general rather than specific, and therefore do not create party status in the case. In view of all of the above, the Data Protection Authority does not consider there to be grounds to render a ruling on whether a violation has occurred in the processing of the complainant's personal information, cf. paragraph 2 of Article 39 of Act no. 90/2018.<br />
<br />
Nonetheless, it is clear that the question arises whether it is sufficient for public authorities to offer that personal information be sent to them through electronic complaint forms on websites that use HTTP protocols. According to paragraph 2 of Article 43 of Act no. 90/2018, the Data Protection Authority may, on its own initiative or upon request, submit opinions to the government or other parties on any matter relating to the protection of personal data. The Data Protection Authority has decided to examine the above issue on the basis of the cited provision.<br />
3.<br />
Scope - Guarantor<br />
<br />
The scope of Act no. 90/2018, on privacy and processing of personal information, and of Regulation (EU) 2016/679, cf. paragraph 1 of Article 4 of the Act, and thus the authority of the Data Protection Authority, cf. paragraph 1 of Article 39 of the Act, covers the processing of personal data that is partially or fully automated and processing by methods other than automatic processing of personal data that is or should be part of a file.<br />
<br />
Personal information means information about an identified or identifiable natural person; a person is considered identifiable if he or she can be directly or indirectly identified by reference to an identifier or one or more characteristics specific to him or her, cf. item 2 of Article 3 of the Act and paragraph 1 of Article 4 of the Regulation.<br />
<br />
Processing means an action or series of actions in which personal information is processed, whether the processing is automatic or not, cf. Item 4 Article 3 of the Act and Paragraph 2. Article 4 Regulation.<br />
<br />
As previously stated, this issue concerns whether appropriate security of information on individuals could be ensured through an electronic complaint form on the Citizens' Ombudsman's website. Accordingly, and with due regard to the foregoing provisions, this matter concerns the processing of personal information that falls within the scope of the privacy legislation.<br />
<br />
The party responsible for processing personal data in compliance with Act no. 90/2018 is referred to as the guarantor (i.e. the controller). According to paragraph 6 of Article 3 of the Act, this refers to an individual, legal entity, governmental authority or other party who alone or jointly with others determines the purposes and methods of the processing of personal information, cf. item 7 of Article 4 of the Regulation. In the case at hand, the Citizens' Ombudsman is considered responsible for the processing consisting of the transfer, through its website, of personal information entered into an electronic complaint form to the office.<br />
2.<br />
Legal environment and opinion<br />
<br />
The processing of personal data must satisfy all the basic requirements of the first paragraph of Article 8 of Act no. 90/2018, cf. Article 5 of Regulation (EU) 2016/679. Among other things, it is stipulated that data should be processed in such a way as to ensure the appropriate security of personal information, cf. item 6 of the provision. According to the first paragraph of Article 27 of the Act, the responsible party must take appropriate technical and organizational measures to ensure the adequate security of personal information, taking into account the latest technology, costs, the nature, scope, context and purpose of the processing and the risks, of varying likelihood and severity, for the rights and freedoms of individuals, cf. Article 32 of the Regulation. The first paragraph of the regulatory provision lays down that appropriate measures may include, inter alia, the use of artificial identifiers and encrypted personal information and the ability to ensure the continued confidentiality of processing systems. The second paragraph of the provision then stipulates that, when assessing appropriate security, account should in particular be taken of the risks involved in processing, in particular as regards, inter alia, the disclosure of or access to personal information by unauthorized persons. Furthermore, paragraph 39 of the preamble to the Regulation states that the processing of personal data should be such as to ensure appropriate security and confidentiality of information, including to prevent unauthorized access to or use of personal information and the equipment used in the processing.<br />
<br />
HTTP protocols are the rules for unencrypted data transfer over the Internet between the browser on a user's device and a web server hosting, for example, a website. HTTPS protocols are the rules for encrypted data transfer in such cases.<br />
<br />
The Data Protection Authority is of the opinion that when sharing personal information through websites that use HTTP protocols, there is a significant risk that a third party will be able to gain unauthorized access to the personal information. This risk is less when sharing through websites that use HTTPS protocols, as the communication is then encrypted. Furthermore, the sponsors are rather slow to make websites so that they support HTTPS protocols without much cost.<br />
<br />
According to the above, the Data Protection Authority considers that the processing by the Citizens' Ombudsman, which involved the provision of personal information, in connection with complaints to the Office, through an electronic complaint form on a website supported by HTTP protocols, was not compliant with Act no. 90/2018 and Regulation (EU) 2016/679. However, the Citizens' Ombudsman website now supports HTTPS protocols. In view of all the above, the Data Protection Authority does not consider there to be grounds for further action on the matter.<br />
<br />
Álitsorð (conclusion of the opinion):<br />
<br />
The processing of personal data by the Citizens' Ombudsman, which consisted of transferring them through a website that was supported by HTTP protocols, did not comply with Act no. 90/2018 and Regulation (EU) 2016/679.<br />
<br />
At Persónuvernd, March 5, 2020<br />
<br />
Björg Thorarensen<br />
chairman<br />
<br />
Adalsteinn Jónasson Ólafur Garðarsson<br />
<br />
Vilhelmína Haraldsdóttir Þorvarður Kári Ólafsson<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Rb._Gelderland_-_C/05/368427&diff=10286
Rb. Gelderland - C/05/368427
2020-05-23T16:09:53Z
<p>AK: /* Holding */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Rb. Gelderland - C/05/368427<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:courtsNL.png|center|250px]]<br />
|-<br />
|Court:||[[:Category:Rb. Gelderland (Netherlands)|Rb. Gelderland (Netherlands)]]<br />
[[Category:Rb. Gelderland (Netherlands)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the Netherlands|Netherlands]]<br />
[[Category:Netherlands]]<br />
|-<br />
|Relevant Law:||[[Article 2 GDPR#2c|Article 2(2)(c) GDPR]] <br />
[[Category:Article 2(2)(c) GDPR]]<br />
<br />
[[Article 8 GDPR#1|Article 8(1) GDPR]]<br />
[[Category:Article 8(1) GDPR]]<br />
|-<br />
|Decided:||13.5.2020<br />
[[Category:2020]]<br />
|-<br />
|Published:||13.5.2020<br />
|-<br />
|Parties:||n/a<br />
|-<br />
|National Case Number:||C/05/368427 / KG ZA 20-106<br />
|-<br />
|European Case Law Identifier:||<small>ECLI:NL:RBGEL:2020:2521</small><br />
|-<br />
|Appeal from:||n/a<br />
|-<br />
|Language:||Dutch<br />
[[Category:Dutch]]<br />
|-<br />
|Original Source:||[https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:2521&showbutton=true&keyword=AVG de Rechtspraak (in NL)]<br />
|}<br />
<br />
The Court of First Instance of Gelderland decided that the processing of personal data (photos) of the plaintiff’s minor children by their grandmother is unlawful and should be based on the legal representative’s consent. The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. <br />
<br />
==English Summary==<br />
===Facts===<br />
A mother of three underage children (plaintiff) filed a claim in the Court to cease the posting of her children’s photos by their grandmother (defendant) on social media. The plaintiff argued that the defendant had not obtained consent from her or her ex-partner – the legal representatives of one of the children concerned.<br />
<br />
===Dispute===<br />
Despite several letters requesting that she remove the photos from her Facebook page, the defendant did not comply with the request.<br />
The child concerned by the current proceedings (child 1) is under 16 years old. The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires the consent of their legal representative(s).<br />
The plaintiff, as a legal representative, had not given permission to post photos of her children on social media. In the case of child 1, his father had not granted permission to the defendant either.<br />
<br />
===Holding===<br />
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires the permission of their legal representative(s).<br />
<br />
The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. Therefore, the processing of the photos at issue falls within the scope of the GDPR.<br />
<br />
Given the lack of consent, the Court ordered the defendant to remove the photo of child 1 from her Facebook page and the photo of the plaintiff from her Pinterest account. In addition, the defendant is prohibited from posting photos of the plaintiff’s minor children on social media without permission.<br />
<br />
==Comment==<br />
''Share your comment here!''<br />
<br />
==Further Resources==<br />
* [https://blog.iusmentis.com/2020/05/19/oma-moet-van-rechter-fotos-kleinkinderen-van-social-media-verwijderen/ Oma moet van rechter foto’s kleinkinderen van social media verwijderen] (in Dutch), where Arnoud Engelfriet argues that the court is wrong in stating that [https://wetten.overheid.nl/BWBR0040940/2020-01-01/#Hoofdstuk1_Artikel5 Article 5 UAVG] requires the permission of the legal representative(s) for publishing pictures of minors. Instead, it stipulates that, where permission is required, the legal representative(s) are the ones who have to give it. So if a different legal basis from [[Article 6 GDPR]] is used, no permission is necessary.<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
ECLI:NL:RBGEL:2020:2521<br />
<br />
Authority<br />
Court of Gelderland<br />
Date of pronunciation<br />
13-05-2020<br />
Date of publication<br />
Case number<br />
C/05/368427<br />
Jurisdictions<br />
Civil Justice<br />
Special features<br />
First instance - single<br />
Interim injunction<br />
By contradiction<br />
Content indication<br />
Post photos of underage children on social media. AVG. Personal and household activity? Permission from legal representatives.<br />
Places<br />
Rechtspraak.nl<br />
Enriched pronunciation <br />
Ruling<br />
judgment<br />
COURT OF GELDERLAND<br />
Team canton and commercial law<br />
Sitting Place Arnhem<br />
Case number / roll number: C/05/368427 / KG ZA 20-106<br />
Judgment in preliminary relief proceedings of 13 May 2020<br />
in the matter of<br />
[plaintiff]<br />
residing at [residence 1] ,<br />
plaintiff,<br />
attorney at law J.W.J. Hopmans in Groesbeek,<br />
against<br />
[defendant],<br />
residing at [residence 2] ,<br />
defendant,<br />
appeared in person.<br />
The parties will hereinafter be referred to as [plaintiff] and [defendant].<br />
1 The proceedings<br />
1.1.<br />
The course of the proceedings is evidenced by:<br />
- the summons of 16 April 2020 with exhibits 1 to 6<br />
- the emails of 20 and 27 April 2020 from [defendant] with attachments<br />
- the email of 29 April 2020 from [plaintiff] with one exhibit<br />
- the pleading notes submitted by [plaintiff] prior to the oral hearing in connection with the Corona measures<br />
- the oral hearing held by telephone on 29 April 2020 in connection with the Corona measures.<br />
1.2.<br />
Finally, a judgment has been rendered.<br />
2 The facts<br />
2.1.<br />
[plaintiff] is the daughter of [defendant]. Due to an argument, the parties have had no contact with each other for over a year now.<br />
2.2.<br />
[plaintiff] has three children, all currently minors: [child 1], born on [date of birth], [child 2], born on [date of birth], and [child 3], born on [date of birth].<br />
[plaintiff] and her ex-partner [ex-partner] have joint parental authority over [child 1]. [plaintiff] alone has parental authority over [child 2] and [child 3].<br />
2.3.<br />
In the period from April 2012 to April 2019 [child 1] lived with his grandparents, [defendant] and her husband. After that he went to live with his father, [ex-partner], in [residence 3].<br />
2.4.<br />
[defendant] has (in the past) posted pictures of the children of [plaintiff] on her Facebook page.<br />
2.5.<br />
By letter of February 29, 2020, [plaintiff] wrote to [defendant], among other things, the following:<br />
(...) You have been asked several times via the police in [place] to remove the pictures of my minor children from your social media. Since you do not comply with this request and I, as the person with parental authority, do not want my minor children to be shown on social media, I hereby ask you once again to remove the photographs. If you do not do this, I will take further steps. In addition, my lawyer has already indicated that for each day that you display photos of my minor children without permission from the person with parental authority, a penalty payment will be due.<br />
So you have until Thursday 5 March to remove the photos from all your social media platforms. If you do not do this you will soon hear from my attorney.<br />
2.6.<br />
In a letter dated 18 March 2020, [plaintiff's] lawyer has again summoned [defendant] to remove all posted pictures of the children of [plaintiff] and not to post any pictures of the children on social media in the future.<br />
2.7.<br />
On 24 March 2020, [plaintiff] informed her lawyer of the following, among other things:<br />
The letter that you sent makes no difference to madam [remark of the judge in preliminary relief proceedings: [defendant]]. This is evidenced by the fact that on Sunday she already put up a new profile photo of my children on fb.<br />
I want madam to be dealt with by the court now...<br />
2.8.<br />
Via WhatsApp, [ex-partner] has confirmed to [plaintiff] that he too does not want pictures of [child 1] to be posted on Facebook.<br />
3 The dispute<br />
3.1.<br />
[plaintiff] claims that the Court in preliminary relief proceedings, by judgment enforceable provisionally, will prohibit [defendant] from posting, showing or otherwise distributing photographs of the minor children of [plaintiff] on social media, and order [defendant] to immediately remove all photographs of [plaintiff's] children already posted by her on social media, all this on forfeiture of a penalty of € 250.00 for each day or part of a day that [defendant] fails to do so as of service of the judgment to be given in this case, with an order that [defendant] pay the costs of the proceedings.<br />
3.2.<br />
[plaintiff] bases her claims on the fact that [defendant] is acting unlawfully, or in violation of the Dutch Data Protection Act or the General Data Protection Regulation (AVG), by posting photographs of the minor children of [plaintiff] on social media without her permission. Because of the children's privacy and in order to protect them, [plaintiff] does not want pictures of the children to be posted on social media. Publishing photographs of the children on social media seriously infringes their privacy, according to [plaintiff].<br />
3.3.<br />
[defendant] has put forward a defence. She acknowledges that in the past she posted photos of her grandchildren on her Facebook page. However, she argues that she respects the privacy of her grandchildren and that in the meantime she has removed all photos from Facebook, except for one photo of [child 1]. She asks the Court in preliminary relief proceedings whether she may leave just this photo on her Facebook page, given that she has a special relationship with [child 1] because she has taken care of him for a longer period of time.<br />
3.4.<br />
In so far as relevant, the arguments of the parties will be discussed in more detail below.<br />
4 The assessment<br />
4.1.<br />
The urgent interest in the requested provisions stems sufficiently from [plaintiff's] assertions.<br />
4.2.<br />
It follows from the statements of [defendant], which have not been contradicted, or at least not with sufficient substantiation, that at this moment there is only one photo of [child 1] on [defendant's] Facebook page. During the oral hearing by telephone, however, it came up that [defendant] also has a photo of [plaintiff] and her children on Pinterest, which [plaintiff] also wishes to have removed. [defendant] has remarked about the photo on Pinterest that there may still be a photo there, but that she has not used Pinterest for years.<br />
Therefore, the Court in preliminary relief proceedings considered it to be insufficiently disputed that at this moment only a photo of [child 1] is still on [defendant's] Facebook page and a photo of [plaintiff] and the children on [defendant's] account with Pinterest.<br />
4.3.<br />
The question is whether [defendant] is obliged to remove the pictures of the children of [plaintiff] from social media, including Facebook and Pinterest. The Court in preliminary relief proceedings considered the following.<br />
4.4.<br />
It has not been stated or proven that [plaintiff] or [defendant] is the maker of the photo of [child 1] on Facebook or the photo of [plaintiff] and her children on Pinterest. This means that in the scope of these interlocutory proceedings it must be assumed that the provisions of the Copyright Act do not apply to the present dispute.<br />
4.5.<br />
The General Data Protection Regulation (hereinafter: AVG) protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. However, this Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. Although it cannot be excluded that the posting of a photo on a personal Facebook page falls under a purely personal or household activity, in the preliminary opinion of the Court in preliminary relief proceedings, it has not been sufficiently established how [defendant] set up or protected her Facebook account or her Pinterest account. It is also unclear whether the photographs can be found through a search engine such as Google. In addition, with Facebook it cannot be ruled out that posted photos may be distributed and may end up in the hands of third parties. In view of these circumstances it has not become apparent, within the scope of these preliminary relief proceedings, that [defendant] is engaged in a purely personal or household activity. This means that the provisions of the General Data Protection Regulation (AVG) and the GDPR Implementation Act (hereinafter: UAVG) apply to the present dispute.<br />
4.6.<br />
The UAVG stipulates that the permission of their legal representative(s) is required for the posting of photographs of minors who have not yet reached the age of 16. It has been established that the minor children of [plaintiff] are under the age of 16 and that [plaintiff], as legal representative, has not given permission to [defendant] to post photographs of her children on social media. In the case of [child 1], his father did not give [defendant] permission either. In view of this, the Court in preliminary relief proceedings will order [defendant] to remove the photo of [child 1] on Facebook and the photo of [plaintiff] and her children on Pinterest. In addition, [defendant] will be prohibited from posting pictures of the minor children of [plaintiff] on social media without permission (as referred to in the AVG and UAVG). The emotional interest of [defendant] in being allowed to post photographs on social media cannot lead to a different judgment in this respect.<br />
4.7.<br />
The amount of the periodic penalty payment claimed will be moderated and capped as stated below. For the term within which the already placed photographs on social media have to be removed, the Court in preliminary relief proceedings will take into account that [defendant] has declared not to use Pinterest anymore and that therefore more time may be needed to remove the photograph.<br />
4.8.<br />
In view of the family relationship between the parties, the litigation costs between the parties will be compensated, in the sense that each party will bear its own costs.<br />
5 The decision<br />
The judge in preliminary relief proceedings<br />
5.1.<br />
condemns [defendant] to remove (or have removed) the photo of [child 1] on her Facebook account and the photo of [plaintiff] and her children on her Pinterest account within ten days after service of this judgment,<br />
5.2.<br />
condemns [defendant] to pay to [plaintiff] a penalty payment of € 50.00 for each day she fails to comply with the main order given in 5.1, up to a maximum of € 1,000.00,<br />
5.3.<br />
prohibits [defendant] from posting, displaying or otherwise distributing photographs of [plaintiff's] minor children on social media,<br />
5.4.<br />
condemns [defendant] to pay to [plaintiff] a penalty of € 50.00 for each day she violates the prohibition mentioned under 5.3. after the service of this judgment, up to a maximum of € 1,000.00,<br />
5.5.<br />
declares this judgment provisionally enforceable,<br />
5.6.<br />
compensates the costs of these proceedings between the parties, in the sense that each party bears its own costs,<br />
5.7.<br />
rejects what has been claimed in addition or otherwise.<br />
This judgment has been handed down by Mr. S.J. Peerdeman and publicly pronounced and signed by Mr. K. van Vlimmeren-van Ommen on 13 May 2020.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Rb._Gelderland_-_C/05/368427&diff=10285
Rb. Gelderland - C/05/368427
2020-05-23T16:09:02Z
<p>AK: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Rb. Gelderland - C/05/368427<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:courtsNL.png|center|250px]]<br />
|-<br />
|Court:||[[:Category:Rb. Gelderland (Netherlands)|Rb. Gelderland (Netherlands)]]<br />
[[Category:Rb. Gelderland (Netherlands)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the Netherlands|Netherlands]]<br />
[[Category:Netherlands]]<br />
|-<br />
|Relevant Law:||[[Article 2 GDPR#2c|Article 2(2)(c) GDPR]] <br />
[[Category:Article 2(2)(c) GDPR]]<br />
<br />
[[Article 8 GDPR#1|Article 8(1) GDPR]]<br />
[[Category:Article 8(1) GDPR]]<br />
|-<br />
|Decided:||13.5.2020<br />
[[Category:2020]]<br />
|-<br />
|Published:||13.5.2020<br />
|-<br />
|Parties:||n/a<br />
|-<br />
|National Case Number:||C/05/368427 / KG ZA 20-106<br />
|-<br />
|European Case Law Identifier:||<small>ECLI:NL:RBGEL:2020:2521</small><br />
|-<br />
|Appeal from:||n/a<br />
|-<br />
|Language:||Dutch<br />
[[Category:Dutch]]<br />
|-<br />
|Original Source:||[https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:2521&showbutton=true&keyword=AVG de Rechtspraak (in NL)]<br />
|}<br />
<br />
The Court of First Instance of Gelderland decided that the processing of personal data (photos) of the plaintiff’s minor children by their grandmother is unlawful and should be based on the legal representative’s consent. The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. <br />
<br />
==English Summary==<br />
===Facts===<br />
A mother of three underage children (plaintiff) filed a claim in the Court to stop the posting of her children’s photos on social media by their grandmother (defendant). The plaintiff argued that the defendant had not obtained consent from her or from her ex-partner, the legal representatives of one of the children concerned.<br />
<br />
===Dispute===<br />
Despite several letters requesting that she remove the photos from her Facebook page, the defendant did not comply with the request.<br />
The child concerned by the current proceedings (child 1) is under 16 years old. The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires the consent of their legal representative(s).<br />
The plaintiff, as a legal representative, had not given permission to post photos of her children on social media. In the case of child 1, his father had not granted permission to the defendant either.<br />
<br />
===Holding===<br />
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires the permission of their legal representative(s).<br />
<br />
The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. Therefore, the processing of the photos at issue falls within the scope of the GDPR.<br />
<br />
Given the lack of consent, the Court ordered the defendant to remove the photo of child 1 from her Facebook page and the photo of the plaintiff from her Pinterest account. In addition, the defendant will be prohibited from posting photos of the plaintiff’s minor children on social media without permission.<br />
<br />
==Comment==<br />
''Share your comment here!''<br />
<br />
==Further Resources==<br />
* [https://blog.iusmentis.com/2020/05/19/oma-moet-van-rechter-fotos-kleinkinderen-van-social-media-verwijderen/ Oma moet van rechter foto’s kleinkinderen van social media verwijderen] (in Dutch), where Arnoud Engelfriet argues that the court is wrong in stating that [https://wetten.overheid.nl/BWBR0040940/2020-01-01/#Hoofdstuk1_Artikel5 Article 5 UAVG] requires the permission of the legal representative(s) for publishing pictures of minors. Instead, it stipulates that, where permission is required, the legal representative(s) are the ones who have to give it. So if a different legal basis from [[Article 6 GDPR]] is used, no permission is necessary.<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
ECLI:NL:RBGEL:2020:2521<br />
<br />
Authority<br />
Court of Gelderland<br />
Date of pronunciation<br />
13-05-2020<br />
Date of publication<br />
Case number<br />
C/05/368427<br />
Jurisdictions<br />
Civil Justice<br />
Special features<br />
First instance - single<br />
Interim injunction<br />
By contradiction<br />
Content indication<br />
Post photos of underage children on social media. AVG. Personal and household activity? Permission from legal representatives.<br />
Places<br />
Rechtspraak.nl<br />
Enriched pronunciation <br />
Ruling<br />
judgment<br />
COURT OF GELDERLAND<br />
Team canton and commercial law<br />
Sitting Place Arnhem<br />
Case number / roll number: C/05/368427 / KG ZA 20-106<br />
Judgment in preliminary relief proceedings of 13 May 2020<br />
in the matter of<br />
[plaintiff]<br />
residing at [residence 1] ,<br />
plaintiff,<br />
attorney at law J.W.J. Hopmans in Groesbeek,<br />
against<br />
[defendant],<br />
residing at [residence 2] ,<br />
defendant,<br />
appeared in person.<br />
The parties will hereinafter be referred to as [plaintiff] and [defendant].<br />
1 The proceedings<br />
1.1.<br />
The course of the proceedings is evidenced by:<br />
- the summons of 16 April 2020 with exhibits 1 to 6<br />
- the emails of 20 and 27 April 2020 from [defendant] with attachments<br />
- the email of 29 April 2020 from [plaintiff] with one exhibit<br />
- the pleading notes submitted by [plaintiff] prior to the oral hearing in connection with the Corona measures<br />
- the oral hearing held by telephone on 29 April 2020 in connection with the Corona measures.<br />
1.2.<br />
Finally, a judgment has been rendered.<br />
2 The facts<br />
2.1.<br />
[plaintiff] is the daughter of [defendant]. Due to an argument, the parties have had no contact with each other for over a year now.<br />
2.2.<br />
[plaintiff] has three children, all currently minors: [child 1], born on [date of birth], [child 2], born on [date of birth], and [child 3], born on [date of birth].<br />
[plaintiff] and her ex-partner [ex-partner] have joint parental authority over [child 1]. [plaintiff] alone has parental authority over [child 2] and [child 3].<br />
2.3.<br />
In the period from April 2012 to April 2019 [child 1] lived with his grandparents, [defendant] and her husband. After that he went to live with his father, [ex-partner], in [residence 3].<br />
2.4.<br />
[defendant] has (in the past) posted pictures of the children of [plaintiff] on her Facebook page.<br />
2.5.<br />
By letter of February 29, 2020, [plaintiff] wrote to [defendant], among other things, the following:<br />
(...) You have been asked several times via the police in [place] to remove the pictures of my minor children from your social media. Since you do not comply with this request and I, as the person with parental authority, do not want my minor children to be shown on social media, I hereby ask you once again to remove the photographs. If you do not do this, I will take further steps. In addition, my lawyer has already indicated that for each day that you display photos of my minor children without permission from the person with parental authority, a penalty payment will be due.<br />
So you have until Thursday 5 March to remove the photos from all your social media platforms. If you do not do this you will soon hear from my attorney.<br />
2.6.<br />
In a letter dated 18 March 2020, [plaintiff's] lawyer has again summoned [defendant] to remove all posted pictures of the children of [plaintiff] and not to post any pictures of the children on social media in the future.<br />
2.7.<br />
On 24 March 2020, [plaintiff] informed her lawyer of the following, among other things:<br />
The letter that you sent makes no difference to madam [remark of the judge in preliminary relief proceedings: [defendant]]. This is evidenced by the fact that on Sunday she already put up a new profile photo of my children on fb.<br />
I want madam to be dealt with by the court now...<br />
2.8.<br />
Via WhatsApp, [ex-partner] has confirmed to [plaintiff] that he too does not want pictures of [child 1] to be posted on Facebook.<br />
3 The dispute<br />
3.1.<br />
[plaintiff] claims that the Court in preliminary relief proceedings, by judgment enforceable provisionally, will prohibit [defendant] from posting, showing or otherwise distributing photographs of the minor children of [plaintiff] on social media, and order [defendant] to immediately remove all photographs of [plaintiff's] children already posted by her on social media, all this on forfeiture of a penalty of € 250.00 for each day or part of a day that [defendant] fails to do so as of service of the judgment to be given in this case, with an order that [defendant] pay the costs of the proceedings.<br />
3.2.<br />
[plaintiff] bases her claims on the fact that [defendant] is acting unlawfully, or in violation of the Dutch Data Protection Act or the General Data Protection Regulation (AVG), by posting photographs of the minor children of [plaintiff] on social media without her permission. Because of the children's privacy and in order to protect them, [plaintiff] does not want pictures of the children to be posted on social media. Publishing photographs of the children on social media seriously infringes their privacy, according to [plaintiff].<br />
3.3.<br />
[defendant] has put forward a defence. She acknowledges that in the past she posted photos of her grandchildren on her Facebook page. However, she argues that she respects the privacy of her grandchildren and that in the meantime she has removed all photos from Facebook, except for one photo of [child 1]. She asks the Court in preliminary relief proceedings whether she may leave just this photo on her Facebook page, given that she has a special relationship with [child 1] because she has taken care of him for a longer period of time.<br />
3.4.<br />
In so far as relevant, the arguments of the parties will be discussed in more detail below.<br />
4 The assessment<br />
4.1.<br />
The urgent interest in the requested provisions stems sufficiently from [plaintiff's] assertions.<br />
4.2.<br />
It follows from the statements of [defendant], which have not been contradicted, or at least not with sufficient substantiation, that at this moment there is only one photo of [child 1] on [defendant's] Facebook page. During the oral hearing by telephone, however, it came up that [defendant] also has a photo of [plaintiff] and her children on Pinterest, which [plaintiff] also wishes to have removed. [defendant] has remarked about the photo on Pinterest that there may still be a photo there, but that she has not used Pinterest for years.<br />
Therefore, the Court in preliminary relief proceedings considered it to be insufficiently disputed that at this moment only a photo of [child 1] is still on [defendant's] Facebook page and a photo of [plaintiff] and the children on [defendant's] account with Pinterest.<br />
4.3.<br />
The question is whether [defendant] is obliged to remove the pictures of the children of [plaintiff] from social media, including Facebook and Pinterest. The Court in preliminary relief proceedings considered the following.<br />
4.4.<br />
It has not been stated or proven that [plaintiff] or [defendant] is the maker of the photo of [child 1] on Facebook or the photo of [plaintiff] and her children on Pinterest. This means that in the scope of these interlocutory proceedings it must be assumed that the provisions of the Copyright Act do not apply to the present dispute.<br />
4.5.<br />
The General Data Protection Regulation (hereinafter: AVG) protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. However, this Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity. Although it cannot be excluded that the posting of a photo on a personal Facebook page falls under a purely personal or household activity, in the preliminary opinion of the Court in preliminary relief proceedings, it has not been sufficiently established how [defendant] set up or protected her Facebook account or her Pinterest account. It is also unclear whether the photographs can be found through a search engine such as Google. In addition, with Facebook it cannot be ruled out that posted photos may be distributed and may end up in the hands of third parties. In view of these circumstances it has not become apparent, within the scope of these preliminary relief proceedings, that [defendant] is engaged in a purely personal or household activity. This means that the provisions of the General Data Protection Regulation (AVG) and the GDPR Implementation Act (hereinafter: UAVG) apply to the present dispute.<br />
4.6.<br />
The UAVG stipulates that the permission of their legal representative(s) is required for the posting of photographs of minors who have not yet reached the age of 16. It has been established that the minor children of [plaintiff] are under the age of 16 and that [plaintiff], as legal representative, has not given permission to [defendant] to post photographs of her children on social media. In the case of [child 1], his father did not give [defendant] permission either. In view of this, the Court in preliminary relief proceedings will order [defendant] to remove the photo of [child 1] on Facebook and the photo of [plaintiff] and her children on Pinterest. In addition, [defendant] will be prohibited from posting pictures of the minor children of [plaintiff] on social media without permission (as referred to in the AVG and UAVG). The emotional interest of [defendant] in being allowed to post photographs on social media cannot lead to a different judgment in this respect.<br />
4.7.<br />
The amount of the periodic penalty payment claimed will be moderated and capped as stated below. For the term within which the already placed photographs on social media have to be removed, the Court in preliminary relief proceedings will take into account that [defendant] has declared not to use Pinterest anymore and that therefore more time may be needed to remove the photograph.<br />
4.8.<br />
In view of the family relationship between the parties, the litigation costs between the parties will be compensated, in the sense that each party will bear its own costs.<br />
5 The decision<br />
The judge in preliminary relief proceedings<br />
5.1.<br />
condemns [defendant] to remove (or have removed) the photo of [child 1] on her Facebook account and the photo of [plaintiff] and her children on her Pinterest account within ten days after service of this judgment,<br />
5.2.<br />
condemns [defendant] to pay to [plaintiff] a penalty payment of € 50.00 for each day she fails to comply with the main order given in 5.1, up to a maximum of € 1,000.00,<br />
5.3.<br />
prohibits [defendant] from posting, displaying or otherwise distributing photographs of [plaintiff's] minor children on social media,<br />
5.4.<br />
condemns [defendant] to pay to [plaintiff] a penalty of € 50.00 for each day she violates the prohibition mentioned under 5.3. after the service of this judgment, up to a maximum of € 1,000.00,<br />
5.5.<br />
declares this judgment provisionally enforceable,<br />
5.6.<br />
compensates the costs of these proceedings between the parties, in the sense that each party bears its own costs,<br />
5.7.<br />
rejects what has been claimed in addition or otherwise.<br />
This judgment has been handed down by Mr. S.J. Peerdeman and publicly pronounced and signed by Mr. K. van Vlimmeren-van Ommen on 13 May 2020.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Rb._Gelderland_-_C/05/368427&diff=10284
Rb. Gelderland - C/05/368427
2020-05-23T16:06:57Z
<p>AK: /* Holding */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Rb. Gelderland - C/05/368427<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:courtsNL.png|center|250px]]<br />
|-<br />
|Court:||[[:Category:Rb. Gelderland (Netherlands)|Rb. Gelderland (Netherlands)]]<br />
[[Category:Rb. Gelderland (Netherlands)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the Netherlands|Netherlands]]<br />
[[Category:Netherlands]]<br />
|-<br />
|Relevant Law:||[[Article 2 GDPR#2c|Article 2(2)(c) GDPR]] <br />
[[Category:Article 2(2)(c) GDPR]]<br />
<br />
[[Article 8 GDPR#1|Article 8(1) GDPR]]<br />
[[Category:Article 8(1) GDPR]]<br />
|-<br />
|Decided:||13.5.2020<br />
[[Category:2020]]<br />
|-<br />
|Published:||13.5.2020<br />
|-<br />
|Parties:||n/a<br />
|-<br />
|National Case Number:||C/05/368427 / KG ZA 20-106<br />
|-<br />
|European Case Law Identifier:||<small>ECLI:NL:RBGEL:2020:2521</small><br />
|-<br />
|Appeal from:||n/a<br />
|-<br />
|Language:||Dutch<br />
[[Category:Dutch]]<br />
|-<br />
|Original Source:||[https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:2521&showbutton=true&keyword=AVG de Rechtspraak (in NL)]<br />
|}<br />
<br />
The Court of First Instance of Gelderland decided that the processing of personal data (photos) of the plaintiff’s minor children by their grandmother is unlawful and should be based on the legal representative’s consent. The Court has ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. <br />
<br />
==English Summary==<br />
===Facts===<br />
A mother of three underage children (plaintiff) filed a claim in the Court to stop the posting of her children’s photos on social media by their grandmother (defendant). The plaintiff argued that the defendant had not obtained consent from her or her ex-partner, the legal representatives of one of the children concerned.<br />
<br />
===Dispute===<br />
Despite several letters requesting that she remove the photos from her Facebook page, the defendant did not comply.<br />
Child 1, whom the current proceedings concern, is under 16 years old. The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires their legal representative(s)’ consent.<br />
The plaintiff, as a legal representative, had not given permission to post photos of her children on social media. In the case of child 1, his father had not granted permission to the defendant either.<br />
<br />
===Holding===<br />
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires the permission of their legal representative(s).<br />
<br />
The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. Therefore, such processing of the photos falls within the scope of the GDPR.<br />
<br />
Given the lack of consent, the Court ordered the defendant to remove the photo of child 1 from her Facebook page as well as the photo of the plaintiff from her Pinterest account. In addition, the defendant is prohibited from posting photos of the plaintiff’s minor children on social media without permission.<br />
<br />
==Comment==<br />
''Share your comment here!''<br />
<br />
==Further Resources==<br />
* [https://blog.iusmentis.com/2020/05/19/oma-moet-van-rechter-fotos-kleinkinderen-van-social-media-verwijderen/ Oma moet van rechter foto’s kleinkinderen van social media verwijderen] where Arnoud Engelfriet explains that the court is wrong in stating that [https://wetten.overheid.nl/BWBR0040940/2020-01-01/#Hoofdstuk1_Artikel5 Article 5 UAVG] requires the permission of the legal representative(s) for publishing pictures of minors. Instead, it stipulates that where permission is required, the legal representative(s) must give it. So if a different legal basis from [[Article 6 GDPR]] is used, no permission is necessary.<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
ECLI:NL:RBGEL:2020:2521<br />
<br />
Authority<br />
Court of Gelderland<br />
Date of pronunciation<br />
13-05-2020<br />
Date of publication<br />
Case number<br />
C/05/368427<br />
Jurisdictions<br />
Civil Justice<br />
Special features<br />
First instance - single<br />
Interim injunction<br />
By contradiction<br />
Content indication<br />
Post photos of underage children on social media. AVG. Personal and household activity? Permission from legal representatives.<br />
Places<br />
Rechtspraak.nl<br />
Enriched pronunciation <br />
Ruling<br />
judgment<br />
COURT OF GELDERLAND<br />
Team canton and commercial law<br />
Sitting Place Arnhem<br />
Case number / cause list number: C/05/368427 / KG ZA 20-106<br />
Judgment in preliminary relief proceedings of 13 May 2020<br />
in the matter of<br />
[plaintiff]<br />
residing at [residence 1] ,<br />
plaintiff,<br />
attorney at law J.W.J. Hopmans in Groesbeek,<br />
by<br />
[defendant],<br />
residing at [residence 2] ,<br />
defendant,<br />
appeared in person.<br />
The parties will hereinafter be referred to as [plaintiff] and [defendant].<br />
1 The proceedings<br />
1.1.<br />
The course of the procedure is evidenced by<br />
-<br />
the summons of 16 April 2020 with exhibits 1 to 6<br />
-<br />
the emails of 20 and 27 April 2020 of [defendant] with attachments<br />
-<br />
the email message of 29 April 2020 from [plaintiff] with an exhibit<br />
-<br />
the [plaintiff's] pleadings submitted in connection with the Corona measures prior to the oral hearing<br />
-<br />
the oral hearing on the Corona measures held by telephone on 29 April 2020.<br />
1.2.<br />
Finally, a judgment has been rendered.<br />
2 The facts<br />
2.1.<br />
[plaintiff] is the daughter of [defendant]. Due to an argument, the parties have had no contact with each other for over a year now.<br />
2.2.<br />
[plaintiff] has three now minor children: [child 1], born on [date of birth], [child 2], born on [date of birth], and [child 3], born on [date of birth].<br />
[plaintiff] and her ex-partner [ex-partner] have joint parental authority over [child 1]. Over [child 2] and [child 3], [plaintiff] alone has parental authority.<br />
2.3.<br />
In the period from April 2012 to April 2019 [child 1] lived with his grandparents, [defendant] and her husband. After that he went to live with his father, [ex-partner], in [residence 3].<br />
2.4.<br />
[defendant] has (in the past) placed pictures of the children of [plaintiff] on her Facebook page.<br />
2.5.<br />
By letter of February 29, 2020, [plaintiff] wrote to [defendant], among other things, the following:<br />
(...) You have been asked several times via the police to [place] , to remove the pictures on your social media concerning my minor children. Since you do not comply with this request and I, as authoritative party, do not want my minor children to be shown on social media, please inform yourself once again to remove the photographs by this means. If you do not do this, I will take further steps. In addition, my lawyer has already indicated that for each day that you exhibit photos of my minor children without permission from the authority, there will be a penalty payment.<br />
So you have until Thursday 5 March to remove the photos from all your social media platforms. If you do not do this you will soon hear from my attorney.<br />
2.6.<br />
In a letter dated 18 March 2020, [plaintiff's] lawyer has again summoned [defendant] to remove all posted pictures of the children of [plaintiff] and not to post any pictures of the children on social media in the future.<br />
2.7.<br />
On 24 March 2020, [plaintiff] informed her lawyer of the following, among other things:<br />
The letter that you sent does not matter to Ms. [remark of interlocutory judge: [defendant] ]. This is evidenced by the fact that on Sunday she already put a new profile photo of my children on fb.<br />
I want madam to be dealt with by the court now...<br />
2.8.<br />
Via WhatsApp, [ex-partner] has confirmed to [plaintiff] that he too does not want pictures of [child 1] to be posted on Facebook.<br />
3 The dispute<br />
3.1.<br />
[plaintiff] claims that the Court in preliminary relief proceedings, enforceable provisionally, will prohibit [defendant] from posting, showing or otherwise distributing photographs of the minor children of [plaintiff] on social media, as well as order [defendant] to immediately remove all photographs of [plaintiff's] children already placed by her on social media, all this on forfeiture of a penalty of € 250.00 for each day or part of a day that [defendant] fails to do so as of service of the judgment to be given in this case, with an order that [defendant] pay the costs of the proceedings.<br />
3.2.<br />
[plaintiff] bases her claims on the fact that [defendant] is acting unlawfully, or in violation of the Dutch Data Protection Act or the General Data Protection Regulation (AVG), by placing photographs of the minor children of [plaintiff] on social media without her permission. Because of the privacy of the children and in order to protect them, [plaintiff] does not want pictures of the children to be posted on social media. Publishing photographs of the children on social media seriously infringes the privacy of her children, according to [plaintiff].<br />
3.3.<br />
[defendant] puts up a defence. She acknowledges that in the past she posted photos of her grandchildren on her Facebook page. However, she argues that she respects the privacy of her grandchildren and that in the meantime she has removed all photos from Facebook, except for a photo of [child 1]. She asks the Court in preliminary relief proceedings whether she may leave only this photo on her Facebook page, now that she has a special relationship with [child 1] because she has taken care of him for a longer period of time.<br />
3.4.<br />
In so far as relevant, the arguments of the parties will be discussed in more detail below.<br />
4 The assessment<br />
4.1.<br />
The urgent interest in the requested provisions stems sufficiently from [plaintiff's] assertions.<br />
4.2.<br />
It follows from the statements of [defendant], which have not been disputed, or at least not sufficiently, that at this moment there is only a photo of [child 1] on [defendant's] Facebook page. During the oral hearing by telephone, however, it came up that [defendant] also has a photo of [plaintiff] and her children on Pinterest, which [plaintiff] wishes to be removed as well. [defendant] has remarked about the photo on Pinterest that there may still be a photo there, but that she has not used Pinterest for years.<br />
Therefore, the Court in preliminary relief proceedings considered it to be insufficiently disputed that at this moment only a photo of [child 1] is still on [defendant's] Facebook page and a photo of [plaintiff] and the children on [defendant's] account with Pinterest.<br />
4.3.<br />
The question is whether [defendant] is obliged to remove the pictures of the children of [plaintiff] from social media, including Facebook and Pinterest. The Court in preliminary relief proceedings considered the following.<br />
4.4.<br />
It has not been stated or proven that [plaintiff] or [defendant] is the maker of the photo of [child 1] on Facebook or the photo of [plaintiff] and her children on Pinterest. This means that in the scope of these interlocutory proceedings it must be assumed that the provisions of the Copyright Act do not apply to the present dispute.<br />
4.5.<br />
The General Data Protection Regulation (hereinafter: AVG) protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. However, this Regulation does not apply to the processing of personal data by a natural person in the exercise of a purely personal or household activity. Although it cannot be excluded that the placing of a photo on a personal Facebook page falls under a purely personal or household activity, in the preliminary opinion of the Court in preliminary relief proceedings, it has not been sufficiently established how [defendant] set up or protected her Facebook account or her Pinterest account. It is also unclear whether the photographs can be found through a search engine such as Google. In addition, with Facebook it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties. In view of these circumstances it has not appeared in the scope of these preliminary relief proceedings that there is a purely personal or domestic activity of [defendant]. This means that the provisions of the General Data Protection Regulation (AVG) and the General Data Protection Implementation Act (hereinafter: UAVG) apply to the present dispute.<br />
4.6.<br />
The UAVG stipulates that the permission of their legal representative(s) is required for the posting of photographs of minors who have not yet reached the age of 16. It has been established that the minor children of [plaintiff] are under the age of 16 and that [plaintiff], as legal representative, has not given permission to [defendant] to post photographs of her children on social media. In the case of [child 1], his father did not give [defendant] permission either. In view of this the Court in preliminary relief proceedings will order [defendant] to remove the photo of [child 1] on Facebook and the photo of [plaintiff] and her children on Pinterest. In addition, [defendant] will be prohibited from posting pictures of the minor children of [plaintiff] on social media without permission (as referred to in the AVG and UAVG). [defendant]'s emotional interest in being allowed to post photographs on social media cannot lead to a different judgment in this respect.<br />
4.7.<br />
The amount of the periodic penalty payment claimed will be moderated and capped as stated below. For the term within which the already placed photographs on social media have to be removed, the Court in preliminary relief proceedings will take into account that [defendant] has declared not to use Pinterest anymore and that therefore more time may be needed to remove the photograph.<br />
4.8.<br />
In view of the family relationship between the parties, the litigation costs between the parties will be compensated, in the sense that each party will bear its own costs.<br />
5 The decision<br />
The judge in preliminary relief proceedings<br />
5.1.<br />
condemns [defendant] to remove (or have removed) the photo of [child 1] on her Facebook account and the photo of [plaintiff] and her children on her Pinterest account within ten days after service of this judgment,<br />
5.2.<br />
condemns [defendant] to pay to [plaintiff] a penalty payment of € 50.00 for each day she fails to comply with the main order given in 5.1, up to a maximum of € 1,000.00,<br />
5.3.<br />
prohibits [defendant] from posting, displaying or otherwise distributing photographs of [plaintiff's] minor children on social media,<br />
5.4.<br />
condemns [defendant] to pay to [plaintiff] a penalty of € 50.00 for each day she violates the prohibition mentioned under 5.3. after the service of this judgment, up to a maximum of € 1,000.00,<br />
5.5.<br />
declares this judgment provisionally enforceable,<br />
5.6.<br />
offsets the costs of these proceedings between the parties, in the sense that each party bears its own costs,<br />
5.7.<br />
rejects what has been claimed in excess or otherwise.<br />
This judgment has been handed down by Mr. S.J. Peerdeman and publicly pronounced and signed by Mr. K. van Vlimmeren-van Ommen on 13 May 2020.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Rb._Gelderland_-_C/05/368427&diff=10283
Rb. Gelderland - C/05/368427
2020-05-23T16:05:46Z
<p>AK: /* Holding */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Rb. Gelderland - C/05/368427<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:courtsNL.png|center|250px]]<br />
|-<br />
|Court:||[[:Category:Rb. Gelderland (Netherlands)|Rb. Gelderland (Netherlands)]]<br />
[[Category:Rb. Gelderland (Netherlands)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the Netherlands|Netherlands]]<br />
[[Category:Netherlands]]<br />
|-<br />
|Relevant Law:||[[Article 2 GDPR#2c|Article 2(2)(c) GDPR]] <br />
[[Category:Article 2(2)(c) GDPR]]<br />
<br />
[[Article 8 GDPR#1|Article 8(1) GDPR]]<br />
[[Category:Article 8(1) GDPR]]<br />
|-<br />
|Decided:||13.5.2020<br />
[[Category:2020]]<br />
|-<br />
|Published:||13.5.2020<br />
|-<br />
|Parties:||n/a<br />
|-<br />
|National Case Number:||C/05/368427 / KG ZA 20-106<br />
|-<br />
|European Case Law Identifier:||<small>ECLI:NL:RBGEL:2020:2521</small><br />
|-<br />
|Appeal from:||n/a<br />
|-<br />
|Language:||Dutch<br />
[[Category:Dutch]]<br />
|-<br />
|Original Source:||[https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:2521&showbutton=true&keyword=AVG de Rechtspraak (in NL)]<br />
|}<br />
<br />
The Court of First Instance of Gelderland decided that the processing of personal data (photos) of the plaintiff’s minor children by their grandmother is unlawful and should be based on the legal representative’s consent. The Court has ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. <br />
<br />
==English Summary==<br />
===Facts===<br />
A mother of three underage children (plaintiff) filed a claim in the Court to stop the posting of her children’s photos on social media by their grandmother (defendant). The plaintiff argued that the defendant had not obtained consent from her or her ex-partner, the legal representatives of one of the children concerned.<br />
<br />
===Dispute===<br />
Despite several letters requesting that she remove the photos from her Facebook page, the defendant did not comply.<br />
Child 1, whom the current proceedings concern, is under 16 years old. The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires their legal representative(s)’ consent.<br />
The plaintiff, as a legal representative, had not given permission to post photos of her children on social media. In the case of child 1, his father had not granted permission to the defendant either.<br />
<br />
===Holding===<br />
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires the permission of their legal representative(s).<br />
<br />
The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. Therefore, such processing of the photos falls within the scope of the GDPR.<br />
<br />
Given the lack of consent, the Court ordered the defendant to remove the photo of child 1 from her Facebook page as well as the photo of the plaintiff from her Pinterest account. In addition, the defendant is prohibited from posting photos of the plaintiff’s minor children on social media without permission.<br />
<br />
==Comment==<br />
''Share your comment here!''<br />
<br />
==Further Resources==<br />
* [https://blog.iusmentis.com/2020/05/19/oma-moet-van-rechter-fotos-kleinkinderen-van-social-media-verwijderen/ Oma moet van rechter foto’s kleinkinderen van social media verwijderen] where Arnoud Engelfriet explains that the court is wrong in stating that [https://wetten.overheid.nl/BWBR0040940/2020-01-01/#Hoofdstuk1_Artikel5 Article 5 UAVG] requires the permission of the legal representative(s) for publishing pictures of minors. Instead, it stipulates that where permission is required, the legal representative(s) must give it. So if a different legal basis from [[Article 6 GDPR]] is used, no permission is necessary.<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
ECLI:NL:RBGEL:2020:2521<br />
<br />
Authority<br />
Court of Gelderland<br />
Date of pronunciation<br />
13-05-2020<br />
Date of publication<br />
Case number<br />
C/05/368427<br />
Jurisdictions<br />
Civil Justice<br />
Special features<br />
First instance - single<br />
Interim injunction<br />
By contradiction<br />
Content indication<br />
Post photos of underage children on social media. AVG. Personal and household activity? Permission from legal representatives.<br />
Places<br />
Rechtspraak.nl<br />
Enriched pronunciation <br />
Ruling<br />
judgment<br />
COURT OF GELDERLAND<br />
Team canton and commercial law<br />
Sitting Place Arnhem<br />
Case number / cause list number: C/05/368427 / KG ZA 20-106<br />
Judgment in preliminary relief proceedings of 13 May 2020<br />
in the matter of<br />
[plaintiff]<br />
residing at [residence 1] ,<br />
plaintiff,<br />
attorney at law J.W.J. Hopmans in Groesbeek,<br />
by<br />
[defendant],<br />
residing at [residence 2] ,<br />
defendant,<br />
appeared in person.<br />
The parties will hereinafter be referred to as [plaintiff] and [defendant].<br />
1 The proceedings<br />
1.1.<br />
The course of the procedure is evidenced by<br />
-<br />
the summons of 16 April 2020 with exhibits 1 to 6<br />
-<br />
the emails of 20 and 27 April 2020 of [defendant] with attachments<br />
-<br />
the email message of 29 April 2020 from [plaintiff] with an exhibit<br />
-<br />
the [plaintiff's] pleadings submitted in connection with the Corona measures prior to the oral hearing<br />
-<br />
the oral hearing on the Corona measures held by telephone on 29 April 2020.<br />
1.2.<br />
Finally, a judgment has been rendered.<br />
2 The facts<br />
2.1.<br />
[plaintiff] is the daughter of [defendant]. Due to an argument, the parties have had no contact with each other for over a year now.<br />
2.2.<br />
[plaintiff] has three now minor children: [child 1], born on [date of birth], [child 2], born on [date of birth], and [child 3], born on [date of birth].<br />
[plaintiff] and her ex-partner [ex-partner] have joint parental authority over [child 1]. Over [child 2] and [child 3], [plaintiff] alone has parental authority.<br />
2.3.<br />
In the period from April 2012 to April 2019 [child 1] lived with his grandparents, [defendant] and her husband. After that he went to live with his father, [ex-partner], in [residence 3].<br />
2.4.<br />
[defendant] has (in the past) placed pictures of the children of [plaintiff] on her Facebook page.<br />
2.5.<br />
By letter of February 29, 2020, [plaintiff] wrote to [defendant], among other things, the following:<br />
(...) You have been asked several times via the police to [place] , to remove the pictures on your social media concerning my minor children. Since you do not comply with this request and I, as authoritative party, do not want my minor children to be shown on social media, please inform yourself once again to remove the photographs by this means. If you do not do this, I will take further steps. In addition, my lawyer has already indicated that for each day that you exhibit photos of my minor children without permission from the authority, there will be a penalty payment.<br />
So you have until Thursday 5 March to remove the photos from all your social media platforms. If you do not do this you will soon hear from my attorney.<br />
2.6.<br />
In a letter dated 18 March 2020, [plaintiff's] lawyer has again summoned [defendant] to remove all posted pictures of the children of [plaintiff] and not to post any pictures of the children on social media in the future.<br />
2.7.<br />
On 24 March 2020, [plaintiff] informed her lawyer of the following, among other things:<br />
The letter that you sent does not matter to Ms. [remark of interlocutory judge: [defendant] ]. This is evidenced by the fact that on Sunday she already put a new profile photo of my children on fb.<br />
I want madam to be dealt with by the court now...<br />
2.8.<br />
Via WhatsApp, [ex-partner] has confirmed to [plaintiff] that he too does not want pictures of [child 1] to be posted on Facebook.<br />
3 The dispute<br />
3.1.<br />
[plaintiff] claims that the Court in preliminary relief proceedings, enforceable provisionally, will prohibit [defendant] from posting, showing or otherwise distributing photographs of the minor children of [plaintiff] on social media, as well as order [defendant] to immediately remove all photographs of [plaintiff's] children already placed by her on social media, all this on forfeiture of a penalty of € 250.00 for each day or part of a day that [defendant] fails to do so as of service of the judgment to be given in this case, with an order that [defendant] pay the costs of the proceedings.<br />
3.2.<br />
[plaintiff] bases her claims on the fact that [defendant] is acting unlawfully, or in violation of the Dutch Data Protection Act or the General Data Protection Regulation (AVG), by placing photographs of the minor children of [plaintiff] on social media without her permission. Because of the privacy of the children and in order to protect them, [plaintiff] does not want pictures of the children to be posted on social media. Publishing photographs of the children on social media seriously infringes the privacy of her children, according to [plaintiff].<br />
3.3.<br />
[defendant] puts up a defence. She acknowledges that in the past she posted photos of her grandchildren on her Facebook page. However, she argues that she respects the privacy of her grandchildren and that in the meantime she has removed all photos from Facebook, except for a photo of [child 1]. She asks the Court in preliminary relief proceedings whether she may leave only this photo on her Facebook page, now that she has a special relationship with [child 1] because she has taken care of him for a longer period of time.<br />
3.4.<br />
In so far as relevant, the arguments of the parties will be discussed in more detail below.<br />
4 The assessment<br />
4.1.<br />
The urgent interest in the requested provisions stems sufficiently from [plaintiff's] assertions.<br />
4.2.<br />
It follows from the statements of [defendant], which have not been disputed, or at least not sufficiently, that at this moment there is only a photo of [child 1] on [defendant's] Facebook page. During the oral hearing by telephone, however, it came up that [defendant] also has a photo of [plaintiff] and her children on Pinterest, which [plaintiff] wishes to be removed as well. [defendant] has remarked about the photo on Pinterest that there may still be a photo there, but that she has not used Pinterest for years.<br />
Therefore, the Court in preliminary relief proceedings considered it to be insufficiently disputed that at this moment only a photo of [child 1] is still on [defendant's] Facebook page and a photo of [plaintiff] and the children on [defendant's] account with Pinterest.<br />
4.3.<br />
The question is whether [defendant] is obliged to remove the pictures of the children of [plaintiff] from social media, including Facebook and Pinterest. The Court in preliminary relief proceedings considered the following.<br />
4.4.<br />
It has not been stated or proven that [plaintiff] or [defendant] is the maker of the photo of [child 1] on Facebook or the photo of [plaintiff] and her children on Pinterest. This means that in the scope of these interlocutory proceedings it must be assumed that the provisions of the Copyright Act do not apply to the present dispute.<br />
4.5.<br />
The General Data Protection Regulation (hereinafter: AVG) protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. However, this Regulation does not apply to the processing of personal data by a natural person in the exercise of a purely personal or household activity. Although it cannot be excluded that the placing of a photo on a personal Facebook page falls under a purely personal or household activity, in the preliminary opinion of the Court in preliminary relief proceedings, it has not been sufficiently established how [defendant] set up or protected her Facebook account or her Pinterest account. It is also unclear whether the photographs can be found through a search engine such as Google. In addition, with Facebook it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties. In view of these circumstances it has not appeared in the scope of these preliminary relief proceedings that there is a purely personal or domestic activity of [defendant]. This means that the provisions of the General Data Protection Regulation (AVG) and the General Data Protection Implementation Act (hereinafter: UAVG) apply to the present dispute.<br />
4.6.<br />
The UAVG stipulates that the permission of their legal representative(s) is required for the posting of photographs of minors who have not yet reached the age of 16. It has been established that the minor children of [plaintiff] are under the age of 16 and that [plaintiff], as legal representative, has not given permission to [defendant] to post photographs of her children on social media. In the case of [child 1], his father did not give [defendant] permission either. In view of this the Court in preliminary relief proceedings will order [defendant] to remove the photo of [child 1] on Facebook and the photo of [plaintiff] and her children on Pinterest. In addition, [defendant] will be prohibited from posting pictures of the minor children of [plaintiff] on social media without permission (as referred to in the AVG and UAVG). [defendant]'s emotional interest in being allowed to post photographs on social media cannot lead to a different judgment in this respect.<br />
4.7.<br />
The amount of the periodic penalty payment claimed will be moderated and capped as stated below. For the term within which the already placed photographs on social media have to be removed, the Court in preliminary relief proceedings will take into account that [defendant] has declared not to use Pinterest anymore and that therefore more time may be needed to remove the photograph.<br />
4.8.<br />
In view of the family relationship between the parties, the litigation costs between the parties will be compensated, in the sense that each party will bear its own costs.<br />
5 The decision<br />
The judge in preliminary relief proceedings<br />
5.1.<br />
condemns [defendant] to remove (or have removed) the photo of [child 1] on her Facebook account and the photo of [plaintiff] and her children on her Pinterest account within ten days after service of this judgment,<br />
5.2.<br />
condemns [defendant] to pay to [plaintiff] a penalty payment of € 50.00 for each day she fails to comply with the main order given in 5.1, up to a maximum of € 1,000.00,<br />
5.3.<br />
prohibits [defendant] from posting, displaying or otherwise distributing photographs of [plaintiff's] minor children on social media,<br />
5.4.<br />
condemns [defendant] to pay to [plaintiff] a penalty of € 50.00 for each day she violates the prohibition mentioned under 5.3. after the service of this judgment, up to a maximum of € 1,000.00,<br />
5.5.<br />
declares this judgment provisionally enforceable,<br />
5.6.<br />
offsets the costs of these proceedings between the parties, in the sense that each party bears its own costs,<br />
5.7.<br />
rejects what has been claimed in excess or otherwise.<br />
This judgment has been handed down by Mr. S.J. Peerdeman and publicly pronounced and signed by Mr. K. van Vlimmeren-van Ommen on 13 May 2020.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Rb._Gelderland_-_C/05/368427&diff=10282
Rb. Gelderland - C/05/368427
2020-05-23T16:04:55Z
<p>AK: /* Dispute */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Rb. Gelderland - C/05/368427<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:courtsNL.png|center|250px]]<br />
|-<br />
|Court:||[[:Category:Rb. Gelderland (Netherlands)|Rb. Gelderland (Netherlands)]]<br />
[[Category:Rb. Gelderland (Netherlands)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the Netherlands|Netherlands]]<br />
[[Category:Netherlands]]<br />
|-<br />
|Relevant Law:||[[Article 2 GDPR#2c|Article 2(2)(c) GDPR]] <br />
[[Category:Article 2(2)(c) GDPR]]<br />
<br />
[[Article 8 GDPR#1|Article 8(1) GDPR]]<br />
[[Category:Article 8(1) GDPR]]<br />
|-<br />
|Decided:||13.5.2020<br />
[[Category:2020]]<br />
|-<br />
|Published:||13.5.2020<br />
|-<br />
|Parties:||n/a<br />
|-<br />
|National Case Number:||C/05/368427 / KG ZA 20-106<br />
|-<br />
|European Case Law Identifier:||<small>ECLI:NL:RBGEL:2020:2521</small><br />
|-<br />
|Appeal from:||n/a<br />
|-<br />
|Language:||Dutch<br />
[[Category:Dutch]]<br />
|-<br />
|Original Source:||[https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:2521&showbutton=true&keyword=AVG de Rechtspraak (in NL)]<br />
|}<br />
<br />
The Court of First Instance of Gelderland decided that the processing of personal data (photos) of the plaintiff’s minor children by their grandmother is unlawful and should be based on the legal representative’s consent. The Court has ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. <br />
<br />
==English Summary==<br />
===Facts===<br />
A mother of three underage children (plaintiff) filed a claim in the Court to stop their grandmother (defendant) from posting the children’s photos on social media. The plaintiff argued that the defendant had not obtained consent from her or her ex-partner – the legal representatives of one of the children concerned.<br />
<br />
===Dispute===<br />
Despite several letters requesting the defendant to remove the photos from her Facebook page, the defendant did not comply with the request.<br />
The plaintiff’s child (child 1), whom the current proceedings concern, is under 16 years old. The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires their legal representative(s)’ consent.<br />
The plaintiff, as a legal representative, had not given permission to post photos of her children on social media. In the case of child 1, his father also had not granted permission to the defendant.<br />
<br />
===Holding===<br />
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires the permission of their legal representative(s).<br />
<br />
The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. Therefore, such processing of the photos of the plaintiff’s children falls within the scope of the GDPR.<br />
<br />
Given the lack of consent, the Court ordered the defendant to remove the photo of child 1 from her Facebook page and the photo of the plaintiff and her children from her Pinterest account. In addition, the defendant is prohibited from posting photos of the plaintiff’s minor children on social media without permission.<br />
<br />
==Comment==<br />
''Share your comment here!''<br />
<br />
==Further Resources==<br />
* [https://blog.iusmentis.com/2020/05/19/oma-moet-van-rechter-fotos-kleinkinderen-van-social-media-verwijderen/ Oma moet van rechter foto’s kleinkinderen van social media verwijderen], where Arnoud Engelfriet explains that the court is wrong in stating that [https://wetten.overheid.nl/BWBR0040940/2020-01-01/#Hoofdstuk1_Artikel5 Article 5 UAVG] requires the permission of the legal representative(s) for publishing pictures of minors. Instead, it stipulates that, where permission is required, the legal representative(s) are the ones who have to give it. So if a legal basis from [[Article 6 GDPR]] other than consent is used, no permission is necessary.<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
ECLI:NL:RBGEL:2020:2521<br />
<br />
Authority<br />
Court of Gelderland<br />
Date of pronunciation<br />
13-05-2020<br />
Date of publication<br />
Case number<br />
C/05/368427<br />
Jurisdictions<br />
Civil Justice<br />
Special features<br />
First instance - single<br />
Interim injunction<br />
By contradiction<br />
Content indication<br />
Post photos of underage children on social media. AVG. Personal and household activity? Permission from legal representatives.<br />
Places<br />
Rechtspraak.nl<br />
Enriched pronunciation <br />
Ruling<br />
judgment<br />
COURT OF GELDERLAND<br />
Team canton and commercial law<br />
Sitting Place Arnhem<br />
Case number / reel number: C/05/368427 / KG ZA 20-106<br />
Judgment in preliminary relief proceedings of 13 May 2020<br />
in the matter of<br />
[plaintiff]<br />
residing at [residence 1] ,<br />
plaintiff,<br />
attorney at law J.W.J. Hopmans in Groesbeek,<br />
by<br />
[defendant],<br />
residing at [residence 2] ,<br />
defendant,<br />
appeared in person.<br />
The parties will hereinafter be referred to as [plaintiff] and [defendant].<br />
1 The proceedings<br />
1.1.<br />
The course of the procedure is evidenced by<br />
-<br />
the indictment of 16 April 2020 with productions 1 to 6<br />
-<br />
the emails of 20 and 27 April 2020 of [defendant] with attachments<br />
-<br />
the email message of 29 April 2020 from [plaintiff] with a production<br />
-<br />
the [plaintiff's] pleadings submitted in connection with the Corona measures prior to the oral hearing<br />
-<br />
the oral hearing on the Corona measures held by telephone on 29 April 2020.<br />
1.2.<br />
Finally, a judgment has been rendered.<br />
2 The facts<br />
2.1.<br />
[plaintiff] is the daughter of [defendant]. Due to an argument, the parties have had no contact with each other for over a year now.<br />
2.2.<br />
[plaintiff] has three now minor children: [child 1], born on [date of birth], [child 2], born on [date of birth], and [child 3], born on [date of birth].<br />
[claimant] and her ex-partner [ex-partner] have joint parental authority over [child 1]. Over [child 2] and [child 3] [plaintiff] alone has parental authority.<br />
2.3.<br />
In the period from April 2012 to April 2019 [child 1] lived with his grandparents, [defendant] and her husband. After that he went to live with his father, [ex-partner], in [residence 3].<br />
2.4.<br />
[defendant] has (in the past) placed pictures of the children of [plaintiff] on her Facebook page.<br />
2.5.<br />
By letter of February 29, 2020, [plaintiff] wrote to [defendant], among other things, the following:<br />
(...) You have been asked several times via the police to [place] , to remove the pictures on your social media concerning my minor children. Since you do not comply with this request and I, as authoritative party, do not want my minor children to be shown on social media, please inform yourself once again to remove the photographs by this means. If you do not do this, I will take further steps. In addition, my lawyer has already indicated that for each day that you exhibit photos of my minor children without permission from the authority, there will be a penalty payment.<br />
So you have until Thursday 5 March to remove the photos from all your social media platforms. If you do not do this you will soon hear from my attorney.<br />
2.6.<br />
In a letter dated 18 March 2020, [plaintiff's] lawyer has again summoned [defendant] to remove all posted pictures of the children of [plaintiff] and not to post any pictures of the children on social media in the future.<br />
2.7.<br />
On 24 March 2020, [plaintiff] informed her lawyer of the following, among other things:<br />
The letter that you sent does not matter to Ms. [remark of interlocutory judge: [defendant] ]. This is evidenced by the fact that on Sunday she already put a new profile photo of my children on fb.<br />
I want madam to be dealt with by the court now...<br />
2.8.<br />
Through WhatsApp, [ex-partner] has confirmed to [plaintiff] that he too does not want pictures of [child 1] to be posted on Facebook.<br />
3 The dispute<br />
3.1.<br />
[Plaintiff] claims that the Court in preliminary relief proceedings, enforceable provisionally, will prohibit [defendant] from posting, showing or otherwise distributing photographs of the minor children of [plaintiff] on social media, as well as order [defendant] to immediately remove all photographs of [plaintiff's] children already placed by her on social media, all this on forfeiture of a penalty of € 250.00 for each day or part of a day that [defendant] fails to do so as of service of the judgment to be given in this case, with an order that [defendant] pay the costs of the proceedings.<br />
3.2.<br />
[plaintiff] bases her claims on the fact that [defendant] is acting unlawfully, or in violation of the Dutch Data Protection Act or the General Data Protection Regulation (AVG), by placing photographs of the minor children of [plaintiff] on social media without her permission. Because of the privacy of the children and in order to protect them, [plaintiff] does not want pictures of the children to be posted on social media. Publishing photographs of the children on social media seriously infringes the privacy of her children, according to [plaintiff].<br />
3.3.<br />
[defendant] responds. She acknowledges that in the past she posted photos of her grandchildren on her Facebook page. However, she argues that she respects the privacy of her grandchildren and that in the meantime she has removed all photos from Facebook, except for a photo of [child 1]. She asks the Court in preliminary relief proceedings whether she may leave only this photo on her Facebook page, now that she has a special relationship with [child 1] because she has taken care of him for a longer period of time.<br />
3.4.<br />
In so far as relevant, the arguments of the parties will be discussed in more detail below.<br />
4 The assessment<br />
4.1.<br />
The urgent interest in the requested provisions stems sufficiently from [plaintiff's] assertions.<br />
4.2.<br />
It follows from the statements of [defendant], which are not, or at least insufficiently, disputed, that at this moment there is only a photo of [child 1] on [defendant's] Facebook page. During the oral hearing by telephone, however, it came up that [defendant] also has a photo of [plaintiff] and her children on Pinterest, which [plaintiff] wishes to have removed as well. [Defendant] has remarked about the photo on Pinterest that there may still be a photo there, but that she has not used Pinterest for years.<br />
Therefore, the Court in preliminary relief proceedings considered it to be insufficiently disputed that at this moment only a photo of [child 1] is still on [defendant's] Facebook page and a photo of [plaintiff] and the children on [defendant's] account with Pinterest.<br />
4.3.<br />
The question is whether [defendant] is obliged to remove the pictures of the children of [plaintiff] from social media, including Facebook and Pinterest. The Court in preliminary relief proceedings considered the following.<br />
4.4.<br />
It has not been stated or proven that [plaintiff] or [defendant] is the maker of the photo of [child 1] on Facebook or the photo of [plaintiff] and her children on Pinterest. This means that in the scope of these interlocutory proceedings it must be assumed that the provisions of the Copyright Act do not apply to the present dispute.<br />
4.5.<br />
The General Data Protection Regulation (hereinafter: AVG) protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. However, this Regulation does not apply to the processing of personal data by a natural person in the exercise of a purely personal or household activity. Although it cannot be excluded that the placing of a photo on a personal Facebook page falls under a purely personal or household activity, in the preliminary opinion of the Court in preliminary relief proceedings, it has not been sufficiently established how [defendant] set up or protected her Facebook account or her Pinterest account. It is also unclear whether the photographs can be found through a search engine such as Google. In addition, with Facebook it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties. In view of these circumstances it has not appeared in the scope of these preliminary relief proceedings that there is a purely personal or domestic activity of [defendant]. This means that the provisions of the General Data Protection Regulation (AVG) and the General Data Protection Implementation Act (hereinafter: UAVG) apply to the present dispute.<br />
4.6.<br />
The UAVG stipulates that the permission of their legal representative(s) is required for the posting of photographs of minors who have not yet reached the age of 16. It has been established that the minor children of [plaintiff] are under the age of 16 and that [plaintiff], as legal representative, has not given permission to [defendant] to post photographs of her children on social media. In the case of [child 1], his father did not give [defendant] permission either. In view of this the Court in preliminary relief proceedings will order [defendant] to remove the photo of [child 1] on Facebook and the photo of [plaintiff] and her children on Pinterest. In addition, [defendant] will be prohibited from posting pictures of the minor children of [plaintiff] on social media without permission (as referred to in the AVG and UAVG). The emotional importance of [defendant] to be allowed to place photographs on social media cannot lead to a different judgment in this respect.<br />
4.7.<br />
The amount of the periodic penalty payment claimed will be moderated and capped as stated below. For the term within which the already placed photographs on social media have to be removed, the Court in preliminary relief proceedings will take into account that [defendant] has declared not to use Pinterest anymore and that therefore more time may be needed to remove the photograph.<br />
4.8.<br />
In view of the family relationship between the parties, the litigation costs between the parties will be compensated, in the sense that each party will bear its own costs.<br />
5 The decision<br />
The judge in preliminary relief proceedings<br />
5.1.<br />
condemns [defendant] to remove (or have removed) the photo of [child 1] on her Facebook account and the photo of [plaintiff] and her children on her Pinterest account within ten days after service of this judgment,<br />
5.2.<br />
condemns [defendant] to pay to [plaintiff] a penalty payment of € 50.00 for each day she fails to comply with the main order given in 5.1, up to a maximum of € 1,000.00,<br />
5.3.<br />
prohibits [defendant] from posting, displaying or otherwise distributing photographs of [plaintiff's] minor children on social media,<br />
5.4.<br />
condemns [defendant] to pay to [plaintiff] a penalty of € 50.00 for each day she violates the prohibition mentioned under 5.3. after the service of this judgment, up to a maximum of € 1,000.00,<br />
5.5.<br />
declares this judgment provisionally enforceable,<br />
5.6.<br />
Compensates for the costs of these proceedings between the parties, in the sense that each party bears its own costs,<br />
5.7.<br />
Rejects the more or otherwise advanced.<br />
This judgment has been handed down by Mr. S.J. Peerdeman and publicly pronounced and signed by Mr. K. van Vlimmeren-van Ommen on 13 May 2020.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=Rb._Gelderland_-_C/05/368427&diff=10281
Rb. Gelderland - C/05/368427
2020-05-23T16:02:30Z
<p>AK: /* Facts */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Rb. Gelderland - C/05/368427<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:courtsNL.png|center|250px]]<br />
|-<br />
|Court:||[[:Category:Rb. Gelderland (Netherlands)|Rb. Gelderland (Netherlands)]]<br />
[[Category:Rb. Gelderland (Netherlands)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in the Netherlands|Netherlands]]<br />
[[Category:Netherlands]]<br />
|-<br />
|Relevant Law:||[[Article 2 GDPR#2c|Article 2(2)(c) GDPR]] <br />
[[Category:Article 2(2)(c) GDPR]]<br />
<br />
[[Article 8 GDPR#1|Article 8(1) GDPR]]<br />
[[Category:Article 8(1) GDPR]]<br />
|-<br />
|Decided:||13.5.2020<br />
[[Category:2020]]<br />
|-<br />
|Published:||13.5.2020<br />
|-<br />
|Parties:||n/a<br />
|-<br />
|National Case Number:||C/05/368427 / KG ZA 20-106<br />
|-<br />
|European Case Law Identifier:||<small>ECLI:NL:RBGEL:2020:2521</small><br />
|-<br />
|Appeal from:||n/a<br />
|-<br />
|Language:||Dutch<br />
[[Category:Dutch]]<br />
|-<br />
|Original Source:||[https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBGEL:2020:2521&showbutton=true&keyword=AVG de Rechtspraak (in NL)]<br />
|}<br />
<br />
The Court of First Instance of Gelderland decided that the processing of personal data (photos) of the plaintiff’s minor children by their grandmother is unlawful and should be based on the legal representative’s consent. The Court has ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. <br />
<br />
==English Summary==<br />
===Facts===<br />
A mother of three underage children (plaintiff) filed a claim in the Court to stop their grandmother (defendant) from posting the children’s photos on social media. The plaintiff argued that the defendant had not obtained consent from her or her ex-partner – the legal representatives of one of the children concerned.<br />
<br />
===Dispute===<br />
Despite several letters requesting the defendant to remove the photos from her Facebook page, the defendant did not comply with the request.<br />
The plaintiff’s child (child 1), whom the current proceedings concern, is under 16 years old. The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires their legal representative(s)’ consent.<br />
The plaintiff, as a legal representative, has not given permission to post photos of her children on social media. In the case of child 1, his father also did not grant permission to the defendant.<br />
<br />
===Holding===<br />
The Dutch GDPR Implementation Act (Uitvoeringswet Algemene Verordening gegevensbescherming) (“UAVG”) stipulates that the posting of photos of minors who have not yet reached the age of 16 requires the permission of their legal representative(s).<br />
<br />
The Court ruled that it was impossible to establish with certainty that the posting of photos on social media fell under the “household exemption” of Article 2(2)(c) GDPR. Therefore, such processing of the photos of the plaintiff’s children falls within the scope of the GDPR.<br />
<br />
Given the lack of consent, the Court ordered the defendant to remove the photo of child 1 from her Facebook page and the photo of the plaintiff and her children from her Pinterest account. In addition, the defendant is prohibited from posting photos of the plaintiff’s minor children on social media without permission.<br />
<br />
==Comment==<br />
''Share your comment here!''<br />
<br />
==Further Resources==<br />
* [https://blog.iusmentis.com/2020/05/19/oma-moet-van-rechter-fotos-kleinkinderen-van-social-media-verwijderen/ Oma moet van rechter foto’s kleinkinderen van social media verwijderen], where Arnoud Engelfriet explains that the court is wrong in stating that [https://wetten.overheid.nl/BWBR0040940/2020-01-01/#Hoofdstuk1_Artikel5 Article 5 UAVG] requires the permission of the legal representative(s) for publishing pictures of minors. Instead, it stipulates that, where permission is required, the legal representative(s) are the ones who have to give it. So if a legal basis from [[Article 6 GDPR]] other than consent is used, no permission is necessary.<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.<br />
<br />
<pre><br />
ECLI:NL:RBGEL:2020:2521<br />
<br />
Authority<br />
Court of Gelderland<br />
Date of pronunciation<br />
13-05-2020<br />
Date of publication<br />
Case number<br />
C/05/368427<br />
Jurisdictions<br />
Civil Justice<br />
Special features<br />
First instance - single<br />
Interim injunction<br />
By contradiction<br />
Content indication<br />
Post photos of underage children on social media. AVG. Personal and household activity? Permission from legal representatives.<br />
Places<br />
Rechtspraak.nl<br />
Enriched pronunciation <br />
Ruling<br />
judgment<br />
COURT OF GELDERLAND<br />
Team canton and commercial law<br />
Sitting Place Arnhem<br />
Case number / reel number: C/05/368427 / KG ZA 20-106<br />
Judgment in preliminary relief proceedings of 13 May 2020<br />
in the matter of<br />
[plaintiff]<br />
residing at [residence 1] ,<br />
plaintiff,<br />
attorney at law J.W.J. Hopmans in Groesbeek,<br />
by<br />
[defendant],<br />
residing at [residence 2] ,<br />
defendant,<br />
appeared in person.<br />
The parties will hereinafter be referred to as [plaintiff] and [defendant].<br />
1 The proceedings<br />
1.1.<br />
The course of the procedure is evidenced by<br />
-<br />
the indictment of 16 April 2020 with productions 1 to 6<br />
-<br />
the emails of 20 and 27 April 2020 of [defendant] with attachments<br />
-<br />
the email message of 29 April 2020 from [plaintiff] with a production<br />
-<br />
the [plaintiff's] pleadings submitted in connection with the Corona measures prior to the oral hearing<br />
-<br />
the oral hearing on the Corona measures held by telephone on 29 April 2020.<br />
1.2.<br />
Finally, a judgment has been rendered.<br />
2 The facts<br />
2.1.<br />
[plaintiff] is the daughter of [defendant]. Due to an argument, the parties have had no contact with each other for over a year now.<br />
2.2.<br />
[plaintiff] has three now minor children: [child 1], born on [date of birth], [child 2], born on [date of birth], and [child 3], born on [date of birth].<br />
[claimant] and her ex-partner [ex-partner] have joint parental authority over [child 1]. Over [child 2] and [child 3] [plaintiff] alone has parental authority.<br />
2.3.<br />
In the period from April 2012 to April 2019 [child 1] lived with his grandparents, [defendant] and her husband. After that he went to live with his father, [ex-partner], in [residence 3].<br />
2.4.<br />
[defendant] has (in the past) placed pictures of the children of [plaintiff] on her Facebook page.<br />
2.5.<br />
By letter of February 29, 2020, [plaintiff] wrote to [defendant], among other things, the following:<br />
(...) You have been asked several times via the police to [place] , to remove the pictures on your social media concerning my minor children. Since you do not comply with this request and I, as authoritative party, do not want my minor children to be shown on social media, please inform yourself once again to remove the photographs by this means. If you do not do this, I will take further steps. In addition, my lawyer has already indicated that for each day that you exhibit photos of my minor children without permission from the authority, there will be a penalty payment.<br />
So you have until Thursday 5 March to remove the photos from all your social media platforms. If you do not do this you will soon hear from my attorney.<br />
2.6.<br />
In a letter dated 18 March 2020, [plaintiff's] lawyer has again summoned [defendant] to remove all posted pictures of the children of [plaintiff] and not to post any pictures of the children on social media in the future.<br />
2.7.<br />
On 24 March 2020, [plaintiff] informed her lawyer of the following, among other things:<br />
The letter that you sent does not matter to Ms. [remark of interlocutory judge: [defendant] ]. This is evidenced by the fact that on Sunday she already put a new profile photo of my children on fb.<br />
I want madam to be dealt with by the court now...<br />
2.8.<br />
Through WhatsApp, [ex-partner] has confirmed to [plaintiff] that he too does not want pictures of [child 1] to be posted on Facebook.<br />
3 The dispute<br />
3.1.<br />
[Plaintiff] claims that the Court in preliminary relief proceedings, enforceable provisionally, will prohibit [defendant] from posting, showing or otherwise distributing photographs of the minor children of [plaintiff] on social media, as well as order [defendant] to immediately remove all photographs of [plaintiff's] children already placed by her on social media, all this on forfeiture of a penalty of € 250.00 for each day or part of a day that [defendant] fails to do so as of service of the judgment to be given in this case, with an order that [defendant] pay the costs of the proceedings.<br />
3.2.<br />
[plaintiff] bases her claims on the fact that [defendant] is acting unlawfully, or in violation of the Dutch Data Protection Act or the General Data Protection Regulation (AVG), by placing photographs of the minor children of [plaintiff] on social media without her permission. Because of the privacy of the children and in order to protect them, [plaintiff] does not want pictures of the children to be posted on social media. Publishing photographs of the children on social media seriously infringes the privacy of her children, according to [plaintiff].<br />
3.3.<br />
[defendant] responds. She acknowledges that in the past she posted photos of her grandchildren on her Facebook page. However, she argues that she respects the privacy of her grandchildren and that in the meantime she has removed all photos from Facebook, except for a photo of [child 1]. She asks the Court in preliminary relief proceedings whether she may leave only this photo on her Facebook page, now that she has a special relationship with [child 1] because she has taken care of him for a longer period of time.<br />
3.4.<br />
In so far as relevant, the arguments of the parties will be discussed in more detail below.<br />
4 The assessment<br />
4.1.<br />
The urgent interest in the requested provisions stems sufficiently from [plaintiff's] assertions.<br />
4.2.<br />
It follows from the statements of [defendant], which are not, or at least insufficiently, disputed, that at this moment there is only a photo of [child 1] on [defendant's] Facebook page. During the oral hearing by telephone, however, it came up that [defendant] also has a photo of [plaintiff] and her children on Pinterest, which [plaintiff] wishes to have removed as well. [Defendant] has remarked about the photo on Pinterest that there may still be a photo there, but that she has not used Pinterest for years.<br />
Therefore, the Court in preliminary relief proceedings considered it to be insufficiently disputed that at this moment only a photo of [child 1] is still on [defendant's] Facebook page and a photo of [plaintiff] and the children on [defendant's] account with Pinterest.<br />
4.3.<br />
The question is whether [defendant] is obliged to remove the pictures of the children of [plaintiff] from social media, including Facebook and Pinterest. The Court in preliminary relief proceedings considered the following.<br />
4.4.<br />
It has not been stated or proven that [plaintiff] or [defendant] is the maker of the photo of [child 1] on Facebook or the photo of [plaintiff] and her children on Pinterest. This means that in the scope of these interlocutory proceedings it must be assumed that the provisions of the Copyright Act do not apply to the present dispute.<br />
4.5.<br />
The General Data Protection Regulation (hereinafter: AVG) protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. However, this Regulation does not apply to the processing of personal data by a natural person in the exercise of a purely personal or household activity. Although it cannot be excluded that the placing of a photo on a personal Facebook page falls under a purely personal or household activity, in the preliminary opinion of the Court in preliminary relief proceedings, it has not been sufficiently established how [defendant] set up or protected her Facebook account or her Pinterest account. It is also unclear whether the photographs can be found through a search engine such as Google. In addition, with Facebook it cannot be ruled out that placed photos may be distributed and may end up in the hands of third parties. In view of these circumstances it has not appeared in the scope of these preliminary relief proceedings that there is a purely personal or domestic activity of [defendant]. This means that the provisions of the General Data Protection Regulation (AVG) and the General Data Protection Implementation Act (hereinafter: UAVG) apply to the present dispute.<br />
4.6.<br />
The UAVG stipulates that the permission of their legal representative(s) is required for the posting of photographs of minors who have not yet reached the age of 16. It has been established that the minor children of [plaintiff] are under the age of 16 and that [plaintiff], as legal representative, has not given permission to [defendant] to post photographs of her children on social media. In the case of [child 1], his father did not give [defendant] permission either. In view of this the Court in preliminary relief proceedings will order [defendant] to remove the photo of [child 1] on Facebook and the photo of [plaintiff] and her children on Pinterest. In addition, [defendant] will be prohibited from posting pictures of the minor children of [plaintiff] on social media without permission (as referred to in the AVG and UAVG). The emotional importance of [defendant] to be allowed to place photographs on social media cannot lead to a different judgment in this respect.<br />
4.7.<br />
The amount of the periodic penalty payment claimed will be moderated and capped as stated below. For the term within which the already placed photographs on social media have to be removed, the Court in preliminary relief proceedings will take into account that [defendant] has declared not to use Pinterest anymore and that therefore more time may be needed to remove the photograph.<br />
4.8.<br />
In view of the family relationship between the parties, the litigation costs between the parties will be compensated, in the sense that each party will bear its own costs.<br />
5 The decision<br />
The judge in preliminary relief proceedings<br />
5.1.<br />
condemns [defendant] to remove (or have removed) the photo of [child 1] on her Facebook account and the photo of [plaintiff] and her children on her Pinterest account within ten days after service of this judgment,<br />
5.2.<br />
condemns [defendant] to pay to [plaintiff] a penalty payment of € 50.00 for each day she fails to comply with the main order given in 5.1, up to a maximum of € 1,000.00,<br />
5.3.<br />
prohibits [defendant] from posting, displaying or otherwise distributing photographs of [plaintiff's] minor children on social media,<br />
5.4.<br />
condemns [defendant] to pay to [plaintiff] a penalty of € 50.00 for each day she violates the prohibition mentioned under 5.3. after the service of this judgment, up to a maximum of € 1,000.00,<br />
5.5.<br />
declares this judgment provisionally enforceable,<br />
5.6.<br />
Compensates for the costs of these proceedings between the parties, in the sense that each party bears its own costs,<br />
5.7.<br />
Rejects the more or otherwise advanced.<br />
This judgment has been handed down by Mr. S.J. Peerdeman and publicly pronounced and signed by Mr. K. van Vlimmeren-van Ommen on 13 May 2020.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DS.523.1470.2020&diff=10083
UODO (Poland) - DS.523.1470.2020
2020-04-30T10:51:50Z
<p>AK: </p>
<hr />
<div>[[Category:Article 4(1) GDPR]]<br />
[[Category:2019]]<br />
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |UODO - DS.523.1470.2020<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:UODO.jpg|alt=|center|180x180px]]<br />
|-<br />
|Authority:||[[UODO (Poland)]]<br />
[[Category:UODO (Poland)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in Poland|Poland]]<br />
[[Category: Poland]]<br />
|-<br />
|Relevant Law:||[[Article 6(1)(c) GDPR|Article 6(1)(c)]] <br />
[[Category:Article 14 GDPR]]<br />
[[Article 6(1)(c) GDPR|GDPR]]<br />
<br />
|-<br />
|Type:||n/a<br />
|-<br />
|Outcome:||Discontinuance of proceedings<br />
|-<br />
|Decided:||6.4.2020<br />
|-<br />
|Published:||15.4.2020<br />
|-<br />
|Fine:||n/a<br />
|-<br />
|Parties:||Ombudsman<br />
|-<br />
|National Case Number:||DS.523.1470.2020<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||Polish<br />
[[Category:Polish]]<br />
|-<br />
|Original Source:||[https://uodo.gov.pl/pl/138/1493 UODO (PL)]<br />
|}<br />
<br />
The President of the Personal Data Protection Office in Poland (PUODO) decided to discontinue the proceedings concerning the processing of data in connection with the requirement for Polish judges and prosecutors to submit declarations about their membership in associations. The PUODO clarified that the obligation to submit the above mentioned statements clearly results from the provisions of national law and thus falls under one of the legal grounds in [[Article 6(1)(c) GDPR]]. The PUODO also stated that he cannot decide on the constitutionality of such an obligation, as this is a competence of the Constitutional Tribunal. The Ombudsman has the right to submit motions on the compliance of acts with the Polish Constitution to the Constitutional Tribunal.<br />
<br />
==English Summary==<br />
===Facts===<br />
The UODO clarified that the obligation for judges and prosecutors to submit declarations about their membership in associations, and to publish them in the Bulletin of Public Information is unequivocally stipulated by law. Therefore, the processing of personal data of the above mentioned persons does not violate the law on personal data protection. <br />
<br />
The proceedings were initiated ''ex officio'' after the Ombudsman submitted a letter to the President of the UODO on 9 March 2020. The Ombudsman indicated that the requirement to publish such statements in the Bulletin of Public Information imposes a limitation on the privacy of judges and prosecutors.<br />
<br />
===Dispute===<br />
When examining the case of processing of data that judges and prosecutors submit concerning their membership in associations, the President of UODO took into account the current jurisprudence of the Voivodeship Administrative Court, according to which if the processing of personal data is based on the national law, it is in compliance with the provisions on personal data protection and there are no grounds for the President of UODO to exercise the corrective powers provided for in Article 58(2) GDPR. <br />
<br />
The proceedings revealed that the obligation to submit statements by judges and prosecutors results from the amendment of the Law on the Common Court System, the Act on the Supreme Court and certain other legal acts. Processing of personal data of judges and prosecutors is therefore the result of the above mentioned persons fulfilling the obligation clearly defined in the law. The processing is thus based on Article 6(1)(c) GDPR, according to which the processing of personal data is allowed if it is necessary to fulfill a legal obligation imposed on the controller. Therefore, in the present proceedings, the President of the UODO did not find any grounds to declare a breach of the provisions on personal data protection. <br />
<br />
===Holding===<br />
<br />
In the context of the above, the President of the UODO did not identify any grounds to order the restriction of processing pursuant to Article 70(1) of the Polish Act on the Protection of Personal Data. As it has been pointed out, the obligation to submit the above mentioned statements by judges and prosecutors and to make them public in the Bulletin of Public Information clearly results from the provisions of national law. Thus, it is difficult to state that further processing of such data may cause serious effects if it is carried out in compliance with generally applicable law. <br />
<br />
The President of UODO, in his justification of the decision, also referred to the Ombudsman's argument alleging the unconstitutionality of the provision which obliges judges and prosecutors to disclose information which may reveal their world views, religious beliefs, or sexuality. The President of UODO declared that he lacks the competence to resolve this issue. He pointed out that the Constitutional Tribunal is competent to assess the constitutionality of the provisions, and that the Ombudsman has the right to refer a matter to it. The Ombudsman has the right to submit motions on the compliance of acts with the Constitution to the Constitutional Tribunal. It should be stressed that, unlike the Ombudsman, the President of UODO does not have the competence to submit such motions to the Constitutional Tribunal.<br />
<br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
<br />
Full decision in Polish is available [https://uodo.gov.pl/pl/file/2833 here]. <br />
<br />
==English Translation of the Decision==<br />
<br />
Below you can find the English translation of the decision (see PDF for Original) <br />
<br />
<pre><br />
The obligation for judges and prosecutors to submit declarations of membership in the association, including in the association, and to publish them in the Public Information Bulletin is unequivocally stipulated by law. Therefore, processing of personal data of the above mentioned persons does not violate the regulations on personal data protection.<br />
<br />
The President of the Office for the Protection of Personal Data has discontinued the proceedings concerning data processing in connection with the requirement for judges and prosecutors to submit declarations on membership in the association, including in the association. This proceeding was initiated ex officio after the Ombudsman applied for it in a letter to the President of the Office for the Protection of Personal Data of 9 March 2020. The RPO indicated that such a requirement and the publication of these statements in the Public Information Bulletin limit the privacy of judges and prosecutors.<br />
<br />
The proceedings showed that the obligation to submit statements by judges and prosecutors results from the amendment of the Acts - the Law on the Common Court System, the Act on the Supreme Court and certain other acts. Processing of personal data of judges and prosecutors is therefore the result of the above mentioned persons fulfilling the obligation clearly defined in the law. The processing is thus based on Article 6(1)(c) of the GCU, according to which the processing of personal data is allowed if it is necessary to fulfil a legal obligation imposed on the controller. Therefore, in the present proceedings, the President of the PPA did not have any grounds to declare a breach of the provisions on personal data protection.<br />
<br />
When examining the case of processing the data of judges and prosecutors submitting declarations of membership in the Association, including the Association, the President of PDPO also took into account the current jurisprudence of the WSA, according to which if the processing of personal data is based on the national law, it is thus in compliance with the provisions on personal data protection and there are no grounds for the President of PDPO to exercise the corrective powers provided for in Art. 58 par. 2 of the GDC.<br />
<br />
In the context of the above, there were also no grounds to issue a security decision pursuant to Article 70, paragraph 1 of the Act on the protection of personal data, as - as it has been pointed out - the obligation to submit the above mentioned statements by judges and prosecutors and to make them public in the Public Information Bulletin clearly results from the provisions of law. Thus, it is difficult to say that further processing of such data may cause serious and difficult to remove effects if it is carried out in compliance with generally applicable provisions of law.<br />
<br />
The President of UODO, in his justification of the decision, also referred to the RPO's allegation that the provision obliging judges and prosecutors to make statements, which the RPO challenges, is unconstitutional. The President of UODO is not competent to resolve this issue. The Constitutional Tribunal is competent to assess the constitutionality of the provisions, to which the RPO has the right to refer the matter. The RPO has the right to submit motions to the Constitutional Tribunal on the compliance of acts with the Constitution. It should be stressed that, contrary to the RPO, the President of UODO does not have the competence to submit the above mentioned motions to the Constitutional Tribunal.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DS.523.1470.2020&diff=10047
UODO (Poland) - DS.523.1470.2020
2020-04-28T16:26:24Z
<p>AK: /* English Translation of the Decision */</p>
<hr />
<div>[[Category:Article 4(1) GDPR]]<br />
[[Category:2019]]<br />
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |UODO - DS.523.1470.2020<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:UODO.jpg|alt=|center|180x180px]]<br />
|-<br />
|Authority:||[[UODO (Poland)]]<br />
[[Category:UODO (Poland)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in Poland|Poland]]<br />
[[Category: Poland]]<br />
|-<br />
|Relevant Law:||[[Article 6(1)(c) GDPR|Article 6(1)(c)]] <br />
[[Category:Article 14 GDPR]]<br />
[[Article 6(1)(c) GDPR|GDPR]]<br />
<br />
|-<br />
|Type:||n/a<br />
|-<br />
|Outcome:||Discontinuance of proceedings<br />
|-<br />
|Decided:||6.4.2020<br />
|-<br />
|Published:||15.4.2020<br />
|-<br />
|Fine:||n/a<br />
|-<br />
|Parties:||Ombudsman<br />
|-<br />
|National Case Number:||DS.523.1470.2020<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||Polish<br />
[[Category:Polish]]<br />
|-<br />
|Original Source:||[https://uodo.gov.pl/pl/138/1493 UODO (PL)]<br />
|}<br />
<br />
The President of the Personal Data Protection Office in Poland (UODO) decided to discontinue the proceedings concerning the processing of data in connection with the requirement for Polish judges and prosecutors to submit declarations about their membership in associations. He clarified that the obligation to submit the above mentioned statements clearly results from the provisions of national law and thus falls under one of the legal grounds in [[Article 6(1)(c) GDPR]]. The President of the UODO stated that he cannot decide on the constitutionality of such an obligation, as this is a competence of the Constitutional Tribunal. The Ombudsman has the right to submit motions on the compliance of acts with the Polish Constitution to the Constitutional Tribunal.<br />
<br />
==English Summary==<br />
===Facts===<br />
The UODO clarified that the obligation for judges and prosecutors to submit declarations about their membership in associations, and to publish them in the Bulletin of Public Information is unequivocally stipulated by law. Therefore, the processing of personal data of the above mentioned persons does not violate the law on personal data protection. <br />
<br />
The proceedings were initiated ''ex officio'' after the Ombudsman submitted a letter to the President of the UODO on 9 March 2020. The Ombudsman indicated that the requirement to publish such statements in the Bulletin of Public Information imposes a limitation on the privacy of judges and prosecutors.<br />
<br />
===Dispute===<br />
When examining the case of processing of data that judges and prosecutors submit concerning their membership in associations, the President of UODO took into account the current jurisprudence of the Voivodeship Administrative Court, according to which if the processing of personal data is based on the national law, it is in compliance with the provisions on personal data protection and there are no grounds for the President of UODO to exercise the corrective powers provided for in Article 58(2) GDPR. <br />
<br />
The proceedings revealed that the obligation to submit statements by judges and prosecutors results from the amendment of the Law on the Common Court System, the Act on the Supreme Court and certain other legal acts. Processing of personal data of judges and prosecutors is therefore the result of the above mentioned persons fulfilling the obligation clearly defined in the law. The processing is thus based on Article 6(1)(c) GDPR, according to which the processing of personal data is allowed if it is necessary to fulfill a legal obligation imposed on the controller. Therefore, in the present proceedings, the President of the UODO did not find any grounds to declare a breach of the provisions on personal data protection. <br />
<br />
===Holding===<br />
<br />
In the context of the above, the President of the UODO did not identify any grounds to order the restriction of processing pursuant to Article 70(1) of the Polish Act on the Protection of Personal Data. As it has been pointed out, the obligation to submit the above mentioned statements by judges and prosecutors and to make them public in the Bulletin of Public Information clearly results from the provisions of national law. Thus, it is difficult to state that further processing of such data may cause serious effects if it is carried out in compliance with generally applicable law. <br />
<br />
The President of UODO, in his justification of the decision, also referred to the Ombudsman's argument alleging the unconstitutionality of the provision which obliges judges and prosecutors to disclose information which may reveal their world views, religious beliefs, or sexuality. The President of UODO declared that he lacks the competence to resolve this issue. He pointed out that the Constitutional Tribunal is competent to assess the constitutionality of the provisions, and that the Ombudsman has the right to refer a matter to it. The Ombudsman has the right to submit motions on the compliance of acts with the Constitution to the Constitutional Tribunal. It should be stressed that, unlike the Ombudsman, the President of UODO does not have the competence to submit such motions to the Constitutional Tribunal.<br />
<br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
<br />
Full decision in Polish is available [https://uodo.gov.pl/pl/file/2833 here]. <br />
<br />
==English Translation of the Decision==<br />
<br />
Below you can find the English translation of the decision (see PDF for Original) <br />
<br />
<pre><br />
The obligation for judges and prosecutors to submit declarations of membership in the association, including in the association, and to publish them in the Public Information Bulletin is unequivocally stipulated by law. Therefore, processing of personal data of the above mentioned persons does not violate the regulations on personal data protection.<br />
<br />
The President of the Office for the Protection of Personal Data has discontinued the proceedings concerning data processing in connection with the requirement for judges and prosecutors to submit declarations on membership in the association, including in the association. This proceeding was initiated ex officio after the Ombudsman applied for it in a letter to the President of the Office for the Protection of Personal Data of 9 March 2020. The RPO indicated that such a requirement and the publication of these statements in the Public Information Bulletin limit the privacy of judges and prosecutors.<br />
<br />
The proceedings showed that the obligation to submit statements by judges and prosecutors results from the amendment of the Acts - the Law on the Common Court System, the Act on the Supreme Court and certain other acts. Processing of personal data of judges and prosecutors is therefore the result of the above mentioned persons fulfilling the obligation clearly defined in the law. The processing is thus based on Article 6(1)(c) of the GCU, according to which the processing of personal data is allowed if it is necessary to fulfil a legal obligation imposed on the controller. Therefore, in the present proceedings, the President of the PPA did not have any grounds to declare a breach of the provisions on personal data protection.<br />
<br />
When examining the case of processing the data of judges and prosecutors submitting declarations of membership in the Association, including the Association, the President of PDPO also took into account the current jurisprudence of the WSA, according to which if the processing of personal data is based on the national law, it is thus in compliance with the provisions on personal data protection and there are no grounds for the President of PDPO to exercise the corrective powers provided for in Art. 58 par. 2 of the GDC.<br />
<br />
In the context of the above, there were also no grounds to issue a security decision pursuant to Article 70, paragraph 1 of the Act on the protection of personal data, as - as it has been pointed out - the obligation to submit the above mentioned statements by judges and prosecutors and to make them public in the Public Information Bulletin clearly results from the provisions of law. Thus, it is difficult to say that further processing of such data may cause serious and difficult to remove effects if it is carried out in compliance with generally applicable provisions of law.<br />
<br />
The President of UODO, in his justification of the decision, also referred to the RPO's allegation that the provision obliging judges and prosecutors to make statements, which the RPO challenges, is unconstitutional. The President of UODO is not competent to resolve this issue. The Constitutional Tribunal is competent to assess the constitutionality of the provisions, to which the RPO has the right to refer the matter. The RPO has the right to submit motions to the Constitutional Tribunal on the compliance of acts with the Constitution. It should be stressed that, contrary to the RPO, the President of UODO does not have the competence to submit the above mentioned motions to the Constitutional Tribunal.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DS.523.1470.2020&diff=10046
UODO (Poland) - DS.523.1470.2020
2020-04-28T16:24:37Z
<p>AK: </p>
<hr />
<div>[[Category:Article 4(1) GDPR]]<br />
[[Category:2019]]<br />
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |UODO - DS.523.1470.2020<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:UODO.jpg|alt=|center|180x180px]]<br />
|-<br />
|Authority:||[[UODO (Poland)]]<br />
[[Category:UODO (Poland)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in Poland|Poland]]<br />
[[Category: Poland]]<br />
|-<br />
|Relevant Law:||[[Article 6(1)(c) GDPR|Article 6(1)(c)]] <br />
[[Category:Article 14 GDPR]]<br />
[[Article 6(1)(c) GDPR|GDPR]]<br />
<br />
|-<br />
|Type:||n/a<br />
|-<br />
|Outcome:||Discontinuance of proceedings <br />
|-<br />
|Decided:||6.4.2020<br />
|-<br />
|Published:||15.4.2020<br />
|-<br />
|Fine:||n/a<br />
|-<br />
|Parties:||Ombudsman<br />
|-<br />
|National Case Number:||DS.523.1470.2020<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||Polish<br />
[[Category:Polish]]<br />
|-<br />
|Original Source:||[https://uodo.gov.pl/pl/138/1493 UODO (PL)]<br />
|}<br />
<br />
The President of the Personal Data Protection Office in Poland (UODO) decided to discontinue the proceedings concerning the processing of data in connection with the requirement for Polish judges and prosecutors to submit declarations about their membership in associations. He clarified that the obligation to submit the above mentioned statements clearly results from the provisions of national law and thus falls under one of the legal grounds in [[Article 6(1)(c) GDPR]]. The President of the UODO stated that he cannot decide on the constitutionality of such an obligation, as this is a competence of the Constitutional Tribunal. The Ombudsman has the right to submit motions on the compliance of acts with the Polish Constitution to the Constitutional Tribunal.<br />
<br />
==English Summary==<br />
===Facts===<br />
The UODO clarified that the obligation for judges and prosecutors to submit declarations about their membership in associations, and to publish them in the Bulletin of Public Information is unequivocally stipulated by law. Therefore, the processing of personal data of the above mentioned persons does not violate the law on personal data protection. <br />
<br />
The proceedings were initiated ''ex officio'' after the Ombudsman submitted a letter to the President of the UODO on 9 March 2020. The Ombudsman indicated that the requirement to publish such statements in the Bulletin of Public Information imposes a limitation on the privacy of judges and prosecutors.<br />
<br />
===Dispute===<br />
When examining the case of processing of data that judges and prosecutors submit concerning their membership in associations, the President of UODO took into account the current jurisprudence of the Voivodeship Administrative Court, according to which if the processing of personal data is based on the national law, it is in compliance with the provisions on personal data protection and there are no grounds for the President of UODO to exercise the corrective powers provided for in Article 58(2) GDPR. <br />
<br />
The proceedings revealed that the obligation to submit statements by judges and prosecutors results from the amendment of the Law on the Common Court System, the Act on the Supreme Court and certain other legal acts. Processing of personal data of judges and prosecutors is therefore the result of the above mentioned persons fulfilling the obligation clearly defined in the law. The processing is thus based on Article 6(1)(c) GDPR, according to which the processing of personal data is allowed if it is necessary to fulfill a legal obligation imposed on the controller. Therefore, in the present proceedings, the President of the UODO did not find any grounds to declare a breach of the provisions on personal data protection. <br />
<br />
===Holding===<br />
<br />
In the context of the above, the President of the UODO did not identify any grounds to order the restriction of processing pursuant to Article 70(1) of the Polish Act on the Protection of Personal Data. As it has been pointed out, the obligation to submit the above mentioned statements by judges and prosecutors and to make them public in the Bulletin of Public Information clearly results from the provisions of national law. Thus, it is difficult to state that further processing of such data may cause serious effects if it is carried out in compliance with generally applicable law. <br />
<br />
The President of UODO, in his justification of the decision, also referred to the Ombudsman's argument alleging the unconstitutionality of the provision which obliges judges and prosecutors to disclose information which may reveal their world views, religious beliefs, or sexuality. The President of UODO declared that he lacks the competence to resolve this issue. He pointed out that the Constitutional Tribunal is competent to assess the constitutionality of the provisions, and that the Ombudsman has the right to refer a matter to it. The Ombudsman has the right to submit motions on the compliance of acts with the Constitution to the Constitutional Tribunal. It should be stressed that, unlike the Ombudsman, the President of UODO does not have the competence to submit such motions to the Constitutional Tribunal.<br />
<br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
<br />
UODO's press release [https://uodo.gov.pl/en/553/1119 here] (in EN). <br />
<br />
''Share blogs or news articles here!''<br />
<br />
==English Translation of the Decision==<br />
<br />
Below you can find the English translation of the decision (see PDF for Original) <br />
<br />
<pre><br />
DECISION<br />
CP.421.19.2019<br />
<br />
Pursuant to Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7(1) and (2), Article 60, Article 101, Article 103 of the Act on the Protection of Personal Data of 10 May 2018 (Journal of Laws of 2019, item 1781) in connection with Article 31, Article 58(1)(e) and (f) in connection with Article 83(1-3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended), following an ex officio procedure initiated in the case of Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, 29 lok. 9, the President of the Office for Personal Data Protection, stating that Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, infringed the provisions of Article 31 and Article 58(1)(e) and (f) of the General Data Protection Regulation by not providing access to personal data and other information and premises, resulting in preventing the President of the Office for Personal Data Protection from carrying out control activities necessary for the performance of his tasks,<br />
<br />
imposes on Vis Consulting Sp. z o.o. in liquidation, seated in Katowice at 29 Zygmunta Krasińskiego Street 9, a fine of PLN 20,000 (say: twenty thousand zlotys), which is equivalent to EUR 4,673.56, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as at 28 January 2020.<br />
Justification <br />
<br />
Based on Article 58(1)(b), (e) and (f) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1 and OJ EU L 127, 23.05.2018, p. 2), hereinafter referred to as the Regulation 2016/679, the President of the Office of Personal Data Protection has planned to carry out in Vis Consulting Sp. z o.o. with its registered office in Katowice at Zygmunta Krasińskiego 29 lok. 9 (hereinafter also referred to as the "Company") an inspection of compliance of data processing with the regulations on personal data protection. The audit was to be conducted from 29 July 2019 to 2 August 2019.<br />
<br />
By letter of [...] July 2019 (mark: [...]) Urząd Ochrony Danych Osobowych via Poczta Polska notified the Company of the date and scope of the planned inspection. The letter was delivered on [...] July 2019 to the registered office of Vis Consulting Sp. z o.o. (Katowice, ul. Zygmunta Krasińskiego 29, 9), indicated in the National Court Register. <br />
<br />
On [...] July 2019, in order to carry out control activities (ZSPR.421.19.2019), the controlling persons went to the place indicated in the National Court Register as the address of the Company, but the persons representing the Company were not there. It turned out that this address is the Office of [...] (hereinafter referred to as the "Office") run by [...]. As agreed, the Company sub-leases the commercial premises located in Katowice at 29 Zygmunta Krasińskiego Street, 9, for the so-called 'virtual office'. Only an employee of the Office was found in the premises in question. After the purpose of the inspectors' visit was explained to this person, the employee of the Office, after checking the content of the electronic mail in order to determine whether any message was received from the Company in this respect, informed that a letter dated [...] July 2019 was received from the Company signed by Mr. Paweł Kępka - President of the Board. From the content of the letter, it resulted that the Company terminates the lease agreement for premises no. 9 located in Katowice at 29 Zygmunta Krasińskiego Street and that as of [...] July 2019, this entity will not operate at the above mentioned address. A copy of the aforementioned letter was forwarded to the inspectors.<br />
<br />
Moreover, an employee of the Office informed the inspectors that after receiving the letter of [...] July 2019 from the Office of Personal Data Protection, regarding the notification of the planned control in the Company, the content of the letter in question in the form of a scan was transferred to the Company. In order to document the above mentioned findings, on [...] July 2019, the inspectors made an official note.<br />
<br />
In connection with the situation, the inspectors asked the employee of the Office to contact the Company in order to determine whether the inspection activities could be carried out. However, it was not possible to establish contact with the Company. Therefore, the inspector asked for the Company's telephone number. An employee of the Office stated that it is only upon written request of the President of the Office for Personal Data Protection that he can provide information on this entity (including the telephone number). The Controllers left a telephone number for contact. On the same day, at approximately 2:00 p.m., a man who introduced himself as an "attorney [...]" called the Controller and said he was contacting on behalf of the Company, but did not know if the control could be carried out. In the course of the conversation, the above mentioned person agreed that he would try to determine whether the inspection can take place by [...] July 2019.<br />
<br />
At the same time, on July [...], 2019, the President of the Office for Personal Data Protection sent a request to the e-mail address of the Office to provide a copy of the lease agreement for the premises in question and to provide contact information to the Company.<br />
<br />
On [...] July 2019 the Controllers went again to the Company's address, but also on that day the persons representing the Company were not present. Therefore, no control activities took place. An employee of the Office provided the inspectors with a copy of the sublease agreement for the premises in question. At 11.00 a.m., a person representing himself as "advocate [...]" called the inspectors and informed them that the inspection would not take place.<br />
<br />
In this connection, by letter dated [...] August 2019 (mark: [...]), the President of the Office for the Protection of Personal Data initiated ex officio administrative proceedings to impose an administrative fine in connection with the impossibility of carrying out an inspection in the scope of the Company's compliance with the provisions on personal data protection. The above mentioned correspondence was returned with the note "out of date address".<br />
<br />
Based on the financial statements for the period from 1 January 2018 to 31 December 2018 (available on the website of the Ministry of Justice at the address: ekrs.ms.gov.pl), it was established that in the aforementioned period, the Company's net revenue from sales and equalised with them amounted to PLN 426 261.14.<br />
<br />
After reviewing all the evidence gathered in the case the President of the Office for Personal Data Protection weighed the following:<br />
<br />
According to the information contained in the National Court Register, on July 30, 2019, a resolution was passed to dissolve the Company and put it into liquidation. On 23 August 2019, the District Court in Katowice - Wschód, 8th Commercial Division made an entry in the National Court Register on placing the Company in liquidation. Since then, the Company has been operating under the name of Vis Consulting Sp. z o.o. in liquidation.<br />
<br />
Pursuant to Article 57(1)(a) of Regulation 2016/679, each supervisory authority on its territory shall monitor and enforce the application of Regulation 2016/679. In addition, pursuant to Article 58(1)(e) and (f) of Regulation 2016/679, the supervisory authority shall be entitled to access all the premises of the controller and the processor, including the equipment and means of data processing, in accordance with the procedures laid down in EU or Member State law. It should be noted that in accordance with Article 58(6) of Regulation 2016/679, each Member State may provide in its legislation that its supervisory authority has, in addition to the powers laid down in paragraphs 1, 2 and 3, also other powers. As provided for in Article 31 of Regulation 2016/679, the controller and processor and, where applicable, their representatives, shall cooperate with the supervisory authority upon request in the performance of its tasks.<br />
<br />
Pursuant to Article 78 paragraph 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "the Act", the President of the Office for the Protection of Personal Data shall carry out the control of compliance with the provisions on personal data protection. Pursuant to Art. 79 sec. 1 point 1 of the Act, the control is carried out by an employee of the Office authorised by the President of the Office.<br />
<br />
As stipulated in Art. 84 sec. 1 of the Act, the inspector has the right to: a) enter the land and buildings, premises or other premises between 6.00 and 22.00 hours; b) inspect documents and information directly related to the subject matter of the inspection; c) inspect places, objects, devices, carriers and IT or ICT systems used for data processing; d) demand written or oral explanations and question a person as a witness to the extent necessary to establish the facts; e) have expert opinions and opinions drawn up.<br />
<br />
The fact that the President of the Office for Personal Data Protection has planned to carry out an inspection in the Company in connection with the findings made during the inspection carried out in V. Sp. z o.o. sp. k. with its registered office in [...] is of significant importance in this case. In the course of the audit conducted in the above mentioned entity, it was established that it conducts telemarketing activities. In connection with this activity it processes personal data (landline and mobile phone numbers) by means of an ICT system provided by the Company. The system in question is used on the basis of a cooperation agreement on the outsourcing of telemarketing services. The agreement was concluded with the Company on [...] February 2017. An important issue is that V. Sp. z o.o. sp. k. does not have its own database, and all telephone connections are generated only by the IT system made available by the Company.<br />
<br />
The content of the aforementioned agreement shows, among other things, that the Company has a technical solution - an ICT system in the form of a computer program, the use of which allows for making telephone calls to fixed and mobile phone numbers according to the location criterion. Moreover, in this agreement it is also indicated that the functionality of the system in question prevents V. Sp. z o.o. sp. k. from accessing any information, including the dialed telephone number. Moreover, in this agreement, the Company declares that in case of using any personal data for the purpose of performing the above-mentioned agreement, it will administer "the above-mentioned data in accordance with the applicable provisions of Polish law". In § 3 point 2 of the aforementioned agreement there is a provision with the following content: "VIS declares that in case of any claims by third parties against V. [...] related to the functionality of the SYSTEM [...], releases V. from this liability to the extent permitted by the applicable law and undertakes to cover all costs related to the protection of V. against such claims".<br />
<br />
Due to the fact that V. Sp. z o.o. sp. k. does not have access to personal data processed in this system (i.e. to information about telephone numbers dialled), the President of the Office for Personal Data Protection considered it necessary to carry out control activities also in the Company (i.e. in the entity which, on the basis of the established agreement, is considered to be the data controller). The aim of the inspection was to examine the legality of personal data processing using the system in question.<br />
<br />
The fact that it was impossible to carry out the inspection in the Company made it significantly more difficult for the President of the Office for Personal Data Protection to examine the process of personal data processing by V. Sp. z o.o. sp. k.<br />
<br />
The evidence gathered in the case indicates that the actions taken by the persons representing the Company definitely prove the lack of cooperation with the President of the Office for Personal Data Protection.<br />
<br />
To confirm the above position, the following circumstances should be recalled:<br />
<br />
1) after receiving information about the planned control of the President of the Office for Personal Data Protection (letter of [...] July 2019), on [...] July 2019 (two days before the commencement of the planned control), the Company sent a motion to the lessor to terminate the lease agreement for the premises located in Katowice at 29 Zygmunta Krasińskiego Street (address of the Company indicated in the National Court Register);<br />
<br />
2) on both [...] July 2019 and [...] July 2019 the Company thwarted the control activities, as no person authorised to represent the Company in the course of the control was found at the Company's address;<br />
<br />
3) On 30 July 2019, a resolution was adopted on dissolution of the Company and commencement of liquidation proceedings (this information is contained in the National Court Register).<br />
<br />
To sum up, it should be stated that the Company's activities referred to above undoubtedly prove that it does not fulfil its obligations related to the processing of personal data or at least intentionally avoids submitting to the control of the supervisory authority which is the President of the Office for Personal Data Protection. Thus, it should be considered that by preventing the President of the Office for the Protection of Personal Data from carrying out the inspection, the Company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679. It should be pointed out that in accordance with Article 31 of Regulation 2016/679, the controller and the processor and, where applicable, their representatives shall cooperate with the supervisory authority upon request in the performance of its tasks. The obligation to cooperate includes ensuring that the supervisory authority is able to obtain from the controller (and the processor) access to all personal data and all information necessary for the performance of its tasks (Article 58(1)(e) of Regulation 2016/679), to obtain access to any premises of the controller and the processor, including the processing equipment and means in accordance with the procedures laid down in Union or Member State law (Article 58(1)(f) of Regulation 2016/679). This obligation for the controller to cooperate is in fact correlated with the tasks of the supervisory authority as formulated in Article 57 of Regulation 2016/679 and the powers stemming from Article 58 of Regulation 2016/679.<br />
<br />
The President of the Office for the Protection of Personal Data, acting on the basis of Article 108 par. 1 of the Act on the Protection of Personal Data, notified the District Prosecutor's Office in [...] of a suspicion of committing an offence consisting in thwarting control activities by the Company. On [...] January 2020, the Office for Personal Data Protection received a notification (file ref. [...]) from the District Prosecutor's Office [...] [...] of sending a bill of indictment against [...] [...] [...], accused of committing an offence under Article 108 of the Act on Personal Data Protection.<br />
<br />
Moreover, in view of the above findings, the President of the Office for the Protection of Personal Data, exercising his powers under Article 83 of the Regulation 2016/679, states that in the case under consideration, there are prerequisites for imposing an administrative fine on the Company.<br />
<br />
Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case.<br />
<br />
In accordance with Article 83 of Regulation 2016/679 - laying down general conditions for the imposition of administrative fines - each supervisory authority shall ensure that the administrative fines referred to in paragraphs 4, 5 and 6 of this Article are effective, proportionate and dissuasive in each individual case (paragraph 1). In accordance with Article 83(2)(b) of Regulation 2016/679, the authority shall pay due attention to the intentional or unintentional nature of the breach in each individual case when deciding whether to impose an administrative pecuniary sanction and when setting the amount of the administrative sanction.<br />
<br />
Pursuant to Article 83(2)(k) of Regulation 2016/679, the authority shall, in determining whether to impose an administrative penalty payment and in fixing the amount of the administrative penalty payment, pay due attention in each individual case to any other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided, whether directly or indirectly related to the infringement.<br />
<br />
The President of the Office for the Protection of Personal Data has taken into account the following aggravating circumstances when deciding on the administrative fine to be imposed on the Company and when determining its amount, in accordance with Article 83(2)(a-k) of Regulation 2016/679:<br />
<br />
(1) The infringement found in this case is of considerable gravity and seriousness, as the Company's lack of cooperation with the President of the Office for the Protection of Personal Data has made it impossible for that body to carry out checks on the Company's compliance with the provisions on personal data protection. The Company's action is reprehensible. By its failure to do so, the Company prevented the President of the Office for the Protection of Personal Data from making very important findings (concerning the legality of personal data processing), the results of which would undoubtedly have a significant impact on the assessment of the evidence collected in the course of another inspection, which was carried out by the President of the Office for the Protection of Personal Data in V. Sp. z o.o. sp. k. (nature, seriousness and time of the infringement).<br />
<br />
The Company deliberately thwarted the inspection, and thus prevented the President of the Office for Personal Data Protection from performing the statutory tasks under Article 58(1)(e) and (f) of Regulation 2016/679. This situation gives rise to a suspicion that the Company's thwarting of the inspection was aimed at preventing the President of the Office for Personal Data Protection from collecting evidence that the processing of personal data by the Company is unlawful (intentional or unintentional nature of the infringement).<br />
<br />
The other prerequisites for the administrative fine indicated in Art. 83 par. 2 letter c - k, due to the subject matter of the proceedings shall not apply in these proceedings. Consequently, they did not affect the assessment of the infringement and the level of the administrative penalty imposed.<br />
<br />
In determining the amount of the administrative penalty payment, the President of the Office for the Protection of Personal Data did not see any mitigating circumstance affecting the final penalty.<br />
<br />
The fixing of the amount of the financial penalty imposed also required the definition of the objectives which that penalty would achieve. It should be pointed out that the financial penalty imposed on the Company in connection with the lack of cooperation with the President of the Office for the Protection of Personal Data is of repressive nature (it is to cause the Company to incur a financial penalty for the avoidance of control) and preventive (it is to prevent future violations of law by the Company, but also by other entities). In addition, the financial penalty imposed on the Company is also of a deterrent nature and is related to the prevention of violations. The penalty is designed to deter both the Company and others from recidivism.<br />
<br />
In addition, the President of the Office for the Protection of Personal Data can undoubtedly not accept situations in which entities by thwarting control activities prevent the implementation of his statutory tasks.<br />
<br />
Pursuant to Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date.<br />
<br />
In the opinion of the President of the Office for the Protection of Personal Data, the penalty payment applied meets, in the established circumstances of this case, the conditions referred to in Article 83(1) of Regulation 2016/679, due to the seriousness of the established breach resulting from Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679, which is undoubtedly a lack of cooperation with the supervisory authority in the exercise of its statutory powers, including the prevention of control activities.<br />
<br />
Under those provisions, an infringement of the obligation of the controller referred to in Article 31 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10 000 000 and, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding financial year, the higher amount being applicable.<br />
<br />
An infringement of the obligations of the controller referred to in points (e) and (f) of Article 58(1) of Regulation 2016/679 shall be punishable by an administrative fine of up to EUR 20 000 000 and, in the case of an undertaking, of up to 4 % of its total annual worldwide turnover in the preceding business year, the higher amount being that which the President of the Office for the Protection of Personal Data pursuant to Article 83(3) of Regulation 2016/679 considers to be the most serious infringement and the amount of the fine imposed by this Decision shall not exceed that amount.<br />
<br />
In view of the above, the President of the Office for Personal Data Protection has decided as set out in the operative part of this Decision. <br />
<br />
The Decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for the Protection of Personal Data (address: ul. Stawki 2, 00 - 193 Warsaw). A relative entry must be made against the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002 - Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a Party made before or during the proceedings. The application shall be free of court fees.<br />
<br />
Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In the case of postponement of the date of payment of the administrative fine or its distribution in instalments, the President of the Office for the Protection of Personal Data shall calculate interest on the unpaid amount on an annual basis, using the reduced rate of interest for delay, announced on the basis of art. 56d of the Act of 29 August 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.<br />
<br />
Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to the administrative court shall suspend the execution of the decision on the administrative fine.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DS.523.1470.2020&diff=10045
UODO (Poland) - DS.523.1470.2020
2020-04-28T15:47:36Z
<p>AK: Created page with "Category:Article 4(1) GDPR Category:2019 {| class="wikitable" style="width: 25%; margin-left: 10px; float:right;" ! colspan="2" |UODO - ZSPR.421.19.2019 |- | colspan="..."</p>
<hr />
<div>[[Category:Article 4(1) GDPR]]<br />
[[Category:2019]]<br />
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |UODO - ZSPR.421.19.2019<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:UODO.jpg|alt=|center|180x180px]]<br />
|-<br />
|Authority:||[[UODO (Poland)]]<br />
[[Category:UODO (Poland)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in Poland|Poland]]<br />
[[Category: Poland]]<br />
|-<br />
|Relevant Law:||[[Article 31 GDPR]]<br />
[[Category:Article 14 GDPR]]<br />
|-<br />
|Type:||Investigations<br />
|-<br />
|Outcome:||Fine<br />
|-<br />
|Decided:||9.3.2020<br />
|-<br />
|Published:||26.3.2020<br />
|-<br />
|Fine:||4673 EUR<br />
|-<br />
|Parties:||Vis Consulting Sp. z o.o. in liquidation<br />
|-<br />
|National Case Number:||ZSPR.421.19.2019<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||Polish<br />
[[Category:Polish]]<br />
|-<br />
|Original Source:||[https://uodo.gov.pl/decyzje/ZSPR.421.19.2019 UODO (PL)]<br />
|}<br />
<br />
The President of the Personal Data Protection Office in Poland (UODO) imposed a fine of approx. 4600 EUR (PLN 20 000) on a telemarketing company for a violation of the controller's obligation to cooperate with the supervisory authority under Article 31 GDPR.<br />
<br />
==English Summary==<br />
===Facts===<br />
The President of the UODO decided to conduct inspection activities at the company Vis Consulting Sp. z o.o., which provides telemarketing services to other companies, one of which was the subject of a decision issued earlier by the UODO. The supervisory authority found it necessary to conduct inspection activities at the entity which actually operated the telephone calls and processed the data. <br />
<br />
When they arrived at the company's registered address, the UODO's inspectors did not find any representatives of Vis Consulting Sp. z o.o. After back-and-forth communication between the UODO representatives and the company's proxy, the latter informed the UODO by phone that the inspection could not take place. <br />
<br />
===Dispute===<br />
On two consecutive days of the planned inspection activities, the company made it impossible to carry out the inspection. Furthermore, on the date on which the inspectors attempted to conduct the inspection at Vis Consulting Sp. z o.o., its governing bodies decided to liquidate that entity. <br />
<br />
The President of the UODO had to make a decision about the company's compliance with Article 31 GDPR.<br />
<br />
===Holding===<br />
<br />
The President of the UODO decided that Vis Consulting Sp. z o.o. in no way wished to cooperate with the supervisory authority. <br />
<br />
The UODO concluded that the company deliberately thwarted the inspection and thus prevented the President of the UODO from performing statutory tasks under Article 58(1)(e) and (f) GDPR. The situation gives rise to the suspicion that the Company's thwarting of the inspection was aimed at preventing the UODO from collecting evidence of unlawful processing of personal data by the company.<br />
<br />
Thus the company infringed the provisions of the GDPR concerning cooperation with the supervisory authority and granting it access to all personal data and any information.<br />
<br />
Hence, the President of the UODO concluded that the conditions for imposing a fine on the company were satisfied. <br />
<br />
Given the suspicion that the President of the Company had committed an offence under Article 108(1) of the Act on the Protection of Personal Data, the supervisory authority notified the District Public Prosecutor's Office in Katowice thereof. According to that provision, preventing or hindering an inspection of compliance with the personal data protection provisions is subject to a fine, restriction of personal liberty or imprisonment for up to two years. <br />
<br />
The Public Prosecutor's Office has lodged an indictment against the President of the Company with the court.<br />
<br />
==Comment==<br />
<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
<br />
UODO's press release [https://uodo.gov.pl/en/553/1119 here] (in EN). <br />
<br />
''Share blogs or news articles here!''<br />
<br />
==English Translation of the Decision==<br />
<br />
Below you can find the English translation of the decision (see PDF for Original) <br />
<br />
<pre><br />
DECISION<br />
CP.421.19.2019<br />
<br />
Pursuant to Article 104 § 1 of the Act of 14 June 1960 - the Code of Administrative Procedure (Journal of Laws of 2020, item 256) and Article 7(1) and (2), Article 60, Article 101, Article 103 of the Act on the Protection of Personal Data of 10 May 2018 (Journal of Laws of 2019, item 1781) in connection with Article 31, Article 58(1)(e) and (f) in connection with Article 83(1-3) and Article 83(5)(e) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 04.05.2016, p. 1, as amended), following an ex officio procedure initiated in the case of Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, 29 lok. 9, the President of the Office for Personal Data Protection, stating that Vis Consulting Sp. z o.o. in liquidation with its registered office in Katowice at 29 Zygmunta Krasińskiego Street, infringed the provisions of Article 31 and Article 58(1)(e) and (f) of the General Data Protection Regulation by not providing access to personal data and other information and premises, resulting in preventing the President of the Office for Personal Data Protection from carrying out control activities necessary for the performance of his tasks,<br />
<br />
imposes on Vis Consulting Sp. z o.o. in liquidation, seated in Katowice at 29 Zygmunta Krasińskiego Street 9, a fine of PLN 20,000 (say: twenty thousand zlotys), which is equivalent to EUR 4,673.56, according to the average EUR exchange rate announced by the National Bank of Poland in the table of exchange rates as at 28 January 2020.<br />
Justification <br />
<br />
Based on Article 58(1)(b), (e) and (f) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, p. 1 and EU Official Journal L 127 of 23.05.2018, p. 2), hereinafter referred to as the Regulation 2016/679, the President of the Office of Personal Data Protection has planned to carry out in Vis Consulting Sp. z o.o. with its registered office in Katowice at Zygmunta Krasińskiego 29 lok. 9 (hereinafter also referred to as the "Company") an inspection of compliance of data processing with the regulations on personal data protection. The audit was to be conducted from 29 July 2019 to 2 August 2019.<br />
<br />
By letter of [...] July 2019 (mark: [...]) Urząd Ochrony Danych Osobowych via Poczta Polska notified the Company of the date and scope of the planned inspection. The letter was delivered on [...] July 2019 to the registered office of Vis Consulting Sp. z o.o. (Katowice, ul. Zygmunta Krasińskiego 29, 9), indicated in the National Court Register. <br />
<br />
On [...] July 2019, in order to carry out control activities (ZSPR.421.19.2019), the controlling persons went to the place indicated in the National Court Register as the address of the Company, but the persons representing the Company were not there. It turned out that this address is the Office of [...] (hereinafter referred to as the "Office") run by [...]. As agreed, the Company sub-leases the commercial premises located in Katowice at 29 Zygmunta Krasińskiego Street, 9, for the so-called 'virtual office'. Only an employee of the Office was found in the premises in question. After presenting this person with the purpose of the arrival of the controlling persons, an employee of the Office, after checking the content of the electronic mail, in order to determine whether any message was received from the Company in this respect, informed that a letter dated [...] July 2019 was received from the Company signed by Mr. Paweł Kępka - President of the Board. From the content of the letter, it resulted that the Company terminates the lease agreement for premises no. 9 located in Katowice at 29 Zygmunta Krasińskiego Street and that as of [...] July 2019, this entity will not operate at the above mentioned address. A copy of the aforementioned letter was forwarded to the inspectors.<br />
<br />
Moreover, an employee of the Office informed the inspectors that after receiving the letter of [...] July 2019 from the Office of Personal Data Protection, regarding the notification of the planned control in the Company, the content of the letter in question in the form of a scan was transferred to the Company. In order to document the above mentioned findings, on [...] July 2019, the inspectors made an official note.<br />
<br />
In connection with the situation, the inspectors asked the employee of the Office to contact the Company in order to determine whether the inspection activities could be carried out. However, it was not possible to establish contact with the Company. Therefore, the inspector asked for a telephone number to the Company. An employee of the Office stated that it is only upon written request of the President of the Office for Personal Data Protection that he can provide information on this entity (including the telephone number). The Controllers left the telephone number to contact. On the same day, at approximately 2:00 p.m., a man who introduced himself as an "attorney [...]" called the Controller and said he was contacting on behalf of the Company, but did not know if the control could be carried out. In the course of the conversation, the above mentioned person has agreed that he will try to determine whether the inspection can take place by [...] July 2019.<br />
<br />
At the same time, on July [...], 2019, the President of the Office for Personal Data Protection sent a request to the e-mail address of the Office to provide a copy of the lease agreement for the premises in question and to provide contact information to the Company.<br />
<br />
On [...] July 2019 the Controllers went again to the Company's address, but also on that day the persons representing the Company were not present. Therefore, no control activities took place. An employee of the Office provided the inspectors with a copy of the sublease agreement for the premises in question. At 11.00 a.m., a person representing himself as "advocate [...]" called the inspectors and informed them that the inspection would not take place.<br />
<br />
In this connection, by letter dated [...] August 2019 (mark: [...]), the President of the Office for the Protection of Personal Data initiated ex officio administrative proceedings to impose an administrative fine in connection with the impossibility of carrying out an inspection in the scope of the Company's compliance with the provisions on personal data protection. The above mentioned correspondence was returned with the note "out of date address".<br />
<br />
Based on the financial statements for the period from 1 January 2018 to 31 December 2018 (available on the website of the Ministry of Justice at the address: ekrs.ms.gov.pl), it was established that in the aforementioned period, the Company's net revenue from sales and equalised with them amounted to PLN 426 261.14.<br />
<br />
After reviewing all the evidence gathered in the case the President of the Office for Personal Data Protection weighed the following:<br />
<br />
According to the information contained in the National Court Register, on July 30, 2019, a resolution was passed to dissolve the Company and put it into liquidation. On 23 August 2019, the District Court in Katowice - Wschód, 8th Commercial Division made an entry in the National Court Register on placing the Company in liquidation. Since then, the Company has been operating under the name of Vis Consulting Sp. z o.o. in liquidation.<br />
<br />
Pursuant to Article 57(1)(a) of Regulation 2016/679, each supervisory authority on its territory shall monitor and enforce the application of Regulation 2016/679. In addition, pursuant to Article 58(1)(e) and (f) of Regulation 2016/679, the supervisory authority shall be entitled to access all the premises of the controller and the processor, including the equipment and means of data processing, in accordance with the procedures laid down in EU or Member State law. It should be noted that in accordance with Article 58(6) of Regulation 2016/679, each Member State may provide in its legislation that its supervisory authority has, in addition to the powers referred to in paragraphs 1, 2 and 3, also other powers. As provided for in Article 31 of Regulation 2016/679, the controller and processor and, where applicable, their representatives, shall cooperate with the supervisory authority upon request in the performance of its tasks.<br />
<br />
Pursuant to Article 78 paragraph 1 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), hereinafter referred to as "the Act", the President of the Office for the Protection of Personal Data shall carry out the control of compliance with the provisions on personal data protection. Pursuant to Art. 79 sec. 1 point 1 of the Act, the control is carried out by an employee of the Office authorised by the President of the Office.<br />
<br />
As stipulated in Art. 84 sec. 1 of the Act, the inspector has the right to: a) enter the land and buildings, premises or other rooms between 6:00 and 22:00; b) inspect documents and information directly related to the subject matter of the inspection; c) inspect places, objects, devices, carriers and IT or ICT systems used for data processing; d) demand written or oral explanations and question a person as a witness to the extent necessary to establish the facts; e) have expert opinions and other opinions drawn up.<br />
<br />
The fact that the President of the Office for Personal Data Protection had planned to carry out an inspection in the Company in connection with the findings made during the inspection carried out in V. Sp. z o.o. sp. k., with its registered office in [...], is of significant importance in this case. In the course of the audit conducted in the above-mentioned entity, it was established that it conducts telemarketing activities. In connection with this activity it processes personal data (landline and mobile phone numbers) by means of an ICT system provided by the Company. The system in question is used on the basis of a cooperation agreement on the outsourcing of telemarketing services. The agreement was concluded with the Company in [...] February 2017. An important issue is that V. Sp. z o.o. sp. k. does not have its own database, and all telephone connections are generated only by the IT system made available by the Company.<br />
<br />
The content of the aforementioned agreement shows, among other things, that the Company has a technical solution - an ICT system in the form of a computer program, the use of which allows for making telephone calls to fixed and mobile phone numbers according to the location criterion. Moreover, in this agreement it is also indicated that the functionality of the system in question prevents V. Sp. z o.o. sp. k. from accessing any information, including the dialed telephone number. Moreover, in this agreement, the Company declares that in case of using any personal data for the purpose of performing the above-mentioned agreement, it will administer "the above-mentioned data in accordance with the applicable provisions of Polish law". In § 3 point 2 of the aforementioned agreement there is a provision with the following content: "VIS declares that in case of any claims by third parties against V. [...] related to the functionality of the SYSTEM [...], releases V. from this liability to the extent permitted by the applicable law and undertakes to cover all costs related to the protection of V. against such claims".<br />
<br />
Due to the fact that V. Sp. z o.o. sp. k. does not have access to personal data processed in this system (i.e. to information about telephone numbers dialled), the President of the Office for Personal Data Protection considered it necessary to carry out control activities also in the Company (i.e. in the entity which, on the basis of the established agreement, is considered to be the data controller). The aim of the inspection was to examine the legality of personal data processing using the system in question.<br />
<br />
The fact that it was impossible to carry out the inspection in the Company made it significantly more difficult for the President of the Office for Personal Data Protection to examine the process of personal data processing by V. Sp. z o.o. sp. k.<br />
<br />
The evidence gathered in the case indicates that the actions taken by the persons representing the Company definitely prove the lack of cooperation with the President of the Office for Personal Data Protection.<br />
<br />
To confirm the above position, the following circumstances should be recalled:<br />
<br />
1) after receiving information about the planned control by the President of the Office for Personal Data Protection (letter of [...] July 2019), on [...] July 2019 (two days before the commencement of the planned control), the Company sent a motion to the lessor to terminate the lease agreement for the premises located in Katowice at 29 Zygmunta Krasińskiego Street (address of the Company indicated in the National Court Register);<br />
<br />
2) on both [...] July 2019 and [...] July 2019, the Company thwarted the control activities, as no person authorised to represent the Company in the course of the control was found at the Company's address;<br />
<br />
3) On 30 July 2019, a resolution was adopted on dissolution of the Company and commencement of liquidation proceedings (this information is contained in the National Court Register).<br />
<br />
To sum up, it should be stated that the Company's activities referred to above undoubtedly prove that it does not fulfil its obligations related to the processing of personal data or at least intentionally avoids submitting to the control of the supervisory authority which is the President of the Office for Personal Data Protection. Thus, it should be considered that by preventing the President of the Office for the Protection of Personal Data from carrying out the inspection, the Company has violated Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679. It should be pointed out that in accordance with Article 31 of Regulation 2016/679, the controller and the processor and, where applicable, their representatives shall cooperate with the supervisory authority upon request in the performance of its tasks. The obligation to cooperate includes ensuring that the supervisory authority is able to obtain from the controller (and the processor) access to all personal data and all information necessary for the performance of its tasks (Article 58(1)(e) of Regulation 2016/679), to obtain access to any premises of the controller and the processor, including the processing equipment and means in accordance with the procedures laid down in Union or Member State law (Article 58(1)(f) of Regulation 2016/679). This obligation for the controller to cooperate is in fact correlated with the tasks of the supervisory authority as formulated in Article 57 of Regulation 2016/679 and the powers stemming from Article 58 of Regulation 2016/679.<br />
<br />
The President of the Office for the Protection of Personal Data, acting on the basis of Article 108 par. 1 of the Act on the Protection of Personal Data, notified the District Prosecutor's Office in [...] of a suspicion of committing an offence consisting in thwarting control activities by the Company. On [...] January 2020, the Office for Personal Data Protection received a notification (file ref. [...]) from the District Prosecutor's Office [...] [...] of sending a bill of indictment against [...] [...] [...], accused of committing an offence under Article 108 of the Act on Personal Data Protection.<br />
<br />
Moreover, in view of the above findings, the President of the Office for the Protection of Personal Data, exercising his powers under Article 83 of the Regulation 2016/679, states that in the case under consideration, there are prerequisites for imposing an administrative fine on the Company.<br />
<br />
Pursuant to Article 83(2) of Regulation 2016/679, administrative fines are imposed depending on the circumstances of each individual case.<br />
<br />
In accordance with Article 83 of Regulation 2016/679 - laying down general conditions for the imposition of administrative fines - each supervisory authority shall ensure that the administrative fines referred to in paragraphs 4, 5 and 6 of this Article are effective, proportionate and dissuasive in each individual case (paragraph 1). In accordance with Article 83(2)(b) of Regulation 2016/679, the authority shall pay due attention to the intentional or unintentional nature of the breach in each individual case when deciding whether to impose an administrative pecuniary sanction and when setting the amount of the administrative sanction.<br />
<br />
Pursuant to Article 83(2)(k) of Regulation 2016/679, the authority shall, in determining whether to impose an administrative penalty payment and in fixing the amount of the administrative penalty payment, pay due attention in each individual case to any other aggravating or mitigating factors relevant to the circumstances of the case, such as the financial gain or loss avoided, whether directly or indirectly related to the infringement.<br />
<br />
The President of the Office for the Protection of Personal Data has taken into account the following aggravating circumstances when deciding on the administrative fine to be imposed on the Company and when determining its amount, in accordance with Article 83(2)(a) to (k) of Regulation 2016/679:<br />
<br />
(1) The infringement found in this case is of considerable gravity and seriousness, as the Company's lack of cooperation with the President of the Office for the Protection of Personal Data has made it impossible for that body to carry out checks on the Company's compliance with the provisions on personal data protection. The Company's action is reprehensible. By this failure to cooperate, the Company prevented the President of the Office for the Protection of Personal Data from making very important findings (concerning the legality of personal data processing), the results of which would undoubtedly have had a significant impact on the assessment of the evidence collected in the course of another inspection, which was carried out by the President of the Office for the Protection of Personal Data in V. Sp. z o.o. sp. k. (nature, seriousness and time of the infringement).<br />
<br />
The Company deliberately thwarted the inspection, and thus prevented the President of the Office for Personal Data Protection from performing the statutory tasks under Article 58(1)(e) and (f) of Regulation 2016/679. This situation gives rise to a suspicion that the Company's thwarting of the inspection was aimed at preventing the President of the Office for Personal Data Protection from collecting evidence that the processing of personal data by the Company is unlawful (intentional or unintentional nature of the infringement).<br />
<br />
The other prerequisites for the administrative fine indicated in Article 83(2)(c) to (k), due to the subject matter of the proceedings, do not apply in these proceedings. Consequently, they did not affect the assessment of the infringement and the level of the administrative penalty imposed.<br />
<br />
In determining the amount of the administrative penalty payment, the President of the Office for the Protection of Personal Data did not see any mitigating circumstance affecting the final penalty.<br />
<br />
The fixing of the amount of the financial penalty imposed also required the definition of the objectives which that penalty would achieve. It should be pointed out that the financial penalty imposed on the Company in connection with the lack of cooperation with the President of the Office for the Protection of Personal Data is of repressive nature (it is to cause the Company to incur a financial penalty for the avoidance of control) and preventive (it is to prevent future violations of law by the Company, but also by other entities). In addition, the financial penalty imposed on the Company is also of a deterrent nature and is related to the prevention of violations. The penalty is designed to deter both the Company and others from recidivism.<br />
<br />
In addition, the President of the Office for the Protection of Personal Data can undoubtedly not accept situations in which entities by thwarting control activities prevent the implementation of his statutory tasks.<br />
<br />
Pursuant to Article 103 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the equivalent of the amounts expressed in euro referred to in Article 83 of Regulation 2016/679 shall be calculated in PLN according to the average exchange rate of the euro announced by the National Bank of Poland in the table of exchange rates as of 28 January each year, and if in a given year the National Bank of Poland does not announce the average exchange rate of the euro on 28 January - according to the average exchange rate of the euro announced in the table of exchange rates of the National Bank of Poland closest after that date.<br />
<br />
In the opinion of the President of the Office for the Protection of Personal Data, the penalty payment applied meets, in the established circumstances of this case, the conditions referred to in Article 83(1) of Regulation 2016/679, due to the seriousness of the established breach resulting from Article 31 in conjunction with Article 58(1)(e) and (f) of Regulation 2016/679, which is undoubtedly a lack of cooperation with the supervisory authority in the exercise of its statutory powers, including the prevention of control activities.<br />
<br />
Under those provisions, an infringement of the obligation of the controller referred to in Article 31 of Regulation 2016/679 is subject to an administrative fine of up to EUR 10 000 000 and, in the case of an undertaking, of up to 2 % of its total annual worldwide turnover in the preceding financial year, the higher amount being applicable.<br />
<br />
An infringement of the obligations of the controller referred to in points (e) and (f) of Article 58(1) of Regulation 2016/679 shall be punishable by an administrative fine of up to EUR 20 000 000 and, in the case of an undertaking, of up to 4 % of its total annual worldwide turnover in the preceding business year, the higher amount being applicable. Pursuant to Article 83(3) of Regulation 2016/679, the President of the Office for the Protection of Personal Data considers this to be the most serious infringement, and the amount of the fine imposed by this Decision does not exceed that amount.<br />
<br />
In view of the above, the President of the Office for Personal Data Protection has decided as set out in the operative part of this Decision. <br />
<br />
The Decision is final. The party has the right to lodge a complaint against the decision with the Provincial Administrative Court in Warsaw, within 30 days from the date of its delivery, through the President of the Office for the Protection of Personal Data (address: ul. Stawki 2, 00-193 Warsaw). A relative entry must be made against the complaint in accordance with Article 231 in conjunction with Article 233 of the Act of 30 August 2002 - Law on proceedings before administrative courts (Journal of Laws of 2018, item 1302, as amended). A party has the right to apply for the right of assistance, which includes exemption from court costs and appointment of an advocate, legal adviser, tax adviser or patent attorney. The right of assistance may be granted at the request of a party made before or during the proceedings. The application is free of court fees.<br />
<br />
Pursuant to Article 105(1) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), an administrative fine shall be paid within 14 days from the date of expiry of the deadline for filing a complaint with the Provincial Administrative Court, or from the date on which the decision of the administrative court becomes final, to the bank account of the Office for the Protection of Personal Data in the National Bank of Poland No. 28 1010 1010 0028 8622 3100 0000. Moreover, pursuant to Article 105 paragraph 2 of the aforementioned Act, the President of the Office for the Protection of Personal Data may, upon a justified request of the penalised entity, postpone the date of payment of the administrative fine or spread it over instalments. In the case of postponement of the date of payment of the administrative fine or its distribution in instalments, the President of the Office for the Protection of Personal Data shall calculate interest on the unpaid amount on an annual basis, using the reduced rate of interest for delay announced on the basis of Article 56d of the Act of 29 August 1997 - Tax Ordinance (Journal of Laws of 2019, item 900, as amended), from the day following the date of submission of the application.<br />
<br />
Pursuant to Article 74 of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781), the lodging of a complaint by a party to the administrative court shall suspend the execution of the decision on the administrative fine.<br />
</pre></div>
AK
https://gdprhub.eu/index.php?title=IP_-_07121-1/2020/527&diff=10043
IP - 07121-1/2020/527
2020-04-28T15:29:46Z
<p>AK: </p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |IP - 07121-1/2020/527<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoSI.png|center|250px]]<br />
|-<br />
|Authority:||[[IP (Slovenia)]]<br />
[[Category:IP (Slovenia)]]<br />
|-<br />
|Jurisdiction:||[[Data Protection in Slovenia|Slovenia]]<br />
[[Category: Slovenia]]<br />
|-<br />
|Relevant Law:||[[Article 58 GDPR#3|Article 58(3) GDPR]]<br />
[[Category:Article 58(3) GDPR]]<br />
[[Article 4(1) GDPR]]<br />
<br />
[[Article 6(1) GDPR]]<br />
<br />
Article 49(1)(g) ZVOP <br />
<br />
Article 2 ZInfP<br />
|-<br />
|Type:||Advisory opinion<br />
|-<br />
|Outcome:||n/a<br />
|-<br />
|Decided:||7.4.2020<br />
<br />
|-<br />
|Published:||n/a<br />
|-<br />
|Fine:||none<br />
|-<br />
|Parties:||anonymous<br />
|-<br />
|National Case Number:||07121-1/2020/527<br />
|-<br />
|European Case Law Identifier:||n/a<br />
|-<br />
|Appeal:||n/a<br />
|-<br />
|Original Language:||[[Category:Slovenian]]<br />
Slovenian<br />
|-<br />
|Original Source:||[https://www.ip-rs.si/vop/?tx_jzgdprdecisions_pi1%5BshowUid%5D=1480 Informacijski Pooblaščenec (SI)]<br />
|}<br />
<br />
The Slovenian DPA (IP) issued a non-binding opinion under [[Article 58 GDPR#3|Article 58(3) GDPR]] regarding the lawfulness of the processing of a photograph. The IP clarified that a photograph can be considered personal data, especially when it depicts an individual clearly and unambiguously, allowing for their identification. Such processing must be based on consent under [[Article 6(1)(a) GDPR]] collected before the processing takes place. <br />
<br />
==English Summary==<br />
<br />
===Facts and questions arising===<br />
The Information Commissioner (hereinafter referred to as IP) received a request for an opinion. The applicant stated that a stranger took a photo of their employee in the office even though the employee had refused his request for a photograph. The photo was then published in an article. The applicant wanted to clarify whether such processing constitutes a violation of data protection law. <br />
<br />
===Holding===<br />
The IP reminded the applicant that it can make a specific assessment of whether the case described is a violation of personal data protection rules only through an inspection procedure. <br />
<br />
The IP then explained what constitutes personal data in accordance with Article 4(1) GDPR. In light of the definition contained therein, photographs may be considered personal data protected under the GDPR if they identify or enable the identification of an individual, especially when the individual is clearly and unambiguously visible in the photograph and could thus be identified, or when other personal information about the individual is processed together with the photo (e.g. first and last name, year of birth, etc.). Therefore, if a photograph can be considered personal data, its collection and storage, as well as all subsequent processing operations such as posting it, most likely qualify as processing of personal data.<br />
<br />
Any processing of personal data must rely on a legitimate and appropriate legal basis. These are set out in Article 6(1) GDPR. The controller is responsible for choosing the right legal basis for the processing of personal data, taking into account the specific circumstances and purpose of the processing.<br />
<br />
According to previous opinions issued by the IP, controllers should obtain the individual's consent in advance, in accordance with Article 6(1)(a) GDPR, for the processing of photographs in a way that allows the depicted individual to be easily identified.<br />
<br />
==Comment==<br />
''Share your comments here!''<br />
<br />
==Further Resources==<br />
''Share blogs or news articles here!''<br />
<br />
==English Machine Translation of the Decision==<br />
<br />
The decision below is a machine translation of the original. Please refer to the Slovenian original for more details.<br />
<br />
<pre><br />
Date: 04/07/2020<br />
Title: Posting a photo without consent<br />
Number: 07121-1 / 2020/527<br />
Subject matter: Legal bases, Commercial activity<br />
Legal act: Opinion<br />
The Information Commissioner (hereinafter referred to as IP) has received your request for an opinion. You state that an unknown gentleman took a picture of a worker in your office despite her rejecting his request for a photograph. Her photo was then published in an article. You are convinced that this is a violation of personal data protection. You also ask about the application process.<br />
<br />
On the basis of the information you have provided to us, in accordance with Article 58 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as the General Regulation), point 7 of the first paragraph of Article 49 of the Personal Data Protection Act (Official Gazette RS, No. 94/07-UPB1, hereinafter ZVOP-1) and Article 2 of the Information Commissioner Act (Official Gazette of the Republic of Slovenia, No. 113/05, hereinafter ZInfP), we provide our non-binding opinion regarding your question.<br />
<br />
First of all, we emphasize that IP can make a specific assessment of whether the case you are describing is a violation of personal data protection rules only through an inspection process. Therefore, we provide you with general explanations and legal background and conditions for the legitimate processing of personal data, and explain how to submit your application.<br />
<br />
We would like to point out that IP is only responsible for the part of the right to privacy that relates to the protection of personal data and is regulated by Article 38 of the Constitution of the Republic of Slovenia (Official Gazette RS, No. 33/1991 with amendments and supplements, hereinafter the RS Constitution). In the case you describe (publication of a photograph of an individual in the media), there may also be an interference with the right to privacy in the broad sense referred to in Article 35 of the Constitution of the Republic of Slovenia, which falls within the jurisdiction of the courts and is protected by the institutes of civil and criminal justice. It should be stressed that none of these constitutional rights is absolute. This means that the right to privacy and the right to data protection must also be understood in the context of their relationship to the right to freedom of expression, which is guaranteed in Article 39 of the Constitution of the RS.<br />
<br />
In accordance with Article 4(1) of the General Regulation, personal data is any information relating to an identified or identifiable individual; an identifiable individual is one who can be determined, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, web identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.<br />
<br />
In the light of the above, photographs are protected data under the General Regulation if they determine or enable the determinability of an individual, especially when the individual is clearly and unambiguously visible in the photograph and could thus be identified and determined, or when other personal information about the individual (e.g. his first and last name, his year of birth, etc.) is also processed together with the photograph. Therefore, if a photograph of a particular individual can be considered protected personal data, its collection most likely constitutes processing of personal data, as does its mere storage and all subsequent processing operations, e.g. posting it.<br />
<br />
Any processing of personal data, including collection, storage, use, disclosure, dissemination or otherwise making available, must have a legitimate and appropriate legal basis. These are set out in Article 6(1) of the General Regulation and are, for the private sector, as follows:<br />
<br />
- consent (point (a)),<br />
<br />
- the conclusion or performance of the contract (point (b)),<br />
<br />
- law or performance of public tasks (point (c) and (e) respectively),<br />
<br />
- legitimate interests that outweigh the interests of the individual (point (f)).<br />
<br />
Choosing the right legal basis for the processing of personal data, taking into account the specific circumstances and purpose of the processing, is the responsibility of the controller. For legal bases in the private sector, you can also view the infographics published on the IP website: https://www.ip-rs.si/fileadmin/user_upload/png/infografike/pravne_podlage_zasebni_sektor_s_pogoji_privolitve.pdf.<br />
<br />
IP has previously answered questions about posting photos, so we recommend that you familiarize yourself with the content of the opinions you can find through the search engine at https://www.ip-rs.si/vop/ ("Photos as OP" or "Media" category). From the IP opinions issued, the recommendation is that, in order to use photographs in a way that can easily identify the depicted individual, the operators obtain in advance the personal consent of that individual in accordance with Article 6(1)(a) of the General Regulation. You can read more about the conditions for valid consent on the IP website https://www.ip-rs.si/zakonodaja/reforma-evropskega-zakonodajnega-okvira-za-varstvo-osebnih-podatkov/kljucna-podrocja-uredbe/privolitev/.<br />
<br />
Anyone who believes that someone is in breach of the General Regulation or ZVOP-1 (in the part still applicable) can file a complaint with the IP. The IP then carries out the appropriate inspection procedures ex officio. The application can be made either by the worker herself or by you as her employer. Reporting a violation of personal data protection has only the nature of an initiative to initiate an inspection procedure under the Inspection Act (Official Gazette of the Republic of Slovenia, No. 43/07 - Official Consolidated Text and 40/14). The applicant is therefore not a party to any inspection procedure. You can also read more about filing an application on the IP website https://www.ip-rs.si/varstvo-osebnih-podatkov/pravice-posameznika/vlozitev-prijave/.<br />
<br />
It is recommended that the application be submitted on the "ZIN APPLICATION FORM" form, which can be accessed at https://www.ip-rs.si/obrazci/varstvo-osebnih-podatkov/. The application can be sent by e-mail to gp.ip@ip-rs.si; or by regular mail to Dunajska cesta 22, 1000 Ljubljana.<br />
</pre></div>
AK