UOOU (Czech Republic) - UOOU-01025/20-121
Revision as of 13:26, 23 April 2024
UOOU - UOOU-01025/20-121 | |
---|---|
Authority: | UOOU (Czech Republic) |
Jurisdiction: | Czech Republic |
Relevant Law: | Article 5 GDPR Article 6 GDPR Article 6(1)(f) GDPR Article 13 GDPR Article 13(1)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 05.04.2022 |
Decided: | 10.04.2024 |
Published: | |
Fine: | 351000000 CZK |
Parties: | Avast Software, s.r.o. |
National Case Number/Name: | UOOU-01025/20-121 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Czech |
Original Source: | UOOU (in CS) |
Initial Contributor: | im |
Cybersecurity and antivirus company Avast Software s.r.o. received the highest fine ever imposed by the CZ DPA, in the amount of €13,7 mil. The company was selling the browsing data of more than 100 users for advertising.
English Summary
Facts
On the basis of an anonymous complaint submitted on 22 February 2020 and a major media case, the DPA started an investigation of Avast Software s.r.o. (‘the controller’ or ‘Avast’), a company providing antivirus software services and browser extensions (‘add-ons’).
For at least two months in 2019, Avast allegedly collected a portion of their users’ browsing data and sold it to a company called Jumpshot, INC. Specifically, they shared pseudonymised browsing history linked to a unique identifier of approximately 100 million users through the add-ons. Jumpshot, INC. claimed to provide this data to marketers, offering insights into consumer online behavior and ‘atomic-level’ user journey tracking.
The decision-making process consisted of 2 parts – a first instance ruling by the DPA and a second instance ruling by the Appellate Body within the same DPA.
Due to the cross-border nature of the processing, the DPA of first instance submitted a draft decision to the other supervisory authorities concerned in the framework of the One Stop Shop mechanism. None of the supervisory authorities raised a relevant and reasoned objection to the draft decision.
On 14 March 2022 the DPA found the controller guilty of committing the abovementioned offence without legal basis under Article 6(1) GDPR and lack of transparent consent under Article 5(1)(a) and 13 GDPR. The controller filed an appeal arguing that:
- they used robust anonymization techniques for processing;
- the average user was sufficiently aware that the information processed had statistical value;
- the purpose of the transfer of the data was compatible with the primary purpose of the processing pursuant to recital 50 and Article 5(1)(b) GDPR.
The controller explained that the anonymization process followed methods patented in the US which removed all identifiers, information that indirectly identifies the user (e.g. user ID) as well as information from which identification could potentially be inferred (e.g. unique combination of certain parameters contained in the URL).
The controller also commented on the contract concluded with Jumpshot, INC., stating that the provision referring to anonymization as the removal of direct identifiers in reality meant a much broader process of anonymization. They argued that the re-identification of data subjects could not be reasonably foreseen as it was contractually prohibited.
The DPA of first instance did not dispute that the accused had legal authority to collect personal data, but claimed that it had no legal basis for transmitting it to Jumpshot, INC. The controller admitted that this was commercial activity, but argued that statistical activity pursuing commercial interests also meets the definition of statistical activity under the GDPR.
Moreover, the controller considered that the DPA of first instance wrongly classified the data transmitted as personal data on the basis that (theoretically) two data sets could be merged and thus the data subjects could be identified. In the controller’s view this would imply that a data subject can be identified anytime two data sets including general information are merged together. The controller claimed that certain information can be personal data for one person without being personal data for another person. Moreover, the controller argued that, in line with the CJEU precedents, assessing a data subject's identifiability requires considering means reasonably accessible to controllers or third parties. They contend it's unreasonable to expect third parties to use illegal means.
Furthermore, the defendant argues that pseudonymized or anonymized data processing for statistical analysis is common in digital companies. Regarding the transfer to Jumpshot, INC., they assert that the controller's legitimate interest outweighed data subjects' concerns since there was minimal risk, opt-out options, and benefits in commercial and product improvement pursuits.
The controller complained that the Office did not inform it in detail throughout the proceedings of what it was charged with, thereby violating Article 6(3)(a) ECHR, according to which "everyone, who is charged with a criminal offence" has the right "to be informed promptly and in a language which he understands in detail of the nature and cause of the charge against him". The controller also considered that its procedural rights were violated by the denial of access to cooperation mechanism records, coupled with the controller's non-participation in the international procedure.
The next procedural defect identified by the controller was a violation of their legitimate expectations, as the case was already dealt with by the DPA on 2 July 2018 in the case no. UOOU-07166/18. The controller disagrees with the argument of the DPA of first instance that the case from 2018 concerned only the development of an antivirus programme and not its add-ons.
The controller finally argued that the fine imposed by the DPA of first instance is more than 5.000 times higher than the sum of all fines imposed by the DPA in the three years and 50.000 times higher than the highest fine imposed by the DPA. The controller disagrees that a mere two-month-long violation without any real impact on data subjects could be so much more serious than all other breaches of the GDPR.
Holding
On the question of legal basis, the Appellate Body stated that even in the case of processing personal data for statistical purposes, disproportionate interference with the rights of data subjects is prohibited. The DPA agreed with the controller that an average user was aware that the data controller used the data collected for statistical purposes. However, these expectations are directed towards statistics related to the controller’s business. Therefore, the average user did not expect that the accused, as a provider of data protection products, would conduct trend analysis on their data unrelated to the provided services and transfer/sell this data to third parties for their commercial interests.
Additionally, the DPA considered that the information provided to data subjects was contradictory and opaque, as the users would have to read the Privacy Policy in detail to be aware of the transmission of anonymous information. Further, the data subjects were informed neither of the purpose of the processing nor of the legal basis of such processing. As a result, the DPA found a violation of Article 13(1)(c) GDPR.
The Appellate Body identified that the internal identifiers of users were also processed for the purpose of trend analysis, as stated in the Product Privacy Policy of the controller. Although the controller transmitted data to Jumpshot, INC. from which it removed some identifiers (but not the internal identifier), the transmitted data cannot be considered completely anonymous. Consequently, the recipients of this data had the possibility to re-identify the data subjects. On this point, the DPA concluded that the controller merely repeated that the data was anonymized without demonstrating that the anonymization carried out resulted in anonymous data.
Moreover, the DPA stated that the controller did not carry out the balancing test properly, namely the assessment whether the processing is necessary and whether the legitimate interest of the controller overrides the legitimate interest of the data subjects. Since the internet browser users can be re-identified, their privacy can be significantly infringed. More importantly, the DPA stressed that it was not clearly specified for what purpose and with whom the data was shared. The users purchased the antivirus software to protect their data and, therefore, did not expect that the processing might affect their privacy.
The DPA considered the controller’s argument on the content of the contract expedient. The controller was obliged to specify the subject matter of the processing regardless of the fact that in reality the controller considered anonymous data in the broader sense.
The Appellate Body can hardly conclude that the accused did not know what they were suspected of. If that were the case, the DPA stated that the controller could have raised this objection immediately after the proceedings were initiated or at any time during the proceedings before the DPA of first instance.
Regarding the violation of procedural rights in the international procedure, the Appellate Body argued that neither the Czech legal order nor the GDPR provides for a procedural right of the party to the proceedings to comment on the draft decision before it is issued within the meaning of Article 60(7) GDPR, nor for the right to otherwise participate in this deliberation of the supervisory authorities. Otherwise, there could be irresolvable procedural deadlocks.
The Appellate Body explained that the principle of ne bis in idem cannot be invoked as the previous decision focused on the compliance of the controller with the obligations under Article 5(2) and 24(1) GDPR. This decision does not prevent the continuation of offense proceedings initiated separately.
Users were thus misinformed by Avast about the transmission of anonymous data for the purpose of trend analysis. It was shown in the proceedings that the data transmitted from individual antivirus software installations was not anonymised, as the transmitted data could re-identify at least some of the data subjects.
Regarding the fine imposed, the Appellate Body said that the DPA has not dealt with similar processing of personal data in the past. The case is unprecedented in the way of data processing, its scope, number of data subjects and possible impact on their rights.
The Czech DPA, therefore, imposed a fine of CZK 351 million (€13,9 million) for a failure to sufficiently inform the data subjects, as required by Article 13 GDPR, about the purpose of the processing for which their data were intended. The controller was also found in violation of Article 6(1) GDPR for a lack of legal basis for the processing in question.
English Machine Translation of the Decision
The decision below is a machine translation of the Czech original. Please refer to the Czech original for more details.
OFFICE FOR THE PROTECTION OF PERSONAL DATA Lt. Col. Sochora 27, 170 00 Prague 7 *UOOUX00GT7J2* tel.: 234 665 111 posta@uoou.gov.cz, uoou.gov.cz Ref/ UOOU-01025/20-121 DECISION The Chairman of the Office for the Protection of Personal Data as an appellate body competent under provisions of § 152 paragraph 2 of Act No. 500/2004 Coll., Administrative Code, decided according to the provisions of § 152 paragraph 6 letter b) of Act No. 500/2004 Coll., Administrative Code, as follows. Dissolution of the accused, company against the decision of the Office for Personal Data Protection ref/ UOOU- 01025/20-94 of March 14, 2022, is rejected and the contested decision is specified in in the sense that in the statement I/the contested decision the title "expansion of Internet browsers" adds the text "(in the scope of pseudonymised data relating to browsing history of the Internet, corresponding to approximately 100,000,000 users)", in the rest the attacked confirms the decision. Justification I. Definition of the matter [1] Proceedings for suspicion of committing an offense according to § 62 paragraph 1 letter b) and c) of the Act No. 
110/2019 Coll., on the processing of personal data, in connection with the transfer of personal data about users of the anti-virus program or its extension of internet browsers (hereinafter also referred to as "antivirus program, especially data on user behavior during use personal computer and the Internet, to another administrator according to Article 4 point 7 of the European Regulation of the Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and the free movement of such data and cancellation Directive 95/46/EC (hereinafter referred to as "Regulation (EU) 2016/679" or "GDPR") without legal title and in connection with the violation of the information obligation according to Article 13 paragraph 1 of Regulation (EU) 2016/679, was initiated by the notification of the Office for the Protection of Personal Data (hereinafter referred to as the "Office"), which was accused, the company (hereinafter referred to as "the accused"), delivered on February 27, 2020. The basis for the initiation of proceedings was file material collected by the Office on the basis of an initiative delivered 1/57 of the Office on February 22, 2020 and further the documents collected as part of the inspection of the UOOU- 07166/18 conducted by the inspector of the Office of the Judge JUDr/ Jiřina Rippelová with the accused on July 2, 2018 to March 19, 2019, terminated by the handling of objections by the Chairperson of the Office ref/ UOOU-07166/18-53 of June 4, 2019, and file no./ stamp/ UOOU-01733/19, within which was dealt with outside the administrative procedure by the acceptance of corrective measures by the accused. [2] By decision no./ UOOU-01025/20-94 of 14/ March 2022 (hereinafter referred to as "challenged decision"), the accused was found guilty of committing offenses under Section 62, paragraph 1 letters a) and b) of Act No. 
110/2019 Coll., which she should have committed by being the administrator of personal data transmitted personal data of users of the antivirus program and its extensions the company's internet browsers , for the purpose of creating a statistical analysis of trends, although it is not for this processing did not prove a legal title in the sense of Article 6 paragraph 1 of Regulation (EU) 2016/679, at least from an unspecified day in April 2019 to an unspecified day in July 2019, i.e. at least after for a period of two full calendar months, and further by the fact that in connection with the transfer of personal of the company's data as the controller of personal data at the time of obtaining the personal data insufficiently informed the data subjects about the processing purposes for which the personal data are intended, and the legal basis for processing, also for at least the entire period two calendar months. She was fined for the said criminal act 351,000/000 CZK and also the obligation to pay costs of proceedings in the amount of 1/000 CZK. [3] The contested decision was delivered to the accused on March 24, 2022 and on April 5 2022, the accused, through her legal representative, filed a blank declaration, which on 11/ May 2022 she added. [4] The appellate authority, by letter no. UOOU-01025/20-113 dated November 13, 2023, gave accused in the sense of § 36 paragraph 3 of Act No. 500/2004 Coll. decision on dissolution/ At the same time, he informed the accused of his preliminary findings in the proceedings on dissolution (hereinafter referred to as "Preliminary Findings") and invited her to express her opinion on the proceedings in pursuant to § 36 paragraph 2 of Act No. 500/2004 Coll. 
To comment, the accused were called by resolution no./UOOU- 01025/20-114 of November 13, 2023 set deadline until December 4, 2023/ Appellate body at the same time, he invited the accused to submit any justified objections within the same period biases of members of the decomposition committee/ [5] On December 4, 2023, the Office received the opinion of the accused regarding the documents for issuance of a decision on dissolution/ Within this opinion, the accused reserved the right to supplement her statements and proposed evidence later/ Subsequently, on 21/ December 2023, the accused sent the Office her supplementary opinion/ In both mentioned opinions, the accused stated that she "reserves the right to file an objection of bias against any of the members of the dissolution committee after it has been appointed by the Chairman of the Office and the company will be properly informed about it"/ [6] The Appellate Body submitted on March 8, 2024, in accordance with international cooperation with Article 60 paragraph 3 of Regulation (EU) 2016/679 draft decision on dissolution to other concerned to the supervisory authorities to comment on it/ However, none of the supervisory authorities raised a complaint a relevant and justified objection to the submitted draft decision in the sense of Article 60 paragraph 4 of Regulation (EU) 2016/679 and in accordance with Article 60 paragraph 6 of Regulation (EU) 2016/679 should therefore for agreeing with the draft decision/ 2/57 II. Content of the breakdown and assessment by the second-level authority [7] For clarity and to ensure the consistency of the decision, the appellate body dealt with it by individual objections according to the division chosen by the accused and this concept to a large extent will retain even within the framework of their settlement/ [8] Regarding the change in the statement of the decision, the appellate body states that (in accordance with the jurisprudence; cf. e.g. 
the judgment of the Regional Court in Brno No. 30 !f 42/2014-71 of 20 June 2016, approved by the Supreme Administrative Court by judgment no. 5 !s 173/2016-24 of April 3 2017 and by resolution of the Constitutional Court no. stamp/ III/ ÚS 1796/17 of 20/ June 2017) only specified the description of the act committed by the accused/ This is only a formal change, because it is still the same act, the description of which has been concretized, not actually changed or expanded/ IIa. Procedural procedure in the matter A. Nature and Grounds of Charge [9] In the analysis, the accused primarily objects to the procedural defects of the proceedings/ The accused stated that the Office during the entire trial, he did not explain in detail what he blames on her, thereby violating Article 6, paragraph 3 letter a) of the Convention, according to which "everyone accused of a criminal offense" has the right "to be immediately and in a language they understand, familiarize themselves in detail with the nature and grounds of the accusation against them to him"/ As a result of this misconduct, the accused allegedly could not properly exercise her rights defence, i.e. she could not comment on the matter in a qualified manner, propose evidence to prove her innocence or denial of statements and others/ The accused refers to the judgment of the Municipal Court in Prague čj/ 10 !f 38/2017-50 of November 14, 2019, according to which "Only vague and informal awareness of the existence of the accusation is not sufficient (see the judgment of 12/10/1992 in the case of T/ v. Italy, complaint no. 14104/88, § 28)/ The reason for the accusation is then understood to be the act that was committed by the accused and on which the charge is based. The nature of the accusation is a legal qualification of this act (see the judgment of 25/7/2000 in the case of Mattoccia v. Italy, complaint No. 
23969/94, § 59)"/ Furthermore, the accused stated that the Notice of Commencement of Proceedings dated 27/ February 2020 i Memorandum on clarification of the legal qualification of the deed dated January 3, 2022 with reasons and the nature of the accusation is only addressed in part of one sentence/ More information about the accusation is about the accused did not receive even at the oral hearing on 28/ May 2020/ Only from the contested decision the accused found out that she was processing personal data, that the subject of the proceedings was a specific case alleged transfer of personal data to the company in the period between April and July 2019, why the Office believes that the secondary purpose of processing was not compatible with the primary purpose why, according to the Office, the data was not transferred to the company for the purpose of the statistical activity, why the Office believes that the accused did not have a legal title legitimate interest and what criteria the Office will take into account when imposing a sentence/ In addition the accused further stated that the Office defined the subject of the proceedings so broadly and vaguely that she was not able prepare your defense and assess which documents are in its favor or against it, whereas, according to the accused, this procedural defect had an effect on the legality of the contested decision/ [10] Administrative body of the first instance in the Notice of initiation of proceedings on February 27, 2020 (hereinafter only "Notice of initiation of proceedings") notified the accused of the initiation of proceedings on the offense "of suspicion 1 Communication No. 209/1992 Coll. of the Federal Ministry of Foreign Affairs on the negotiation of the Convention on the Protection of Human Rights and fundamental freedoms and the Protocols following this Convention (hereinafter referred to as the "Convention")/ 3/57 from the commission of an offense pursuant to § 62 paragraph 1 letter b) of Act No. 
110/2019 Coll. in connection with by collecting and transmitting data about the users of the antivirus program, respectively extension of internet browsers (add-ons), especially data on their behavior during use personal computer and the Internet, to third parties for the purpose of profit, although it was not intended for this conduct transparently granted consent from the data subjects, thereby breaching the obligation established in Article 5 paragraph 1 letter a) of Regulation (EU) 2016/679, also for suspicion of committing offense according to § 62 paragraph 1 letter c) of Act No. 110/2019 Coll. in connection with non-compliance information obligations towards users who have installed an anti-virus on their device program or Internet browser extensions (add-ons), which should be infringed obligation set out in Article 13 of Regulation (EU) 2016/679"/ [11] Furthermore, the administrative body of the first instance informed the accused in the Notice of the initiation of proceedings that "[p\pending the initiation of this procedure is expert information and assessment from the public available sources and statements of the company, which are part of the file of the material of this proceeding"/ At the same time, the administrative body of the first instance invited the accused "to submit cooperation agreements and transfer of data concluded between companies and , respectively/ to submit the wording of consents to by processing personal data provided to share data obtained from the device with an installed anti-virus program valid in the months of April 2019 and December 2019, both for the free version and for the paid version of the program, including the method of obtaining it- to submit the wording of information on the processing of personal data according to Article 13 of Regulation (EU) 2016/679, for the months of April 2019 and December 2019 2019- to communicate information about numerical designations of Internet browser extensions (plug-ins) in 2019 and 
the dates of their release- to communicate the content of the information that the expansion of the Internet of browsers (add-ons) in the month of April 2019 and in December 2019 sent outside the sphere of devices user"/From the above, it is clear that the administrative body of the first degree of reasons and nature he devoted more than just "part of one sentence" to the allegations in the Notice of Initiation, as he states accused. According to the appeal body, the information contained in the Notice of Initiation of Proceedings is necessary perceived as a whole and with regard to the wider context of the whole thing. [12] In addition, the appellate authority states that the administrative proceedings against the accused were initiated on the basis of initiative received by the Office on 22 February 2020 and information published in the media (official record no./ UOOU-01025/20-3 dated 27/ February 2020)/ Administrative of the file were inserted between February 10 and February 20, 2020 (official record dated February 27, 2020) information from publicly available sources regarding the transfer of data to the accused company As can be seen from the administrative file, accused several times during the administrative proceedings used her right to view the letter/On the specific day 2/March 2020 (viewing record dosupučj/UOOU-01025/20-6) with the contents of the administrative file reported by the protection officer personal data of the accused, to whom copies were issued in accordance with § 38 paragraph 4 of the Administrative Code in writing from the file material, namely an anonymous complaint dated February 22, 2020 (ref. UOOU- 2 4/5701025/20-1) containing information on "the company's case and two official records from February 27, 2020 (ref. UOOU-01025/20-2 and ref. UOOU-01025/20-3). [13] It follows from the protocol of the oral hearing No. 
UOOU-01025/20-22 dated May 28, 2020, that the reason for the accused's request for an oral hearing with the administrative body was mainly clarification of procedural aspects of the matter in relation to the inspection that the Office carried out on the accused in 2019, i.e. not clarification of the subject of the proceedings. Furthermore, it follows from the protocol of the oral hearing that the accused commented on the content of media articles ("She considers information from media articles to be speculation and is convinced that the processing of personal data by the accused company was carried out on the basis of a sufficient legal title, and the data transferred to third parties has already been anonymized without the possibility of identifying the data subjects.") and, for example, on the fact that she was asked to document the reasons for the termination of the company's activities. From the subsequent statement of the accused dated June 29, 2020, and also from her other statements (in particular, opinion No. UOOU-01025/20-11 dated April 14, 2020, protocol on the oral hearing and inspection of the file ref. UOOU-01025/20-22 of May 28, 2020, opinion No. UOOU-01025/20-25 of June 29, 2020, submission ref. UOOU-01025/20-63 dated April 29, 2021, statement ref. UOOU-01025/20-72 dated May 31, 2021, statement No.
UOOU-01025/20-93 dated February 23, 2022), according to the appeal authority, one can hardly come to the conclusion that the accused does not know what she is suspected of.

[14] If the accused states in the appeal (point 29) that during the administrative proceedings on the offense conducted by the administrative body of the first instance "she did not know what deed the proceedings here were about", she could have raised this objection immediately after the start of the proceedings or at any time during the proceedings before the administrative body of the first instance. However, the accused did not do that; on the contrary, in her opinion dated April 14, 2020 she stated that "[i]f the Office were to come to the conclusion that the company has committed the offenses of which it is accused, the company emphasizes that it has stopped processing data for the purposes of statistical trend analysis even before the initiation of this procedure, with immediate effect from 30 January 2020".

[15] Based on the above, the appellate authority has no doubt that the accused knew for what act (reason for accusation) the administrative proceedings are being conducted. The administrative proceedings in question were initiated following a major media scandal (which took place at the turn of 2019 and 2020), in which a number of media reported (cf. official record no.
UOOU-01025/20-3 dated 27 February 2020) on the transfer of data to the accused company, while this information is part of the administrative file with which the accused has repeatedly familiarized herself. Within the Notification on the initiation of the proceedings, the accused was called upon to submit a contract of cooperation and data transfer concluded with the company. In the communication of April 14, 2020, the accused informed the Office that there had been "the dissolution of the company and the termination of its activity". The appellate body thus came to the conclusion that it is not possible to accept the accused's argument that she learned only from the contested decision that the subject of the proceedings is a specific case of transfer of personal data. On the contrary, according to the appeal body, the accused was informed in detail of the nature of the charges against her, even if the act itself was not described in detail in the Notice of Commencement of Proceedings. According to the appellate body, the subject of the proceedings was sufficiently known to the accused for her to be able to properly prepare her defence. The argumentation of the accused, taken ad absurdum, would as a result mean that the outcome of the administrative procedure should be clear already at the beginning, and that the accused should be acquainted with it. However, the right to a defense cannot be, and is not, conceived or interpreted in such a broad way.
The appellate authority adds that the accused is a large multinational company, which was represented by a lawyer during the entire administrative procedure; it is therefore not possible to infer that she would not know how to exercise her procedural rights.

[16] Regarding the accused's objection that she learned about the time limitation of the deed only from the contested decision, the appellate authority states that in the Notice of Initiation of Proceedings the accused was called upon, among other things, to present the wording of consent to share data obtained from the device with the accused's anti-virus program installed, valid for the months of April 2019 and December 2019, to submit the wording of information on the processing of personal data according to Article 13 of Regulation (EU) 2016/679 for the months of April 2019 and December 2019, and to communicate the content of the information which the Internet browser extensions (add-ons) sent outside the sphere of the user's device in the month of April 2019 and in December 2019. According to the appellate authority, it is clear from the Notice of Initiation of Proceedings that the suspicion of committing offenses related to the period from April to December 2019. Based on the information found during the administrative proceedings, this period was shortened and the accused was found guilty of committing offenses in the period from an unknown day in April 2019 to an unknown day in July 2019. The time limitation of the deed in the statement of the contested decision could not, according to the appellate body, be surprising for the accused (even though the period was shortened compared with that resulting from the Notice of Initiation of Proceedings), and according to the appellate authority this procedure did not interfere with the right of the accused to her defense. The accused, according to the appellate body, was informed of the reasons for the accusation, i.e.
of the act that the accused was alleged to have committed. The objection that the first instance was a so-called "investigative fishing expedition" the appeals body considers, on the basis of the above, to be unfounded.

[17] Likewise, according to the appellate body, the accused was informed of the nature of the accusation, since in the Notice of Initiation of Proceedings the accused was informed that she is suspected of having committed offenses according to Section 62 paragraph 1 letter b) and Section 62 paragraph 1 letter c) of Act No. 110/2019 Coll., which the controller or processor commits by violating any of the basic principles for processing of personal data according to Articles 5 to 7 or 9, or by violating some of the data subject's rights according to Articles 12 to 22 of Regulation (EU) 2016/679, as she was alleged to have violated the obligations established in Article 5 paragraph 1 letter a) and in Article 13 of Regulation (EU) 2016/679. In the Memorandum on Clarification of Legal Qualification of the act dated January 3, 2022, the accused was informed that she was suspected of committing offenses according to Section 62 paragraph 1 letter b) and Section 62 paragraph 1 letter c) of Act No. 110/2019 Coll., since she was alleged to have violated the obligations set out in Article 6 paragraph 1 and Article 13 paragraph 1 letter c) of Regulation (EU) 2016/679.

[18] To another argument of the accused, that "insufficient communication of the accusation then harmed the company also by limiting her right to respect for the prohibition against self-incrimination", the appellate body, in addition to the above, states that the legal principle nemo tenetur se ipsum accusare (no one is bound to accuse himself) should be seen as a prohibition of coercion to self-incrimination. However, the accused does not claim that she was in any way forced to incriminate herself.
[19] Regarding the principle of prohibition of self-incrimination, the appellate authority already in the call for submission of documents addressed to the accused (ref. UOOU-01025/20-105 dated January 9, 2023) referred to the judgment of the Supreme Administrative Court of August 11, 2015, ref. 6 As 159/2014 – 52, in which the court stated the following: “The limits of the prohibition of self-incrimination in relation to the provision of information by legal entities in administrative offense proceedings were dealt with by the Tribunal (formerly the Court of First Instance) and the Court of Justice of the European Union (formerly the European Court of Justice). The referenced jurisprudence concerns the protection of economic competition; however, the conclusions and applications of the stated principles can also be used for the broader legal area of administrative punishment. With a certain degree of generalization, it follows from the relevant jurisprudence, in particular the judgment of the Court of Justice of 18 October 1989, Orkem v. Commission (374/87, Recueil) and the judgment of the General Court of 20 February 2001, Mannesmannröhren-Werke AG v Commission (T-112/98), that the authority is authorized to oblige the participant in the proceedings, even under the threat of sanctions, to provide all the necessary information relating to the factual situation that is known to him, and to hand over any relevant documents that he has at his disposal, even when they can serve to prove wrongdoing against himself or against another. Granting an absolute right to remain silent would exceed the limits of what is necessary to preserve the right of defence, and would represent an unjustified obstacle to the performance of supervisory powers. In relation to self-incrimination, the Tribunal formulated an important conclusion:
"The obligation to answer purely factual questions posed by the Commission and to comply with its requests for the submission of pre-existing documents cannot lead to a violation of the principle of respect for the rights of defense or the right to due process. For nothing prevents the addressee from proving, in the further course of the administrative proceedings or during the proceedings before the Community Court, thus exercising his right of defense, that the facts described in his answers or the submitted documents have a different meaning than the one attributed to them by the Commission." A mere summons by the administrative body to cooperate cannot be considered coercion to self-incrimination. Similarly, according to the appellate authority, it cannot be considered a violation of the aforementioned principle if the party to the proceedings voluntarily presents evidence that will eventually be used against him.

[20] The Constitutional Court also commented on the violation of the prohibition of self-incrimination; in its resolution file no. II. ÚS 4117/19 of April 28, 2020 it stated that "the prohibition against self-incrimination could not have been violated by simply requesting the necessary information relating to the reviewed facts, since it was only a matter of presenting the records that the complainant was required by law to keep. The prohibition against self-incrimination cannot be interpreted in such a way that it would in fact prevent the exercise of the supervisory authority of the capital market regulator, which is, with regard to the sophistication and amount of ongoing transactions on the capital market, justified by a strong public interest". In this context, the appellate body recalls that respect for privacy and the right to personal data protection are guaranteed by the Charter of Fundamental Rights of the European Union (Articles 7 and 8), which explicitly raises the level of this protection to the level of a fundamental right in European Union law.
[21] Pursuant to § 68 paragraph 3 of the Administrative Code, the justification of the decision shall state the reasons for the statement or statements of the decision, the basis for its issuance, the considerations by which the administrative body was guided in their evaluation and in the interpretation of legal regulations, and information on how the administrative body dealt with the proposals and objections of the participants and their comments on the basis of the decision. The assessment of whether personal data was processed, of the purpose of the processing, or of whether the accused processed personal data on the basis of a valid legal title is an immanent part of the decision. According to the appellate body, the administrative body of the first instance was not obliged to inform the accused in advance how it intends to decide on the matter and how it will assess the matter, since these considerations and legal assessments are part of the decision, not of the notification of the initiation of administrative proceedings. The accused thus confuses the necessity of identification of the act and its preliminary legal qualification with the justification of the decision. The Appellate Body therefore states that the accused was, in compliance with the jurisprudence to which she refers, acquainted with the nature and reason of the accusation against her and could therefore fully exercise her procedural rights.

[22] Regarding another argument of the accused, that she only learned from the contested decision what kind of criteria will be taken into account by the Office when imposing the penalty, the appellate authority states that the Office is obliged, when imposing administrative penalties, to proceed in accordance with the legal order, in the case under consideration i.e. in particular in accordance with Regulation (EU) 2016/679 and Act No.
250/2016 Coll., on responsibility for misdemeanors and proceedings on them. However, the administrative authority is not obliged to communicate to the accused, before issuing a decision on the matter, how the individual criteria will be assessed.

[23] The accused further stated in her statement that the Office's misconduct (failure to familiarize her with the nature and the reason for the accusation) was not a mere procedural oversight, since the Office in the resolution No. UOOU-01025/20-43 of January 22, 2021 stated that it is "undesirable that the company knew the factual and legal considerations of the Authority already before issuing the decision, if they were to ensure a stronger argumentative position within the proceedings itself".

[24] The Authority stated in the above resolution: "The administrative body further adds that the opinions of the supervisory authorities in question clearly do not have the character of a binding opinion within the meaning of § 149 par. 1 of the Administrative Code. At the same time, it is not even a "statement that is the basis of the administrative authority's decision", since it occurs only subsequently, after the draft decision itself has been prepared (the preparation of the decision can only be started when all the documents have been collected). This interpretation also ensures the equality of the participants in the individual proceedings. It would be contrary to this principle if the parties to the proceedings in which the procedure is carried out according to Article 60 of Regulation (EU) 2016/679 had privileged access to the factual and legal considerations of the administrative body of the first instance and the supervisory authorities concerned and (through them or directly) to the wording of the draft decision. That would provide them with a significantly stronger argumentative position even before the decision was issued compared to common participants. The cross-border aspect of the case does not
justify the fundamentally different position of the parties to the proceedings in relation to the information about the proposal". According to the appellate body, the accused takes this conclusion entirely purposefully out of context, since the resolution in question spoke only of the international procedure according to Article 60 of Regulation (EU) 2016/679, certainly not of the entire proceedings, which is clear from the resolution in question. The accused was not allowed to familiarize herself with the draft decision that was submitted to other supervisory authorities; however, in cases where the Office makes decisions without this international procedure, draft decisions are also not presented to the participants in the proceedings by default (such an obligation does not follow from any legal regulation). If the Office were to submit draft decisions only to the parties to the proceedings in which it proceeds according to Article 60 of Regulation (EU) 2016/679, i.e.
in cases of cross-border processing carried out by the controller, for which the draft decision is presented to the other supervisory authorities concerned for comment, a paradoxical situation would arise: in cases that are typically more serious (they affect data subjects from different member states of the European Union), the situation of the parties to the proceedings would be significantly stronger than in proceedings in which the procedure is based only on national legislation. As an obiter dictum, the appellate authority states that a proposal for a regulation of the European Parliament and the Council, which establishes additional procedural rules relating to the enforcement of Regulation (EU) 2016/679, is currently being discussed at the European level. The said proposal is also devoted to the question of access to the administrative file, namely in Chapter IV, in which it is specifically stated in Article 19 paragraph 3: "The right of access to the administrative file does not extend to correspondence and exchange of views between the lead supervisory authority and the supervisory authorities concerned. Information exchanged between supervisory authorities for the purpose of investigating individual cases are internal documents and are not accessible to the investigated parties or the complainant."

3 European Commission document COM(2023) 348 final, 11657/23.

B. Participation in administrative proceedings/international procedure

[25] The accused considers another procedural defect to be the fact that the matter "was decided in a proceeding in which she could not participate".
She added that before the administrative body of the first instance there were in fact two parallel proceedings, namely proceedings before the Office and proceedings within the framework of international cooperation, which lasted for a considerably longer period of time and in which, according to the accused, the case was actually decided. The accused could not participate in the proceedings within the framework of international cooperation, she did not have access to the documents, her statement was not submitted in this proceeding, and the matter was thus decided in her absence. The accused further stated that no applicable legal regulation allows the division of the proceedings, and she therefore considers such a procedure inadmissible. The procedure according to Article 60 of Regulation (EU) 2016/679 is, according to the accused, still part of the national proceedings and procedurally, with the exception of issues specifically regulated by the mentioned regulation, it is governed by national procedural law. Only when the situation foreseen in Article 65 of Regulation (EU) 2016/679 occurs are, according to the accused, further proceedings initiated before the European Board for the Protection of Personal Data (hereinafter also "Board" or "EDPB"). However, even in proceedings before the Board, the accused would have the standing of a participant and would have full rights of defense.

[26] The accused further stated in the appeal that the Office unlawfully denied her access to a key part of the administrative file when it did not allow her to view documents from international cooperation, which it justified by the fact that the statements of other supervisory authorities do not constitute binding opinions, and therefore the accused should not have access to them. Documents from international cooperation are related to the matter, while the administrative file consists of all documents relating to the same matter. Opinions
of foreign supervisory authorities, according to the accused, had a fundamental influence on the contested decision, since the process of international cooperation lasted longer than the proceedings themselves and the draft decision was reworked in the course of it. The accused does not agree with the Office's conclusions stated in the decision on the appeal ref. UOOU-01025/20-82 of 30 August 2021 against the resolution of the Office by which the accused's request for access to the part of the file related to the cooperation mechanism pursuant to Article 60 of Regulation (EU) 2016/679 was not granted, since, according to the accused, it cannot be inferred from the Instructions of the Board No. 3/2021 that she should have had the right to inspect the file only after the proceedings before the Board have started. The accused also does not agree that the procedure within the framework of international cooperation should be the procedure of the European Union administrative board, since the procedure according to Article 60 of Regulation (EU) 2016/679 is part of the national proceedings; only after the case is referred to the Board in accordance with Article 65 of Regulation (EU) 2016/679 are new proceedings started. In this context, the accused refers to the Board's Instructions 2/2022, in which it is stated that "where EU law does not provide specific procedural rules, national procedural law applies. In these cases, the principle of national procedural autonomy usually applies, which is a general principle of EU law". According to the accused, the Authority itself recognizes that the documents from international cooperation relate to the matter under consideration and that it took them into account when issuing the contested decision; therefore, they should have been made available to the accused, so as not to interfere with her rights to defense. Furthermore, the accused objected to inconsistency in the Office's procedure, since in the control procedure documents from international cooperation were made available to her.

4 The appellate body at this point considers it necessary to emphasize that the procedure according to Article 60 of Regulation (EU) 2016/679 is not a proceeding, but a procedure of international cooperation between supervisory authorities.
5 Instructions 03/2021 for the application of Article 65(1)(a) GDPR (version 2.0) adopted on 24 May 2023, available in English version at: https://edpb.europa.eu/system/files/2023-06/edpb_guidelines_202103_article65-1-a_v2_en.pdf.
6 Instructions 02/2022 for the application of Article 60 GDPR adopted on March 14, 2022, Czech version available at https://edpb.europa.eu/system/files/2022-10/guidelines_202202_on_the_application_of_article_60_gdpr_en.pdf

[27] The accused considers the Office's decision on the matter in proceedings within the framework of international cooperation, in which she could not participate, to be another violation of her procedural rights, while this procedure is contrary to Article 38 paragraph 2 of the Charter of Fundamental Rights and Freedoms (Act No.
2/1993 Coll., hereinafter "Charter"), according to which everyone has "the right to have his case heard in public, without unnecessary delays and in his presence, and to be able to comment on all the evidence presented". According to the accused, the aforementioned article of the Charter also applies in administrative proceedings, and all the more so in administrative proceedings of a punitive nature. According to the accused, the Office must ensure that even in the case of the procedure according to Article 60 of Regulation (EU) 2016/679, all rights of the accused to defend herself remain preserved. According to the accused, the Office should have (beyond the scope of the inspection of the file described above) conveyed her statement and argumentation to foreign supervisory authorities, and allowed her to comment on the opinions of other supervisory authorities. The accused explicitly requested the Office (e.g. in her statement of 31 May 2021) to share her statement with other supervisory authorities; however, the Office did not inform her about this procedure, and the accused therefore believes that it did not do so. Likewise, the Office should have allowed the accused to comment on the objections of other supervisory authorities, which the administrative body of the first instance refused in the contested decision, stating that there would be an "unresolvable procedural loop", which, however, according to the accused, cannot occur. Moreover, the possibility to react to the objections of the supervisory authorities is, according to the accused, explicitly stated in the Instructions of the Board No. 2/2022 on the application of Article 60 of the GDPR (hereinafter referred to as "Instructions No. 2/2022").

[28] Regarding the denial of access to records from the cooperation mechanism pursuant to Article 60 of Regulation (EU) 2016/679, the appeals body states that the Office has already made a final decision on this by resolution ref.
UOOU-01025/20-61 of April 23, 2021, and subsequently by decision No. UOOU-01025/20-82 dated August 30, 2021, by which the appeal against the aforementioned resolution was rejected; the Appellate Body hereby refers to both said decisions and their justification. The Appellate Body emphasizes that the Office, in accordance with Article 60 paragraph 3 of Regulation (EU) 2016/679, submitted the draft decision to the other supervisory authorities concerned so that they could comment on it, while this draft decision was drawn up by the administrative body of the first instance only after all the documents for the decision had been collected, with which the accused was acquainted and on which she could comment. According to the appeal body, no new documents for issuing a decision arose from the procedure according to Article 60 of Regulation (EU) 2016/679 itself (nor could they arise from possible objections or comments), since all the documents were collected before the formulation of the draft decision. Cooperation of supervisory authorities according to Article 60 of Regulation (EU) 2016/679 has no analogue in the Czech legal order. It can best be compared to deliberation (in the sense of consideration directed to reach a consensus), within which the other supervisory authorities concerned have the opportunity to comment on the submitted proposal. Other supervisory authorities, however, are not in the position of so-called affected bodies (cf. § 136 of Act No. 500/2004 Coll.)
defending their own interests (or possibly a particular public interest), whose opinion the decision-making body (in this case the Office) would consider among the documents of the proceedings. In other words, the other supervisory authorities are not ones who would defend their interests competing with the interests of the party to the proceedings. National supervisory authorities protect the public interest, which is in particular the protection of personal data, and it is therefore impossible to talk about competition with the interests of the party to the proceedings. Neither the Czech legal code nor Regulation (EU) 2016/679 recognizes the procedural right of a party to the proceedings to comment on the draft decision before this decision is issued in the sense of Article 60 paragraph 7 of Regulation (EU) 2016/679, nor the right to otherwise participate in this deliberation of the supervisory authorities. If, however, the lead supervisory authority and the supervisory authorities concerned did not reach a unified opinion within the said international procedure, Article 65 of Regulation (EU) 2016/679 regulates the procedure in which the disputed question is referred to the Board. In this proceeding, the participant in the proceedings before the Board has the right to be heard and to comment on the documents of the proceedings. The procedure according to Article 65 of Regulation (EU) 2016/679 (which did not occur in this case) must, however, according to the appeal body, be distinguished from the procedure according to Article 60 of this regulation.

[29] In the event that, during the procedure according to Article 60 of Regulation (EU) 2016/679, shortcomings of the administrative procedure carried out by the lead supervisory authority came to light (e.g. additional evidence would be required, or the deed should be qualified differently), the lead supervisory authority would continue with the proceedings (in this case, according to Act No. 500/2004 Coll., or Act No.
250/2016 Coll.), in which space would be given for the exercise of the right to be heard and to comment on the basis of the decision. However, not even this procedural development occurred after the deliberation. The decision of the administrative body of the first instance was thus issued on the basis of documents collected as part of the administrative proceedings, with which the accused had the opportunity to become acquainted and on which she could comment. Her procedural rights were thus, according to the appellate body, not affected in any way.

[30] For completeness, the appellate body adds that the procedure according to Article 60 of Regulation (EU) 2016/679 was initiated for the first time as part of the administrative procedure in question already on August 31, 2020; however, it was not completed in the manner envisaged by the said regulation, since on the side of the first-instance administrative body itself doubts arose as to whether, before the drafting of the draft decision, the accused had been given sufficient space to comment on the basis of the decision in the sense of § 36 paragraph 3 of Act No. 500/2004 Coll. The administrative body of the first instance therefore did not continue with this procedure, so it could not have any legal effects provided for in Article 60 paragraph 6, last sentence, of Regulation (EU) 2016/679 towards the administrative body, let alone effects towards the accused. Only after the procedure according to Act No. 250/2016 Coll., respectively No.
500/2004 Coll., in the framework of which the accused was given room for the standard application of all procedural rights, was the procedure according to Article 60 paragraph 3 of Regulation (EU) 2016/679 initiated on October 31, 2021, by submitting a draft decision to the supervisory authorities concerned. This procedure ended consensually, that is, no question arose from it that would be disputed between the lead supervisory authority and the supervisory authorities concerned and should be referred to the decision of the Board pursuant to Article 65 paragraph 1 letter a) of Regulation (EU) 2016/679. The administrative body of the first instance therefore continued the proceedings by issuing a decision in accordance with § 67 of Act No. 500/2004 Coll.

[31] For clarification, the appellate authority adds to the above that the prematurely initiated procedure according to Article 60 paragraph 3 of Regulation (EU) 2016/679, which was terminated without a legally relevant result, cannot establish a procedural defect or the illegality of a decision that arose only from the next stage of the given administrative procedure, all the more so since even then the accused was given space to exercise her procedural rights, and since the draft decision (drafted on the basis of documents with which the accused had the opportunity to get acquainted and comment on them) was subsequently resubmitted to the supervisory authorities concerned for deliberation according to the procedure of Article 60 paragraph 3 of Regulation (EU) 2016/679.
[32] In addition to the above, the appellate authority states that during the inspection conducted by an independent inspector of the Office, some documents from international cooperation were indeed made available to the accused; however, this occurred in a situation where Regulation (EU) 2016/679 had been effective only briefly and the practice of the supervisory authorities regarding the procedure according to Article 60 of this Regulation had not yet been clarified even at the level of the Board. Out of procedural caution, the inspector therefore allowed the accused to become familiar with the contents of the documents. For several reasons, this was a redundant procedure; above all, the control protocol is not, by definition, a draft decision in the sense of Article 60 paragraph 3 of Regulation (EU) 2016/679, and at the same time it is clear that the mentioned procedure chronologically and legally preceded the administrative procedure in question, and thus could not have an influence on its legality.

[33] Regarding the accused's objection that the Office denied her the right to have the matter discussed in her presence, the appeal body states that the accused clearly perceives the procedure according to Article 60 of Regulation (EU) 2016/679 as a form of administrative proceedings. As already mentioned above, the deliberation of the lead supervisory authority and other supervisory authorities concerned is not an application of the provisions of Act No.
500/2004 Coll.; that is, it does not have the character of administrative proceedings and takes place only after the procedural rights of the participants in the proceedings have already been exercised. Neither Act No. 500/2004 Coll., nor Act No. 250/2016 Coll., nor Regulation (EU) 2016/679 confers any additional procedural rights on the parties to the proceedings, especially since the elementary logic of a directly applicable general regulation does not functionally assume, or rather does not allow, such a form of participation in the deliberation. Within the procedure in accordance with Article 60 of Regulation (EU) 2016/679, the supervisory authorities familiarize themselves with the draft decision and assess it within the same framework as the previous domestic procedure. The Appellate Body emphasizes, however, that this happens only at the moment when all the procedural steps in the given administrative procedure have already been carried out, before the actual issuance of the decision and its delivery to the parties to the proceedings.

[34] Therefore, if the accused demands "procedural participation" in the deliberation, then in essence she demands that the Office submit the draft decision to her for further comments at the various stages of the procedure according to Article 60 of Regulation (EU) 2016/679. However, neither the Czech legal regulation of the administrative process nor Regulation (EU) 2016/679 guarantees such a right.

[35] In decision No. UOOU-01025/20-82 of August 30, 2021, the Office stated that allowing the accused to comment on the objections of other supervisory authorities could lead to an "unresolvable procedural cycle". In the event that the draft decision was changed on the basis of the comments of the accused, this draft would have to be resubmitted to the other supervisory authorities. This procedure could be repeated, taken ad absurdum, to infinity. In Guidelines No.
2/2022 (point 168) it is stated: "This does not affect the efforts made to reach consensus and the possible obligation of the lead supervisory authority under national law to provide the right to be heard again in light of anticipated changes in the revised draft decision which will have a new impact on the controller or processor". At this point the Board speaks of "possible obligations" under national law, and above all relates this eventuality only to the "revised draft decision", in the context of any novelties on which the controller could not comment or which were not based on the existing documents of the proceedings. The Czech legal order, however, does not stipulate an obligation to acquaint the party to the proceedings with the draft decision, nor does it foresee at all that, between the drafting of a decision and its procedural and formal completion in the form provided for by law (signature by an authorized official), there would be a period of time for (at an opportune moment) inspection of the file, familiarization with the newly drafted decision, and further comments by the party to the proceedings. This may appear as a certain externality of the remote written procedure according to Article 60 of Regulation (EU) 2016/679, under which a time period of weeks is created, but only for the reason of communication between authorities that are not physically present in one place at one moment. In the case of the procedure proposed by the accused, the procedural cycle would undoubtedly actually occur; in other words, the accused does not respect that it is the supervisory authorities who have the "last word" on the submitted draft decision, not the accused on the opinions of those supervisory authorities.

C. Legitimate Expectations

[36] As another procedural defect, the accused objects that the Office violated her legitimate expectations, since the same act had already been dealt with by the Office once. The accused states that, alongside the administrative proceedings now being conducted, the Office conducted an inspection (started on July 2, 2018, file no. UOOU-07166/18), which concerned, among other things, the transfer of data to the company, which should be obvious, for example, from the accused's statement of August 1, 2018. According to the accused, the matters also overlapped in terms of time, since following the inspection the Office decided on 18 September 2020 (official record ref. UOOU-01733/19-31) that it would not initiate administrative proceedings, whereas the administrative proceedings currently being conducted had already been started on 27 February 2020. The accused further stated that she does not agree with the argument of the administrative authority of first instance that the aforementioned official record related only to the development of the antivirus program.

[37] To this, the appeal body states that the inspection (file no. UOOU-07166/18) was started on 2 July 2018 on the basis of an initiative forwarded by the Dutch supervisory authority (a complaint about not being able to disable preset privacy options in the free version of the antivirus software for Apple Mac). Its subject was compliance with the obligations established by Regulation (EU) 2016/679 in connection with the processing of personal data of users of the inspected party's antivirus software, focusing on the level of protection of the privacy of users of the free versions of the antivirus software compared to paying customers. The inspection report ref. UOOU-07166/18-46 dated 19 March 2019 does not mention the transfer of data to the company or the statistical analysis of trends at all, which shows that the inspection was not focused on the transfer of data to the company.

[38] As the administrative authority of the first instance already stated in its decision (p.
5 of the contested decision), the inspection of the accused was focused on the fulfilment of the controller's duty under Article 5 paragraph 2 of Regulation (EU) 2016/679, i.e. the obligation to document that the controller's procedures comply with the basic principles of personal data processing, as well as on the fulfilment of the obligations pursuant to Article 24 paragraph 1 of Regulation (EU) 2016/679, i.e. the controller's obligation to adopt appropriate technical and organizational measures to ensure, and be able to document, that the processing is in accordance with the said regulation. The very fulfilment of the basic principles of personal data processing resulting from Article 5 paragraph 1 of Regulation (EU) 2016/679 was not directly addressed by the inspection. This conclusion was, incidentally, also stated by the chairperson of the Office when handling the objections to the inspection findings, ref. UOOU-07166/18-53 of 4 June 2019.

[39] It is clear from the official record of September 18, 2020 (ref. UOOU-01733/19-31) that the conclusion on the non-initiation of proceedings on remedial measures is based on the documents listed therein, which the inspected party had submitted in the meantime. For example, the Personal Data Processing Policy updated in February 2020 (appendix 6 to the statement of the accused of February 26, 2020, ref. UOOU-01733/19-20) and the other updated documents no longer contain information on data processing for the purpose of trend analysis or information about the transfer of data to the company. The mentioned Personal Data Processing Policy states: "On the basis of legitimate interests we will use your personal data for the purpose of (...) third-party analytics, for evaluating and improving the performance and quality of our products, services and websites and for understanding trends in their use, and for evaluating conversions and the success of campaigns". From the statement of the accused of August 1, 2018 (no.
UOOU-07166/18-12, under letter C) it follows that the accused uses third-party analytical tools provided by the Company. At the time the official record was issued, the documents presented by the accused did not contain trend analysis and the company had, according to the accused's communication, terminated its activity; if third-party analysis was mentioned in the official record, what was meant was not trend analysis but third-party analytics in the sense of the Personal Data Processing Policy cited above.

[40] In the call of the Inspector of the Office No. UOOU-01733/19-5 dated June 12, 2019, it is explicitly stated that by voluntarily correcting the deficiencies identified by the inspection (the inspection established a violation of Article 24(1) of Regulation (EU) 2016/679), administrative proceedings on the imposition of measures to correct these deficiencies can be prevented. Official record ref. UOOU-01733/19-31 then contains a conclusion on the non-initiation of proceedings to impose measures to eliminate the identified deficiencies (i.e., measures to prevent the recurrence of the detected errors in the future). In this context, the appellate body completely agrees with the considerations of the administrative body of the first instance regarding the different nature and function of the inspection procedure and its possible follow-up administrative procedure for the imposition of remedial measures, which serve to verify and/or ensure the compliance of the actions of inspected persons with the law (cf. p.
4 of the contested decision), and misdemeanor proceedings, the purpose of which is to determine whether the act actually happened, whether it is a misdemeanor, who committed it and what kind of punishment can be imposed. According to the appeal body, the Office could not have created a legitimate expectation on the part of the accused that, if she voluntarily took remedial action, misdemeanor proceedings could be prevented. Similarly, the fact that the inspector of the Office decided in September 2020 that, on the basis of the updated documents submitted by the accused, he would not initiate the procedure for the imposition of measures to eliminate the deficiencies found in the inspection does not mean that the Office cannot continue the misdemeanor proceedings now being conducted (started in February 2020), which relate to an act committed in 2019. In addition, the appellate authority states that the official record of the Office inspector regarding the non-initiation of proceedings does not have the nature of an administrative decision, i.e. it does not create the obstacle of a matter already decided. The accused thus cannot invoke the principle of ne bis in idem.

IIb. Substantive assessment

[41] In the statement, the accused stated that she did not hand over personal data to the company, as she had anonymized all transmitted data so that it could be used for trend analysis but at the same time so that the data subjects were not identifiable. For this purpose, direct and indirect identifiers were removed from the data, as well as so-called derivative information that could help to re-identify specific data subjects. The accused believes that the administrative authority of the first degree mistakenly considers the transferred data to be personal data on the basis that (theoretically) two data sets could be combined and the data subjects could thus be identifiable. According to the accused, it cannot be argued that every time a data subject can be identified by combining two data sets, both original data sets will be considered personal data, not certain information can be personal data for one person, and at the same time one person will be personal data for another person.
If it were to apply that personal data is any information that, in connection with information available to any other person, may lead to the identification of the data subject, this would mean that any information that arose from the processing of originally personal data and that contains some combination of general properties (even though it is anonymized in such a way that it no longer concerns a specific person) would practically always constitute personal data. The accused is of the opinion that, according to the jurisprudence of the Court of Justice, when assessing the identifiability of the data subject it is necessary to take into account also the means that could be used by a third party; however, they must be means that the controller or third parties can reasonably be assumed to use. According to the accused, it cannot reasonably be assumed that third parties will use means that are not legally permitted. According to the accused, the administrative body of the first instance should have examined not only whether the two data sets in question exist, but above all whether it could actually reasonably be assumed that they would be combined.

[42] The accused subsequently described in the appeal the anonymization process used, stating that before submitting any data to the Company she removed all identifiers using the algorithms and methods described in a patent registered in the USA under No. This automated process removed, according to the accused, both information directly identifying the data subject (e.g. user name) and information identifying the user indirectly (e.g.
user ID), but also information from which identification could potentially be derived (e.g. a unique combination of certain parameters contained in the URL). The accused emphasized that it was thus not only a matter of removing direct identifiers, but of the overall anonymization of the data file in question. Likewise, the complete website browsing history was not transmitted, as the result of the anonymization process was only a certain fragment of the total set of URLs. The accused further stated that the administrative authority of the first instance did not discuss the anonymization process in detail, and it is therefore not clear how it came to the conclusion that personal data were transferred to the company.

[43] Identification of data subjects, or any reverse engineering (among other things, the combination of two data sets), was, according to the accused, prohibited in the contractual documents concluded with the company, and therefore could not reasonably be assumed. Likewise, such an activity would have been in violation of legal regulations, specifically Regulation (EU) 2016/679. To this the accused adds that the administrative body of the first instance did not claim or prove that any reverse engineering by combining the data sets of the accused and the company ever occurred. The accused and the company were separate management companies that had to abide by the concluded contracts. Within the group, the company was not a controlling entity and therefore could not order the accused to hand over the data needed to re-identify the data subjects, so the company had no means of achieving the re-identification of data subjects, and it is difficult to conclude that re-identification of the subjects could reasonably be assumed.

[44] The accused also commented on the contents of the contracts concluded with the company, which regulate, among other things, the procedure of the parties in the event that a transfer of personal data occurred. The accused
repeated that she only provided anonymous data to the company, and that merely for the sake of due diligence the contracting parties had processes in place for the case that a transfer of personal data occurred inadvertently and contrary to the subject of the contract. According to the accused, the administrative authority of the first instance points out in the contested decision that the contracts in question referred to anonymization as the removal of direct identifiers. Although the contracting parties chose this name (elimination of direct identifiers), by anonymization they in fact understood, according to the accused, a significantly broader anonymization process, as described above. According to the accused, the administrative body of the first instance should not have been satisfied with what the parties called the process in the contract, but should have investigated what this process actually looked like.

[45] Regarding the transferred data, the accused further stated that she was transferring Internet browsing history data, which she had anonymized; only information of statistical informative value was transmitted, i.e. it was possible to determine general trends, consumer preferences, etc. from it. However, according to the accused, the company could not identify specific persons in any way, not even with regard to their social identity, as stated by the administrative body of the first instance in the contested decision. Likewise, the accused did not hand over the complete Internet browsing history, because the history had been anonymized and some URLs were not included for technical reasons (e.g.
pages with Ajax technology), and certain websites were not relevant for the statistical analysis of trends and were therefore not part of the data sets in question. At the same time, the transmitted data was collected only from browsers with the Online Security extension installed and enabled and from the Mobile Security mobile applications and on the Android platform, whereas, according to the accused, it is a generally known fact that users often use more than one browser.

[46] Furthermore, the accused said that in misdemeanor proceedings it is necessary to establish the facts so that there are no doubts about the matter, while the conclusions of the administrative body must be supported by legally relevant evidence, a standard which unsubstantiated speculation arising from newspaper articles does not meet in any case. The Office never demonstrated what data the company provided to other persons, and therefore these unproven facts cannot be relied on in any way. Moreover, the point of the transfer of data to the company was never the acquisition of information about specific persons, but generally valid conclusions relating to certain social segments and types of customers, since only such information is commercially usable.

The purpose of the legislation and the principle of controller responsibility

[47] At the outset, the appeal body emphasizes that the purpose of the legal regulation of the protection of personal data is prevention, i.e. preventing or at least minimizing the risk of interference with the rights of data subjects. The practical reflection of the aforementioned preventive approach is, among other things, that all definitions contained in the legislation must be interpreted broadly and, at the same time, all exceptions must be interpreted as narrowly as possible. This corresponds to the long-term decision-making practice of the Court of Justice (e.g.
the judgment in the Lindqvist case, C-101/01 of November 6, 2003; the judgment in the Ryneš case, C-212/13 of December 11, 2014; the judgment in the Jehovan todistajat case, C-25/17 of 20 July 2018; the judgment in the Nowak case, C-434/16 of 20 December 2017). Regulation (EU) 2016/679, compared to the previous legislation (Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the protection of natural persons in connection with the processing of personal data and on the free movement of such data), expressly regulates the principle of controller responsibility. According to this principle, the controller must, pursuant to Article 24 of Regulation (EU) 2016/679, adapt the specific way of performing processing operations to the risks that follow from this processing of personal data. At the same time, when processing personal data the controller is obliged to comply in particular with the general principles formulated in Article 5 paragraph 1 of Regulation (EU) 2016/679 (again adequately in relation to possible risks) and must, in accordance with Article 5 paragraph 2 of this regulation, be able to demonstrate compliance with them; this effectively transfers the burden of proof to the controller. The controller is therefore obliged first to evaluate the possible risks of the intended (and ongoing) processing. The higher the risk of interference with the rights of data subjects that the specific processing entails, the more rigorously the controller must assess the possibilities of the entire processing, while it is necessary to focus primarily on fulfilling the principles of personal data protection and complying with them, and only secondarily to examine whether it would be possible to apply any of the exceptions to these principles arising from Regulation (EU) 2016/679. In the case of high-risk processing that could result in a noticeable interference with the rights of data subjects, the controller must, to the maximum extent
possible, ensure compliance with the obligations arising from Regulation (EU) 2016/679 and not rely on the application of any exceptions.

A. Personal data

[48] The accused, in her statement during the inspection (ref. UOOU-07166/18-12 of August 1, 2018), said that with the paid version of the antivirus software users are identifiable to the accused, since part of the payment data (in the scope of name, e-mail address, city and country of the user, license information, payment method information), which are collected by an authorized third party for the purpose of payment processing, may be provided to the accused. From the Company's Personal Data Protection Policy (Annex No. 7 to ref. no. UOOU-01025/20-11) it follows that, in the case of a request for the provision of support, the accused collects personal data in the scope of name, e-mail address, telephone number, address, and possibly also IP address, information about hardware and software, URL addresses of visited pages, files stored on the computer, e-mail messages and similar data. From the above it is clear, according to the appellate authority, that part of the antivirus software users, i.e. paying customers and users who requested support, were identified for the accused (not merely identifiable).

[49] In the Product Processing Principles (Annex No. 7 to ref. UOOU-01733/19-16) it is stated that when the product Antivirus for computers (Mac and Windows) is used, the accused processes personal data (apart from account data and billing data, if relevant), namely operational data: identifier of delivered content (message), IP address, malware samples, detections, URLs and referring pages, product events and usage; and device data:
internal online identifiers (GUID, Device ID), computer or device information, location, information about applications in the device, about other products of the accused in the device, about the Internet and connections, about the number of devices on the network and about browsers (installed, default). On the basis of this information it was also possible to identify the user indirectly; the accused was thus processing personal data within the meaning of Article 4 point 1 of Regulation (EU) 2016/679, which the accused herself does not dispute.

[50] From the statement of the accused made as part of the inspection on August 1, 2018 (ref. UOOU-07166/18-12) it follows that the accused assigns to each antivirus software installation a randomly generated alphanumeric code called a GUID. So if multiple antivirus software products are installed on the device, or if the product is uninstalled and reinstalled, each of these installations will have a different GUID, according to the accused, and thus the GUID is not a unique static identifier. In the Company's Personal Data Protection Principles (Annex No. 7 to ref. UOOU-01025/20-11) it is further stated that for customers of paid products and services for personal computers the GUID is associated with billing information.

a) Data transferred to the company

[51] Part of the processed data was allegedly passed on to the company. In the Product Processing Principles (submitted by the accused on December 20, 2019, appendix no. 7 to ref. UOOU-01733/19-16) the following is stated for Antivirus for computers (Mac and Windows): "If the Web Shield function is active and you consent to data processing (internal identifier (GUID), product version, time information, de-identified and stripped URLs (if not cached), carefully selected aspects of some pages without identifiers, selected requests) for the purposes of trend analysis, which means that you will subsequently provide this set of data companies to develop products and services". For the product Antivirus for mobile devices (Android) the following is stated: "If Web Shield is active and you enable the processing of clickstream data (internal identifier (GUID), product version, approximate location along with de-identified and stripped URLs and information related to website URLs that you visit online) for trend analysis purposes, will then provide this data file in a form that removes identifiers and thus enables the company to develop products and services" (emphasis added by the appellate authority). It is further stated for this product that it also shares time information and Application IDs. The same range of data transmitted to the company (except the application ID) is stated in the Consent Use Policy (submitted by the accused on December 20, 2019, Annex No. 2 to Reference No. UOOU-01733/19-16).

[52] In Appendix B (called Amended and Supplemented Data License Agreement, in English Restated Data License Agreement) to the Data Order (in English Data Order Form) concluded between the accused and the company on August 30, 2019 (hereinafter referred to as the "Data Order" or "Agreement"), point 1.7, entitled "Data Controller", states: "Company and acknowledge that Data may include personal data as defined by the relevant legal regulations ("Personal Data"). To the extent that the Data contains Personal Data, the parties have analyzed the nature of the use of Data under the Agreement and established that the company has the discretion to determine its use of the Data in accordance with this Agreement and therefore is the Data Controller".
From the above, according to the appellate authority, it unequivocally follows that the accused was aware that personal data of the users of its antivirus software could be handed over to the company, even if through incorrectly performed anonymization. The accused stated in the appeal that she had processes set up in case a transfer of personal data to the company occurred inadvertently, which, according to the accused, of course does not prove that she actually passed on personal data. From point 1.7 of Annex B to the Data Order, however, it follows that the company could continue to use the personal data received. If, under the contract, the company had only been supposed to dispose of accidentally transferred personal data, it would not itself decide on their use and would not be in the position of a controller of personal data. If the company was not supposed to process personal data at all, then, according to the appeals body, it would not have made sense to define it as a data controller in the contract.

[53] In Appendix B to the Data Order (item 1.1., called "License"), it is stated that the company is granted a license "to download a copy of the Data (as such is defined and determined in Appendix A of each relevant Order) (...) and to use the Data for the business activities of the company, to incorporate them into the company's products and services in the Reserved area, in particular to use the Data as a whole or to incorporate it into the company's services and to make the Data included in the company's services available to third parties, specifically the company's customers" (highlighted by the appeals body).
According to Annex B of the Data Order (item 1.2.), "reserved area" means the area of "marketing, marketing analytics, advertising technology, marketing automation, marketing optimization, consumer behavior analysis, eCommerce analysis and trend analytics". The Company could thus, in accordance with the Data Order, incorporate the received "Data" (representing or containing personal data) into its products and further make them available to its customers.

7 In English: “Data Controller. and acknowledge the Data may include personal data, as defined by applicable legislation ("Personal Data"). To the extent Data contains Personal Data, the parties have analyzed the nature of the use of Data under the Agreement and have determined that has discretion to determine its uses of the Data in compliance with this Agreement and thus is a Data Controller.”

b) Anonymization and pseudonymization

[54] According to Recital No. 26 of Regulation (EU) 2016/679, data protection principles "should apply to all information relating to an identified or identifiable natural person.
Personal data to which pseudonymisation has been applied and which could be assigned to a natural person on the basis of additional information should be considered information on an identifiable natural person. When determining whether a natural person is identifiable, account should be taken of all means, such as singling out, which the controller or another person can reasonably be assumed to use for the direct or indirect identification of the natural person. To determine whether means of identifying a natural person can reasonably be expected to be used, all objective factors should be taken into account, such as the cost and time required for identification, taking into account the technology available at the time of processing and technological development. The principles of personal data protection should therefore not apply to anonymous information, namely information that does not relate to an identified or identifiable natural person, nor to personal data anonymized so that the data subject is not or has ceased to be identifiable. This regulation therefore does not apply to the processing of such anonymous information, including processing for statistical or research purposes".

[55] Recital No.
28 of Regulation (EU) 2016/679 then states that "the use of pseudonymization of personal data can limit risks for data subjects and help controllers and processors to fulfill their data protection obligations".

[56] It follows from Opinion No. 5/2014 of the Working Party WP 29 on anonymization techniques that creating a truly anonymous data set is "not an easy matter" or "a data set considered anonymous can, for example, be combined with another set of data so as to identify one or more natural persons". The opinion further explains the concept of anonymization, which is understood as "a technique that is used on personal data so that identification is irreversibly impossible", while the data must be in such a form that it is impossible to identify the data subject by any means that may reasonably be used by the controller or any other person. If the data were truly anonymous, not even the controller itself should be able to identify the data subjects. The opinion further states that "It is therefore essential to understand that if the data controller does not delete the original (identifiable) data at the level of the given operation and passes on part of the data set (for example after removing or masking identifiable data), the resulting data set continues to be personal data". Even though the accused forwarded to the company data from which some identifiers had been removed (but not, for example, GUIDs), the transmitted data set cannot, according to the appellate authority, be considered completely anonymous. In addition, the recipient of this data (the company) had the option, based on the data provided, of identifying the data subjects again (for more details, see below).
[57] According to the appellate body, anonymization must mean such modification of personal data, which usually irreversibly removes the very personal essence of the data, absolutely, not only relatively in relation to one recipient of the data/ In contrast, pseudonymization is measures to mitigate the risks arising from the processing of personal data, without being affected by it the nature of the personal data/In this case, it is a measure relative to the specific recipients/ Furthermore, Recitals No. 75 and 85 of Regulation (EU) 2016/679 speak of "unauthorized 8https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_cs.pdf 19/57 cancellation of pseudonymisation", which in itself proves the assumed reversibility pseudonymisation, while preserving the personal nature of personal data/ [58] The question of the boundary of anonymization is related to the issue of the so-called subjective and objective the concept of personal data. According to the objective approach, it is personal data if objectively, there is other information somewhere that, in conjunction with anonymized information, can lead to (re)identification of data subjects/ According to the subjective concept, in the event that the administrator does not have the necessary information leading to the identification of data subjects, or personal data he does not act, even though this information may exist beyond his reach/ Given the strong the pervasive principle of prevention, as the basic purpose of the regulation of the protection of personal data, it is necessary to look at the concept of personal data rather from the perspective of an objective concept, which the previous decision-making practice of the Court of Justice also corresponds/ [59] The judgment of the Court of Justice in the Breyer case (C-582/14 of 19/ October 2016), which stipulates a rather objective approach/ In the aforementioned judgment (paragraphs 44-46) The Court states. 
"The fact that the additional information needed to identify the user of the website is available not to the online media service provider but to this user's internet connection provider cannot rule out that dynamic IP addresses stored by the online media service provider constitute personal data for this provider within the meaning of Article 2(a) of Directive 95/46. It is, however, necessary to determine whether the possibility of combining the dynamic IP address with the said additional information available to this internet connection provider represents a means that can reasonably be used for the identification of the data subject. As stated by the Advocate General in point 68 of his opinion, this is not the case where the identification of the data subject is prohibited by law or would be practically impracticable, for example due to the fact that it would require a disproportionate effort in terms of time and in terms of economic and human resources, so that the risk of identification would in fact appear insignificant."
It follows from the above that, for a data subject to be identifiable, not all information necessary for identification need be in the hands of one administrator (objective approach). According to the Court of Justice (following on from recital 26 of Regulation (EU) 2016/679), identification of the data subject is not possible if it is prohibited by law (not only contractually, as the accused submits) or practically unfeasible.
[60] The appeal body sees a significant difference in whether the identification of data subjects is prohibited by law or by contract.
Basically anyone can invoke compliance with a prohibition of processing resulting directly from the law, and it can be enforced under public law. Such a prohibition also has an important preventive function, which is essential in the field of personal data processing. The Office does not dispute the principle of pacta sunt servanda; however, in the case of private-law contractual arrangements, the content of which is usually known only to the contracting parties, the possibility to claim or enforce the fulfillment of obligations agreed between the contracting parties (or compensation for damage caused to data subjects) is significantly more limited. In addition, the contract can be changed by the contracting parties, and it can also be invalid or unenforceable.
[61] In the opinion of December 4, 2023, the accused argues on the basis of the current decision-making practice of the Court of Justice, which, according to her, demonstrates a shift from the objective concept of the term personal data to the subjective one. The judgment of the Tribunal in the Single Resolution Board case (T-57/20, dated April 26, 2023) does show an obvious inclination towards the subjective concept of the term personal data; however, the conclusions therein cannot be applied to the present case, since (as explained below) the company had the option, e.g. on the basis of publicly available additional information, to identify data subjects. In addition, according to the appellate authority, the applicability of the said judgment is at least limited, since it is only a decision of the Tribunal, against which an appeal was filed with the Court of Justice; it also cannot be overlooked that, from the point of view of the assessment of the concept of personal data, the decision of the Tribunal is an obvious departure from the previous decision-making practice of the Court of Justice.
[62] In the grounds of the judgment of the Court of Justice in Gesamtverband
Autoteile-Handel (C-319/22, dated 9 November 2023), a subjective approach on the part of the Court of Justice is indicated, but the legally binding conclusion of the decision, on the contrary, confirms the necessity of a broad interpretation of the concept of personal data.
[63] It is indisputable that the accused collected and further processed personal data of users of its antivirus software. The process of anonymizing personal data is also one of the methods of personal data processing in the sense of Article 4 point 2 of Regulation (EU) 2016/679. According to Article 5 paragraph 2 of Regulation (EU) 2016/679, the administrator must be able to demonstrate that the processing of personal data is in accordance with the principles of personal data processing set out in Article 5 paragraph 1 of this Regulation. Taking into account the nature, scope, context and purposes of processing, as well as the variously probable and variously serious risks for the rights and freedoms of natural persons, the administrator is obliged, according to Article 24 of Regulation (EU) 2016/679, to implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this regulation. It clearly follows from the above that it is the administrator who bears the burden of proof and therefore has the obligation to demonstrate to the supervisory authority that his processing is in accordance with Regulation (EU) 2016/679.
[64] By note No. UOOU-01025/20-103 dated November 28, 2022, the appellate body called on the accused to document information about the processing of personal data, specifically:
• to submit Annex 1 of Annex A "Scope of the structure of Existing Data" to the Data Order concluded between the accused and the company (the accused submitted the Data Order to the administrative body on April 14, 2020 via data mailbox without the aforementioned attachment);
• to communicate a detailed specification of the data, including their structure, which it handed over to the company in the assessed period;
• to present a representative sample of the data that was passed on to the company, including the data in its original form, i.e. before removing identifiers (before anonymization, as the accused refers to this process), from which the transferred data set was created;
• to communicate how accurate the time information was (e.g. accurate to milliseconds) which the accused handed over to the company in the period under review together with URL addresses (as stated e.g. in the Consent Use Policy, in the Product processing principles that the accused sent to the Office on December 20, 2019);
• to inform whether an address in, e.g., this format could have been transferred to the company during the period under review: https://www.amazon.com/gp/buy/addressselect/handlers/edit-address.html?ie=UTF8&addressID=REMOVED&addressIdToBeDeleted=&enableDeliveryPreferences=1&from=&isBillingAddress=&numberOfDistinctItems=1&showBackBar=0&skipFooter=0&skipHeader=0&hasWorkingJavascript=1;
• to inform whether the company was provided with data from which it was possible to find out, for example, this information: Device ID:
(e.g. abc123x), Date: (e.g. 2019/12/01), Hour Minute Second: (e.g. 12.03.05), Domain: (e.g. Amazon.com), Product: (e.g. Apple iPad Pro 10.5 - 2017 Model - 256GB, Rose Gold), Behavior: (e.g. Add to Cart) - if not all the given data, then in what scope;
• to provide a more detailed explanation of the concept of aggregated data which the company received and used from the accused (stated in the Personal Data Processing Principles of December 19, 2019 and in the Privacy Notice – a document sent to the Office by the accused on 5 August 2019);
• to inform how many users of the accused's product (or devices) the transferred data concerned (the company stated on its website that the data comes from 100 million devices).
[65] However, the accused did not provide the Office with the required information. Pursuant to § 36 paragraph 1 of Act No. 500/2004 Coll., the parties to the proceedings are entitled to propose evidence and make other proposals throughout the proceedings until the decision is issued, and according to § 52 of Act No. 500/2004 Coll., the participants are obliged to indicate evidence to support their claims. In the proceedings before the administrative body of first instance, and now before the appeals body, the accused only repeats that the personal data were anonymized, i.e. that it did not transfer any personal data to the company, without describing the anonymization process in detail, without documenting (at the request of the Office) a sample (the output of the anonymization process) of the transmitted "anonymized" data, and without otherwise precisely specifying the scope of the transmitted data or commenting in any way on the scope of the transmitted data indicated in the Office's request (of 28 November 2022). Nor does the Data Order, on the basis of which the accused, according to its claim, forwarded the data to the company, contain a closer (let alone a detailed) specification, despite the express designation of Annex 1 of Annex A
"Scope and Structure of Existing Data" and the text "The exact scope and structure of Existing Data from each source is shown below in Annex 1 of this Annex A" (Art. 1 of Annex A). The accused repeatedly refers to the use of robust anonymization techniques (patented process); however, contrary to the administrator's principle of responsibility, it did not prove that the anonymization it performed resulted in truly anonymous data.
c) Possibility of re-identification of data subjects
[66] According to the appeal body, the accused did not transmit (only) anonymous data, because data subjects could be re-identified.
[67] A natural person is identifiable if it is possible to distinguish him from others in a way which allows the holder of the information to treat this person differently than other persons. A person is directly identifiable if the holders of the information can identify the person to whom the data relate using only information and methods that are easily available to them; a person is indirectly identifiable if this is possible only by obtaining auxiliary information or by using methods which are not readily available. Obtaining such auxiliary information may require some effort, such as searching the Internet. Identification may also rely on a combination of data that are not unique in isolation, but only when considered together in a given context, while the supporting information enabling the identification of data subjects need not be available to a single person. The appeal body is aware that complete anonymization of some data may be, considering the amount of publicly available information and technological developments (including newly used artificial intelligence), very complex and in some cases even impossible. In the case of processing anonymized data, the administrator must consider and regularly assess the probability and severity of the risk of re-identification of data subjects. Anonymization should
be irreversible, i.e. it should prevent any re-identification of the data subject, and the risk of re-identification by any means that can reasonably be assumed to be used must be very low (ideally none).
[68] The accused stated in the deposition that she had deleted all identifiers from the data before handing them over to the company. However, as mentioned above, the accused handed over to the company data including a generic user identification number (GUID), which is the identifier of the installation. The Data Order (Annex No. 10 to No. UOOU-01025/20-11, namely Article 3 of Annex A) shows that the company is required to replace the GUID with another unique identifier (JID) and destroy the GUID, whereby the company is contractually prohibited from dealing with the GUID in any further way. The appeal authority notes that the accused handed over data to the company including a unique identifier, of which she was aware.
[69] Furthermore, it follows from the Data Order (Article 5) that the data were transmitted in real time, delayed by the time required to perform anonymization, but at least once per hour. Furthermore, it is stated in the Data Order (Article 3 of Annex A) that the company may not use the GUID for any purpose other than assigning the correct JID to the relevant data and checking that the correct JID has been assigned to the relevant data. It follows from the above that the same JID was always assigned to one GUID, i.e. that the transmitted data (internet browsing history) were not limited to a short period of time, e.g. only one hour. The more data (long browsing history, time data, location data, etc.) the company had, the higher the uniqueness of the viewed URL string, which increased the probability of successful identification of data subjects.
[70] According to the accused, the deletion of identifiers from browsing history was carried out using algorithms and methods described in a patent registered in the USA under no.
(no. is mentioned in the breakdown, apparently this is a typographical error). It follows from the mentioned patent that if there are several users with the same parameter value (part of the URL), then this value will not constitute personal data. However, if the frequency of occurrence of a value in the URL is low, the parameter could contain data leading to the identification of the data subject. In other words, a website that is visited frequently probably will not contain personal data, whereas a page visited by only one person, for example, may contain personal data. In this case, the parameter values may be removed from the URL or replaced by other information, e.g. by the word "private".
[71] To get an idea of what data was removed from URL addresses, or what parts of URLs were transmitted, it is necessary to proceed from the structure of URL addresses. URL addresses have a fixed structure; they consist of individual parts (fields) arranged in a specified order and separated by specified characters. Some fields are optional. By default a URL consists of these parts: protocol (e.g. HTTP), address part [server name, second-level domain, top-level domain - e.g. www.dpp.cz or uoou.gov.cz, port (for the http protocol the port number is 80)], path (the directory structure in which the page is located), query (marked by "?" followed by the query parameter), and the last part of the URL is the fragment (refers to a specific place on the page).
9 https://cs.wikipedia.org/wiki/Uniform_Resource_Locator
[72] It follows from the Patent (item 0043) that the path, query and fragment in particular may differ between users and usually contain private information (PII). However, this information may also appear in other parts of URLs. The parts of URLs that may contain this private information are referred to in the Patent as "parameter".
[73] It follows from the above that during the "anonymization process" according to the Patent only certain parts were removed from the URL addresses (apart from URLs that, on the basis of this process, were not forwarded at all), and these parts could differ significantly in scope. From some URLs a large part could thus be removed, from others, on the contrary, a substantial part remained, and some (probably the majority, or at least a significant part of them, because URL addresses arising in a normal search for information on the Internet or reading of news as a rule do not contain private information) remained unchanged, i.e. were transmitted complete. Based on the transmitted URL addresses (even after possible removal of some parts) it was possible to track the user's (unique) movement on the Internet: what pages he visited, what videos he watched, what articles he read, what he searched for, what he bought. If this data were linked or compared with other data (as described below), then it would be possible to identify data subjects and find out information about their interests, behavior, preferences etc.
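An added illustration, not part of the decision and not the patented process itself: a simplified frequency rule of the kind described in [70] to [73], applied to constructed events, followed by the check an administrator could run on its own output to see how many pseudonymous identifiers still have a URL trail shared by no one else. The threshold K, the host names, the jid values and all function names are assumptions made for this example.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

K = 2  # assumed threshold: a value seen for fewer than K installations is treated as private

# Constructed sample events (pseudonymous installation id, URL); not data from the case.
EVENTS = [
    ("jid-1", "https://shop.example/cart/edit?addressID=A91X&lang=en"),
    ("jid-2", "https://shop.example/cart/edit?addressID=Q20Z&lang=en"),
    ("jid-3", "https://shop.example/cart/edit?addressID=M55K&lang=en"),
    ("jid-1", "https://news.example/world/article-17"),
    ("jid-2", "https://news.example/world/article-17"),
    ("jid-2", "https://news.example/sport/article-4"),
    ("jid-3", "https://news.example/sport/article-4"),
    ("jid-1", "https://video.example/watch?v=cats"),
    ("jid-3", "https://video.example/watch?v=cats"),
    ("jid-4", "https://news.example/world/article-17"),
    ("jid-4", "https://news.example/sport/article-4"),
    ("jid-4", "https://video.example/watch?v=cats"),
]


def slots(url):
    """Split a URL into (slot, value) pairs: path segments, query values, fragment."""
    p = urlsplit(url)
    out = [((p.netloc, "path", i), seg)
           for i, seg in enumerate(p.path.split("/")) if seg]
    out += [((p.netloc, "query", key), val)
            for key, val in parse_qsl(p.query, keep_blank_values=True)]
    if p.fragment:
        out.append(((p.netloc, "fragment", 0), p.fragment))
    return out


def count_users(events):
    """Number of distinct installations that produced each (slot, value)."""
    seen = defaultdict(set)
    for jid, url in events:
        for slot, value in slots(url):
            seen[(slot, value)].add(jid)
    return {key: len(users) for key, users in seen.items()}


def redact(url, counts, k=K):
    """Replace every value seen for fewer than k installations with 'private'."""
    p = urlsplit(url)

    def keep(slot, value):
        return value if counts.get((slot, value), 0) >= k else "private"

    path = "/".join(keep((p.netloc, "path", i), seg) if seg else seg
                    for i, seg in enumerate(p.path.split("/")))
    query = urlencode([(key, keep((p.netloc, "query", key), val))
                       for key, val in parse_qsl(p.query, keep_blank_values=True)])
    fragment = keep((p.netloc, "fragment", 0), p.fragment) if p.fragment else ""
    return urlunsplit((p.scheme, p.netloc, path, query, fragment))


def trail_report(events, k=K):
    """Return the redacted trail per id and the ids whose trail no other id shares."""
    counts = count_users(events)
    trails = defaultdict(set)
    for jid, url in events:
        trails[jid].add(redact(url, counts, k))
    sharing = defaultdict(list)
    for jid, trail in trails.items():
        sharing[frozenset(trail)].append(jid)
    unique = sorted(j for ids in sharing.values() if len(ids) == 1 for j in ids)
    return {jid: sorted(trail) for jid, trail in trails.items()}, unique


if __name__ == "__main__":
    trails, unique = trail_report(EVENTS)
    for jid, trail in sorted(trails.items()):
        print(jid, trail)
    print("ids with a trail shared by no one else:", unique)
```

Every value that survives redaction in this sample is shared by at least two installations, yet each of the four identifiers keeps a distinct combination of pages, which is the situation [73] describes.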
[74] The identification of data subjects was dealt with, for example, in a scientific study by Stanford University, 10 which implies that de-identified browsing history can be linked to profiles on social networks such as Twitter, Facebook or Reddit using publicly available information, by virtually any attacker who has access to browsing history. This study shows that 72% of 374 users were successfully de-anonymized (re-identified). According to the appeal body, the company itself, or any of its employees who had access to Internet browsing history, could link that data to data from publicly available sources (e.g. social networks), possibly also from other sources (according to the accused, the company had multiple data sources), and thus identify individual users. It is not decisive whether it would be possible to identify all or only some users.
[75] The company could identify data subjects itself using publicly available information. An example can be a route search (e.g. on Google Maps): if the starting or destination point of the route is often repeated for one user (e.g. the same starting point is often entered in the morning and in the evening the destination point is the same as the starting point in the morning), then it can be concluded that the user resides at this point. On the basis of the address, the user can be identified in a number of cases, especially in situations where much more information about the user can be found out from the history of visited websites; if such an address were, for example, London, Baker Street 221B, further supplementary information might not even be needed to identify the data subject (note: the appeal authority deliberately chose the address of a literary figure for illustration).
Users' identification options could be wider if the company had more data sources. As already mentioned, the combination of data from different sources (including publicly available ones) can lead to the identification of users. In the case of the Antivirus for mobile (Android) product, information about the approximate location was also transmitted, which not only facilitates the identification of the data subject, but can also lead to a sensitive intervention in his privacy.
10 De-anonymising web browsing Data with Social Network. Jessica Su. Sharad Goel. Stanford University. https://dl.acm.org/doi/pdf/10.1145/3038912.3052714.
[76] The risk of re-identification was also dealt with by the Working Group WP 29, which in its Opinion No. 5/2014 (pp. 31–32) described the ways in which data subjects have been re-identified on the basis of anonymized data. It follows from the stated opinion that anonymized data on movie ratings given by Netflix users over a 14-day period represent such unique data that, by linking them with data from a publicly available database in which movies are rated (IMDB), users were re-identified (based on their giving ratings to the same films in the same time ranges). Although the mentioned case is not identical with the matter now under consideration, it is clear that the company (and anyone who had or should have had access to data on visited URLs) could identify users, e.g. by the fact that at a certain time they entered their comment, review or assessment.
[77] It follows from the administrative file that the accused published a post on the Twitter social network: "Although it sounds alarming, it is very easy to identify you in an anonymized data set.
A new study found that it does not take much to de-anonymize data and trace it back to you", referring to an article titled "Sorry, your 'anonymized' data probably isn't anonymous" 12 of July 23, 2019, from which it follows (with a link to a study published in the journal Nature Communications) that specific users can be identified on the basis of de-identified web browsing history. The post was later removed. According to her statement of 4 December 2023, the accused considers the scientific study of Stanford University unnecessary, as it was devoted to linking profiles on social networks with a complete internet browsing history. According to the appellate body, the said study highlights how relatively simple it can be to re-identify data subjects, while the appeals body considers that data subjects can be identified even on the basis of an incomplete browsing history, as evidenced by the study published in the journal Nature Communications, to which the accused drew attention on her Twitter account and which she does not contradict in any way. To this, the appeal body adds that the problem of anonymization, or the difficulty of achieving full anonymization, has not been addressed only in recent years in connection with Regulation (EU) 2016/679; the professional public has been drawing attention to this issue for a relatively long time. 14 The appeal body considers it necessary to emphasize at this point that the accused is not a company providing just any software, but anti-virus software primarily intended to protect data and user privacy. Anti-virus software companies are also turned to by users who are not well versed in information technology and cyber security and do not know how to secure their privacy in this environment. In this regard, excellent or above-standard expertise (including expertise in personal data protection) and an ethical level of conduct can be expected, i.e.
that a company that offers privacy protection will not transfer or sell to other entities data which could reveal anything about users' privacy. The accused, as a professional in the field of user privacy protection, should be aware of the risks (the difficulty of achieving complete anonymization of data) and should be really sure (without any doubt) that the data it transfers to another administrator do not contain any personal data, and that even the subsequent processing of the transferred data cannot lead to an invasion of users' privacy.
11 In English: "As troubling as it sounds, it's very easy to identify you in an anonymized data set. A new study finds that it doesn't take much to de-anonymize data and trace it back to you". Cf. document no. UOOU-01025/20-2.
12 In English: "Sorry, your 'anonymized' data probably isn't anonymous", available here: https://mashable.com/article/anonymous-data-sets-easily-de-anonymized.
13 Available here: https://www.nature.com/articles/s41467-019-10933-3.pdf.
14 For example, the article entitled "Broken Promises of Privacy. Responding to the Surprising Failure of Anonymization", published in the UCLA Law Review in 2009 (Vol. 57, No. 6, pp. 1701-1777), available here: https://www.uclalawreview.org/pdf/57-6-3.pdf.
[78] In an interview with ČT24, 16 when the CEO 15 of the accused was asked for his reaction to the findings of foreign professional journals that it is relatively easy to de-anonymize the data that come from the antivirus and that the accused resells to the company, i.e. that "it is possible to connect the specific behavior of specific users, what they do on the Internet", he stated that "there are studies that investigate this in some way". He further stated that the accused had a contract with the company (and likewise the customers had a contract with it) in which it was "explicitly forbidden to do any of these things", by which the accused was legally covered. According to the appellate body, she knew about the fact (about the existence of studies) that a user can be identified relatively easily based on his behavior on the Internet (history of browsing internet pages). Subsequently, in the interview in question, the CEO of the accused stated that the accused did not know that this could happen, because the data did not contain personally identifiable information (PII). In her statement of 4 December 2023, the accused objected that the administrative body took individual parts of the interview out of context, as the CEO did admit that there are studies dealing with the possibility of re-identification in general, but he emphasized that the data had undergone comprehensive anonymization and at the same time there were contractual mechanisms under which any attempts at reverse identification were prohibited. However, in the context of the fact that the accused knew (and shared on the social network Twitter) that "it is very easy to identify you in an anonymized data file", the appeals body considers this statement and the media statement of the accused's CEO to be purposeful.
[79] If the accused knew about the possibility of re-identification of data subjects on the basis of their de-identified internet browsing history, then it is not apparent to the appeals body on what basis she could believe that if the so-called PII were removed, it would not be possible to identify data subjects.
In the case of anonymized data processing, it is the administrator's duty to examine whether the data are still anonymous in view of technological progress, or whether there is a possibility of retrospectively identifying data subjects. In such a case, the data can no longer be considered anonymous and should be treated as personal data.
[80] The company website as of June 24 2019 contained, among other things, the following information: "Market smarter with consumer journey analytics. Examine every search, click, and buy. On every site; See it all. From search to purchase. Get a super-detailed view of every buyer path, as it twists and turns; Analysis with ultimate flexibility. Explore on-demand or dive deep with data feeds; Be confident in your insights. Our 100 million panelists in 188 countries means data you can trust" and "Get deeper analysis with granular data feeds. Follow user journeys at the atomic level; Answer all your business questions with unlimited data; Combine with your own sources for custom analysis" (unofficial translation: "Marketing smarter with consumer journey analyses. Explore every search, click and buy. On every site - track everything. From search to purchase. Get an extremely detailed view of each buyer's journey as it twists and turns - Analyse with maximum flexibility. Explore data on demand or dive deeper into data sources - You will be sure of your findings. Our 100 million panelists in 188 countries represent data you can trust." and "Get deeper analysis with granular data sources. Track user journeys at an atomic level - Answer all your business questions based on unlimited data - Combine with your own sources for tailor-made analyses").
15 English abbreviation for the position "Chief Executive Officer", whose equivalent in Czech is usually the executive director of the company.
16 Available here. .
17 Available from. .
[81] The company's website as of January 28, 2019 19 further contained the information " is the only company that unlocks walled-garden data to empower marketers to target and expand their customer base. The company's real-time, opt-in global panel tracks five billion actions a day across 100 million devices to deliver insights into online consumer behavior" (unofficial translation: " is the only company that makes available data from closed platforms 20 and thus enables marketers to target their customers and expand their customer base. The company's worldwide panel of consenting users, with the possibility of real-time login, monitors five billion events per day on 100 million devices and thus provides insight into the online behavior of consumers.").
[82] From the history of the company's website, it can be seen that its customers were for example companies
[83] According to the appellate authority, it follows from the above that the company transferred (sold) data obtained from the accused to other companies, while this data was very detailed. For the sake of completeness, the appeal body recalls at this point that the transfer of data between the company and its customers is not the subject of these proceedings; however, the further handling of the data by the company is described with regard to the context of the entire processing. According to its website, the company offered potential customers the option to obtain detailed information about the behavior of Internet users (cf. the text "Examine each search, click and buy. On every site; track everything. From search to purchase."), while explicitly stating the possibility of combining this data with customers' own data. The company was not only a sister company of the accused but also offered its own products (detailed user information) on its publicly accessible website. The accused was thus well aware of how the company handles data.
18 meant by users.
19 Available from. .
20 The term walled-garden (originally meaning "a garden surrounded by a high wall").
21 Compare official record No. UOOU-01025/20-112.
[84] It is precisely in combining data from different sources that the great risk of re-identification of users lies. In the event that a third party links anonymized Internet browsing data obtained from the company with its own database, data subjects may be identified. According to the appeal body, the behavior of users on the Internet is unique: the websites they visited, their order, their number and the time spent on them differ. If, for example, an online store obtained detailed anonymized data about Internet browsing, it could compare the movement of the internet user with its own data and simply identify the user if, for example, he is its registered customer, or if the customer purchased goods and provided his billing information in that context. The fact that the online store identifies its own customer is not too problematic in itself, because in this way it does not get any information other than what it already has in its database. What is essential, however, is that the online store gets (new) data about the internet browsing history not only on its own website, but also, for example, about which pages the customer came from to the website of this online store, what other websites he subsequently visited, and other detailed information about his movement across the Internet. It is then possible to find out from this data (albeit not with certainty) e.g.
the interests of the data subject, data on his behavior or habits (where he moves, place of residence), but also education, profession, religious beliefs, political opinions, health status or sexual orientation. Any further use of this information, which can also be highly sensitive, can significantly interfere with the privacy of data subjects.
[85] After all, the possibility of linking data by an employee is also described in the Patent, in the part explaining implicit private information. To this the appeal authority adds that the linking of databases does not have to take place only on the basis of some identifier. In the case of browsing history, which is basically unique for each user, it is possible to compare the anonymized data with the data that are available, for example, to the aforementioned online store, and to recognize the customer according to his "internet path". In some cases this identification can be very easy, as the information that a specific item was added to the cart and purchased at a certain time would be sufficient. By comparing this information with one's own database on the sale of this item at the given time, the customer can be easily identified. The uniqueness of the data in the case under consideration does not lie in the personal data contained in the URL, but in the uniqueness of user behavior on the Internet. The company had data on the movement of users on the Internet (URL addresses and time data were tied to the GUID/JID identifier), even though (according to the Data Order) this Internet browsing history was not entirely complete.
[86] In the case under consideration, even a relatively small part of the anonymized Internet browsing history may be sufficient to re-identify the data subject, so whether the accused was passing on a complete browsing history or only part of it is not decisive for the possibility of re-identification. That question would be relevant in relation to what can be found out
about an identified person. The larger the part of the browsing history someone has available, the easier (and more likely) it is to successfully identify the data subject and, at the same time, the more (detailed) information can be obtained about him. At this point the appeal body also emphasizes that it is not necessary to be able to identify all users. If even only a small part of them can be identified, it is not possible to talk about anonymous data. Given that the accused transmitted anonymized browsing history from around 100 million devices (cf. above), and given the aforementioned options for third parties to re-identify the data subjects, even if only a small part of the users were identified, the privacy of many data subjects would be invaded. For the sake of completeness, the appellate body states that it is not decisive in the case under consideration whether the re-identification of the data subjects actually took place; it is sufficient that an interference with the interest protected by law, which is the protection of personal data and the privacy of data subjects, could actually have happened (or may happen in the future).
[87] In connection with anonymization, it can be stated that Regulation (EU) 2016/679 does not apply to anonymous data, i.e. neither does the obligation to properly secure data resulting from Article 32 of the aforementioned regulation. However, the data provided by the accused company cannot be considered anonymous; as explained above, in the event of a data leak or publication there is a high likelihood that data subjects could be re-identified, which might result in a fundamental interference with their privacy. At the same time, there are a number of entities (incl. the company's customers, i.e.
companies with huge databases of their own) which could identify Internet users based on anonymous browsing history. The appellate authority further adds that (as described above) the accused was aware that there are third parties that could re-identify individual users.

d) Aggregated data

[88] In the Personal Data Processing Policy of 19 December 2019 and in the Privacy Notice (document sent to the Office by the accused on August 5, 2019) it is stated that the company received and used aggregated data from the accused. In the call of November 28, 2022 (ref. UOOU-01025/20-103), the accused was requested by the appeal body (among other things) to explain the term aggregated data in more detail. However, the accused did not provide the requested information to the authority.

[89] Opinion No. 5/2014 of the WP 29 Working Group on anonymization techniques can be used to explain the concept of aggregation. It states that the goal of the aggregation technique is to prevent the data subject from being singled out by assigning him to a group of at least x other persons. For this, it is necessary to generalize the values of the relevant attributes so that every person shares the same values. Aggregated records thus combine information about individuals into information that relates to a group of persons, and it is not possible to single out individual data subjects from them. The movement of users on the Internet is unique, i.e. it is highly improbable that different users viewed the same websites at the same time, in the same order, and spent the same amount of time on them, etc. The company offered its customers the ability to examine "every click of the buyer". According to the contract, the data was transferred to the company "in real time, with a delay for the time required to perform anonymization, at least once per hour".
Along with the browsing history, the accused also transmitted a unique GUID identifier, i.e. the transmitted data containing the history of browsing Internet pages was broken down by individual installations of the antivirus software or of the Internet browser add-on. Considering all of the above, according to the appeal body this was not and could not be aggregated data. The Appellate Body is aware that a GUID is an installation identifier and that a single device may be used by more than one person; however, several individual users can be identified based on browsing history (for example, if the users of one computer each have their own account on a social network and/or shop online). Furthermore, it can be stated that many devices, especially mobile phones, are currently often used by only one person.

e) Contract

[90] The transfer of data between the accused and the company took place on the basis of the contract called Data Order. The final provision of this Contract states: "The Agreement constitutes the exclusive and complete agreement between the Parties regarding the subject matter of the Agreement and supersedes and terminates any prior or contemporaneous agreement of the Parties with respect to its subject matter and supersedes and terminates any prior or contemporaneous written or oral agreement, arrangements, guarantees and assurances of the given subject, in particular the contract between the Parties of 30 August 2014, which consists of the Order Form, Terms of Order, Description of Data and the Data License Agreement". The Agreement further states that "The term 'Agreement' used here refers to this Order, Annex A
– Description of data (including Annex 1) and Annex B – License Agreement". In Appendix B of the Data Order (item 12.3.) it is stated that changes and modifications to this Agreement will only be effective if made in writing.

[91] Point 3 of the Data Order, entitled Description of Data, states that the "Definition of Data that are to be provided on the basis of this Order ("Data") is set out in Appendix A". According to Annex A, called Data Description, Existing Data are "all anonymized usage data provided to the Company on the Effective Date, collected by the Company through the computer programs, mobile applications, services and other functions listed below", with "The exact scope and structure of Existing Data from each source is set out below in Annex 1 of this Annex A" (highlighted by the appellate authority). However, Annex 1 of Annex A (in the form in which the accused presented it to the administrative body of the first instance on April 14, 2020) only contains the heading "Scope and Structure of Existing Data", without any further content.

[92] The Office therefore invited the accused in a letter dated November 28, 2022 (ref. UOOU-01025/20-103) to submit the above-mentioned annex, as well as to communicate and submit other information regarding the data transmitted by the accused to the company. The accused responded to this request with a letter dated December 14, 2022, in which she stated that she "decided not to provide requested information with reference to the principle of prohibition against self-incrimination and other procedural guarantees arising from the Charter of Fundamental Rights and Freedoms, the ECHR and the EU Charter". The Office therefore addressed another invitation to the accused dated January 9, 2023 (ref. UOOU-01025/20-105), in which it requested submission of Annex 1 of Annex A
"Scope and Structure of Existing Data", Annex 2 "Competitive entities" and Annex 3 "Essential columns of data". At the request of the accused, the Office extended the deadline for providing what was requested and at the same time specified that it requires the original of the Agreement, including all its attachments, to be presented. The accused informed the Office in a letter dated 7 February 2023 that the attachments required by the Authority were never finalized or signed. The accused further stated that the contract was negotiated in the summer of 2019 and signed on August 30, 2019, i.e. outside the time period in which the alleged offense investigated by the Office in the current proceedings was supposed to have occurred. However, according to the accused, the contract was supposed to apply retroactively from February 2019. But before the parties had time to finalize the contract, the cooperation was terminated, and shortly thereafter, in February 2020, the activities of the company were terminated. Although the annexes were never finalized, this does not mean, according to the accused, that it was not clearly stated what the companies exchanged with each other. The purpose of the contract was only to formalize the exchange of data existing between the companies at the given time. Finally, the accused stated that she and the company were part of one corporate group, and the scope of the information exchanged was clear between the parties.

[93] The appeal body states on this that the subject of the Data Order was the transfer of data by the accused to the company, but it is not possible to find out from it what specific information the accused was to transfer to the company (cf. point [91] above); the subject of performance is therefore not sufficiently specified.
The Accused in its Statement of December 4, 2023 (in response to the Preliminary findings of the Office) stated that the Data Order is governed by California law and that it is not obvious to the accused from what the Office infers that California law requires a written form for this type of contract. According to point 12.6. of Annex B of the Data Order, entitled "Governing law. Submission jurisdiction.", this Agreement is governed by the laws of the State of New York, not by California law. The requirement of written form, or of a written definition of the scope of transferred data, is inferred by the appellate body from the express agreement of the contracting parties (cf. points [90] and [91] above). The Data Order expressly states that "This Agreement constitutes the exclusive and complete agreement between the Parties regarding the subject of the Contract (...)", and that the exact scope of the data to be provided on the basis of the aforementioned contract is specified in the Data Order. It is clear from the above that the contracting parties agreed on the written form of the contract, including the specification of the data transferred. One can therefore only speculate about why the contracting parties failed to comply with this agreement. Based on the above, the appellate body considers the argument of the accused that the extent of the information transferred was known to the contracting parties to be irrelevant.

22 However, according to the Data Order (point 1.), in conjunction with Article 9.1, the contract was to be effective from 1 January 2019.
[94] Regarding the accused's argument that she did not have time to finalize the contract, the appellate authority states that the transferred data were not specified in more detail even in the previous contract (Contract on the provision of a data license) concluded between the accused and the company on 30 August 2014. It only stated that "'Data' means anonymized usage data that the company collects and makes available for download and use by companies". The accused therefore had 5 years to specify the subject of the contract (until the conclusion of a new contract in 2019). In view of the above, the appellate body considers this argument of the accused to be purely purposive.

[95] In the statement, the accused stated that re-identification of the data subjects could not reasonably be assumed, as it was contractually prohibited, referring to Article 4.6 of Annex B of the Data Order: "the company may not use the Data in any way in an attempt to identify or reverse engineer any identifiers relating to the Data or otherwise attempt to derive or gain access to such direct identifiers". The appellate authority states on this that it is certainly possible to contractually prohibit any attempts to identify natural persons. These legal guarantees are usually a way of strengthening other measures taken by administrators to reduce the risks associated with the processing of personal data, by making them legally enforceable, and are thus primarily instruments that hold authorized recipients of anonymous or pseudonymous information liable. However, although these guarantees may reduce the risk of identification attempts, they do not replace anonymization as such.

B. Legal title and purpose of personal data processing

[96] The accused further states in the statement that if the head of the Office concluded that personal data had been transferred, this was done in accordance with Regulation (EU) 2016/679. According to its statement, the accused handed over subsets of anonymized product data, which made it possible for the company to create a product charting general Internet trends, not the interests of individual users. According to the accused, the administrative authority of the first instance does not dispute in the contested decision that the accused had a legal title to collect personal data; however, it claims that she had no legal basis for handing them over to the company. According to the accused, the purpose of transferring the data to the company was compatible with the primary purpose of processing according to recital No. 50 and Article 5 paragraph 1 letter b) of Regulation (EU) 2016/679, since processing personal data for statistical purposes is processing with a compatible purpose. The point of the statistical analysis of trends carried out by the company was to ascertain general knowledge regarding the behavior of consumers, their preferences and other relevant circumstances. This activity used statistical methods and arrived at statistical results that showed general tendencies and trends, not information about individual persons. The accused admits that this was a commercial activity; however, statistical activity pursuing commercial interests also fulfills the definition of statistical activity according to Regulation (EU) 2016/679.

[97] The accused further stated that even if she had given the company personal data and the purpose of the transfer were not compatible with the primary purpose of the processing, she would have a legal title for the transfer of the data to the company in the form of a legitimate interest. The accused does not agree with the conclusion of the administrative body of the first instance that the transfer of
data was not expected by the data subjects, in particular because the accused explicitly informed the data subjects about the transfer of data to the company. According to the accused, the processing of pseudonymized or anonymized data for the purposes of statistical analysis is in no way unexpected in the case of digital companies, as it is a generally known fact that digital companies generally analyze trends among their customers and use the data obtained for this purpose. In the case of the data transfer to the company, according to the statement of the accused, the administrator's legitimate interest outweighed the interests of the data subjects, since the transfer of data did not pose any risk to the data subjects and the data subjects could refuse the transfer of data through the opt-out mechanism. Against this stood the legitimate interests of the accused, both the commercial interest and the interest in the general improvement of products and the investigation of consumer preferences.

[98] On the legal title of personal data processing (transfer of data to the company), the appellate authority states that, due to the requirement to inform data subjects of the legal title at the time of obtaining personal data [Article 13 paragraph 1 letter c) of Regulation (EU) 2016/679], the administrator must determine the relevant legal title before the actual data collection. The chosen legal title cannot then be changed arbitrarily during data processing. According to the appeal body, it is therefore not possible to accept the accused's line of argument that she was passing on anonymous data [to which Regulation (EU) 2016/679 does not apply]; that, in case the data were not anonymous, she processed personal data for statistical purposes; and that, if this purpose were not compatible with the primary purpose of processing, she would process the data on the basis of a legitimate interest. Although the appellate body is convinced that the accused did not choose the legal title for processing personal data in advance, i.e.
did not have a legal title, the appellate body will nevertheless express its opinion on the individual legal titles invoked by the accused.

[99] It follows from Article 5 paragraph 1 letter b) of Regulation (EU) 2016/679 that personal data must be "collected for certain, expressly stated and legitimate purposes and may not be further processed in a way that is incompatible with these purposes; further processing for purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes pursuant to Article 89(1) shall not be considered incompatible with the original purposes ("purpose restrictions")". Similarly, recital No. 50 of Regulation (EU) 2016/679 states that "Further processing for the purposes of archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes should be considered compatible lawful processing operations". Although it follows from the above that further processing for statistical purposes is not considered incompatible with the original purposes, the above cannot be interpreted as a general exception to the purpose limitation, i.e. that personal data can be processed for statistical purposes without anything further. Article 89 paragraph 1 of Regulation (EU) 2016/679 explicitly stipulates that even processing for statistical purposes is subject, in accordance with this Regulation, to appropriate guarantees of the rights and freedoms of data subjects; likewise, Article 5 paragraph 1 letter e) of this regulation presupposes the implementation of relevant technical and organizational measures with the aim of guaranteeing the rights and freedoms of data subjects.

[100] The compatibility of purposes in the processing of data for statistical purposes was also dealt with by the WP 29 Working Group in its opinion No.
3/2013 on the limitation of the purpose, in which (in part III.2.3.) it commented on the then valid provision of Article 6(1)(b) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data [which was similar in content to Article 5 paragraph 1 letter b) of Regulation (EU) 2016/679] to the effect that this provision "should not be interpreted as a general exception to the compatibility requirement and is not intended to be a general authorization for further data processing for historical, statistical or scientific purposes in all cases. As in any other case of further use, all relevant circumstances and factors must be taken into account in deciding what guarantees can be considered appropriate and sufficient" 23 (unofficial translation).

[101] Even in the case of personal data processing for statistical purposes, according to the appellate authority, the rights of data subjects must not be disproportionately interfered with. Also in the case of data processing for statistical purposes, the administrator should adequately take into account the circumstances referred to in Article 6 paragraph 4 and in Recital 50 of Regulation (EU) 2016/679, which also states: "The legal basis for the processing of personal data under the law of the Union or a Member State may also serve as a legal basis for further processing. In order to determine whether the purpose of further processing is compatible with the purpose for which the personal data was originally collected, the controller should, after fulfilling all requirements for the legality of the original processing, take into account, among other things, any link between these purposes and the purposes of the intended further processing, the context in which the personal data was collected, in particular the reasonable expectations of data subjects regarding its further use based on their relationship with the controller, the nature of the personal data, the consequences of the intended further processing for data subjects and the existence of appropriate safeguards both during the original and during the intended further processing operations". In the case under consideration, the accused should have assessed the risks and possible consequences of further processing for data subjects. As mentioned above, based on the data transmitted it was possible for the company to re-identify data subjects and potentially discover from the browsing history a large amount of data, including sensitive data (including special categories of data), which could have noticeably interfered with the privacy of the data subjects and caused them harm. In the case of data processing for statistical purposes it is also important to distinguish between situations where this further processing is carried out by the original data controller and situations where personal data are transferred for such further processing to a third party (this can be compared to data processing through cookies directly by the website operator and through third-party cookies). The appellate authority agrees with the accused that the average user is aware that administrators of personal data use the data obtained for
statistical purposes. These expectations, however, are directed at statistics related to the subject of the administrator's activity, in relation to the accused at statistics connected with the operation or improvement of the functions of the accused's anti-virus software. However, according to the appellate authority, users did not normally expect that the accused, as a company providing products for the protection of data and therefore of user privacy, would, within "trend analyses", process their data in a way not related to the provision of the accused's service and transfer (sell) these personal data to a third party, which would further use them for its own commercial interests, i.e. sell them to customers with large data sources of their own.

23 "It should not be read as providing an overall exception from the requirement of compatibility, and it is not intended as a general authorization to further process data in all cases for historical, statistical or scientific purposes. Just like in any other case of further use, all relevant circumstances and factors must be taken into account when deciding what safeguards, if any, can be considered appropriate and sufficient."
The fact that the company is a sister company of the defendant does not change the situation, since, from the point of view of Regulation (EU) 2016/679, it was a separate administrator.

[102] According to the accused, the purpose of the statistical analyses was to observe trends, not to identify individuals, and the essence of the matter was the transfer of data of a non-personal nature (stated in the opinion of 4 December 2023). However, the assessment of whether data are personal data does not depend on the intended purpose or the result of data processing. The decisive factor in the case under consideration is that the accused was handing over data that the company was supposed to process further. The result of this processing, as declared by the accused, should have been completely anonymous summary statistics. However, it cannot be overlooked that the company was given data on the basis of which this company itself could identify the data subjects, while for evaluating whether it was personal data it is not decisive whether it did so or not.

[103] Regarding the commercial activities of the company, the appeal body further states that point 1.1 of Appendix B of the Data Order states that the accused grants the company a "license to download a copy of the Data (as defined and set forth in the Appendix A of
each applicable Order) (...) and to use the Data for the company's business activities, to incorporate them into the company's products and services in the Reserved Area, especially to use the Data as a whole or to incorporate them into the company's services, and to make the Data included in the company's services available to third parties, specifically customers of the company". According to the appellate authority, it follows that the company further processed the data it received from the accused and made this data (incorporated into its products or services) available to its customers. The company thus used the data for its own commercial interests.

[104] In this context, it is crucial to assess whether the company processed personal data for the purpose of creating statistics. According to Recital No. 162 of Regulation (EU) 2016/679, statistical purposes are understood as "any operations of collection and processing of personal data necessary for statistical surveys or for the generation of statistical results. (...) Where processing is for statistical purposes, the result of the processing is not personal data but summary data, and neither this result nor the given personal data is used to support action or decision relating to a specific natural person". According to the Academic Dictionary of Foreign Words, statistics means "1. numerical recording and investigation of mass phenomena; 2. the branch dealing with the investigation, processing and quantitative characterization of mass phenomena and large data sets." The fact that statistical output is general knowledge, not information about individuals, is also recognized by the accused in her statement (cf. e.g. point 98. of the statement of the accused).
As mentioned above, the company offered on its website the ability to gain "extremely detailed insight into every buyer's journey," which shows that the company did not use the data for statistical purposes. The Appellate Body admits that the company could also offer its customers products that contained statistical results; however, it clearly (also) offered data that cannot be considered the results of statistical activity. According to the appeal body, it cannot be said that the data were passed on to the company and further processed only for the purpose of creating statistics. The Appellate Body also agrees with the accused that a statistical result is used for other purposes, i.e. for own commercial interests. However, in the case of the company, it was a matter neither of the processing of statistics nor of the offering or sale of purely statistical results. This is also evidenced by the contractual wording cited above that the company is entitled "to use the Data as a whole or to incorporate them into the company's services and to make the Data included in the company's services available to third parties", which contains no requirement that the Data first be further modified before such incorporation and disclosure, as might be expected if the Data were really to be used only for "statistical trend analysis".

24 Available at https://prirucka.ujc.cas.cz/?slovo=statistika.

[105] In her opinion of December 4, 2023, the accused stated that the proclamations from the company's website cannot be used as evidence, as they are statements of a marketing nature, which are inherently simplified and whose purpose is not to describe precisely the legal and technical processes used. Marketing statements, however, should not be misleading or deceptive. It is not clear to the Appellate Body how else to interpret the information that the company was offering "per-click" data other than that it really was offering detailed user information,
not summary statistics only. The accused presents itself on the market as a serious company. The Appellate Body does not find it credible that its sister company tried to reach new customers with misleading marketing statements. In addition, the company's customers at the time, which included large multinational companies (as mentioned above), would easily detect misleading statements.

[106] As to the accused's argument that a legal title in the form of a legitimate interest would support her transfer of personal data to the company, the appellate authority states that it is the duty of the administrator, before starting data processing on the basis of Article 6 paragraph 1 letter f) of Regulation (EU) 2016/679, first of all to assess whether he has a legitimate interest in this processing, whether this processing is necessary from the point of view of this legitimate interest, and whether the interests and rights of the data subject do not prevail over this interest in the particular case (to perform the so-called balance test). Given that, according to her statements, the accused was and still is convinced that she passed on anonymous data to the company, she did not perform the balance test properly. On one side stands the legitimate interest of the accused. As the accused stated in the breakdown, this is a commercial interest and an interest in general product improvement and in surveying consumer preferences. On the other side of the imaginary scale stand the interests and basic rights and freedoms of data subjects, i.e. the protection of their personal data and privacy. As described above, users of internet browsers can be re-identified, and linking them to their internet browsing history may have a noticeable impact on their privacy, inter alia because this data could be misused. If the accused had performed the balance test properly, she would, according to the appeals body, have arrived at the conclusion that her legitimate interest does not outweigh the interests of data subjects.
[107] In the case of personal data processing pursuant to Article 6(1)(f) of Regulation (EU) 2016/679 it is also necessary to take into account whether the data subject can reasonably expect such processing [see recital No. 47 of Regulation (EU) 2016/679]. Based on the information provided by the accused (more on that in the section on information obligations), users could expect that the accused would transfer (share) only anonymous data. In addition, it was not clearly specified for what purpose, on the basis of which legal title, and with whom the data would be shared. If data subjects did not have sufficient and relevant information about the processing of their data, they could not have a real idea of how the data processing would take place and could not reasonably expect such processing.

[108] From the point of view of reasonable expectation, the relationship between the users and the accused, as a provider of anti-virus software, is also an essential feature of the case under consideration. According to the appellate authority, one of the main reasons users purchase antivirus software is to protect their data and, in connection with that, their privacy. The accused itself, on the screen of the trend analysis activation process (as of April 2019) 25, declared that users can be confident that their privacy will be respected.
[109] The CEO of the accused stated in an interview for ČT24 26 that he understood the surprise that the transfer of data to the company may have caused among users, since not everyone had to have read the screen on which they had to confirm the transfer of data (for which the accused, in his words, apologized to the users). The appeal body adds that confirmation of processing, or consent to processing, was required only from July 2019; until that time (provably since April 2019) users could only click the "continue" button under the displayed information. In this context the Appellate Authority finds it necessary to mention that users of the antivirus program or of the Online Security extension could not expect that their data would be transferred (sold) to another administrator. Users trusted the accused, as a company offering products and privacy protection, and therefore may not have been sufficiently cautious about the information on the transfer of data provided by the accused, since they did not expect a sharing of data that could interfere with their privacy. The CEO of the accused further stated in the interview that the news about the transfer of data to the company caused a certain antipathy towards the accused, i.e. a certain loss of trust. The Appellate Authority states that if users had reasonably expected the transfer of data to the company and had been properly informed about it (i.e. including the sale of data),
they would not have been surprised by the news about the monetization of their data. The surprise of users at the monetization of their data is also evidenced by the fact that, due to the collection and sale of user data, the Dutch organization for consumer protection brought a collective action against the company, which (according to data from publicly available sources) more than 10,000 antivirus software users from the Netherlands were supposed to join. The transfer of data by the accused to the company (and third parties) 28 was also dealt with by the American Federal Trade Commission, which, among other things, prohibited the accused from selling internet browsing data for marketing purposes.

[110] In its Opinion of December 4, 2023, the accused stated, regarding the violation of Article 6 of Regulation (EU) 2016/679 described in the Preliminary Findings, that by the decision of the administrative body of the first instance she was found guilty of violating Regulation (EU) 2016/679 in that, for the processing of personal data for the purpose of statistical trend analysis, she relied on the legal basis of legitimate interest. From the Preliminary findings the accused reportedly learned that she had processed personal data without any legal title, which she considers a surprising conclusion. In the statement of the contested decision, the administrative body of the first instance stated that the accused was found guilty of processing personal data without a legal title. It is therefore not clear to the appeals body why the accused considers the same (preliminary) conclusion of the appellate body surprising. The Appellate Body admits that the justification relating to the legal title is significantly supplemented in the Preliminary findings (as well as in the justification of this decision), which, however, is a response to the accused's arguments presented in the resolution.

25 Annex no. 5 of document no.
26 Available here.
27
28 Available here.

C. Information obligation

[111] The accused further disagrees with the conclusions of the administrative body of the first instance regarding the violation of the information obligation. The accused states that she informed her customers about the transfer of data for the purpose of statistical analysis. The accused considers unfounded and formalistic the complaint of the administrative body of the first instance regarding the information that the processed data are anonymized. The accused provided this information because she was and still is convinced that she anonymized the personal data. Even if the Office came to the conclusion that the data was only pseudonymised, the accused is convinced that she informed her customers sufficiently. According to the accused, customers cannot be expected to know the definitions of anonymisation and pseudonymisation. The purpose of Article 13 of Regulation (EU) 2016/679 is to inform data subjects in understandable language, while everyone understands the concept of anonymization as the removal of identifiers. In the assessed case, according to the accused, it was important that users were informed that the accused would "remove everything that could personally identify the customer" (point 136 of the breakdown).

[112] The accused also disagrees that the information on third-party analytical data did not state what data was processed for statistical purposes. In the company's Privacy Policy of April 2019 the accused, according to her statement, informed her customers that the URLs of visited pages, stripped of identifiers, would be used for statistical purposes. According to the accused, the same information cannot be repeated over and over, as the documents would be disproportionately long and it would not be possible to find one's way around them.
In the company's April 2019 Privacy Policy, in the section on the analytical data of third parties, it is stated that the accused transfers the data that she collects about users. What kind of data she collects is indicated in the other relevant places of the Personal Data Protection Policy. According to her statement, the accused duly informed her customers about the fact that she was collecting, among other things, information about browsing the Internet.

[113] In her statement of April 14, 2020, the accused submitted (annex 5) a "screen of the activation process of trend analysis and privacy settings from April 2019". According to the accused, users could object to the processing at any time. The following information was displayed to users: “Almost every piece of software you use collects information about your activities. Search engines, games and many more. We do the same. Thanks to this we can provide you with better products and services. But you can trust that we will respect your privacy. Furthermore, we promise you that we will never share or publish any of your personal data outside [...]. Of course, no one else will contact you for marketing purposes without your consent. The information collected helps us get to know new and interesting trends. We may share this information with third parties outside [...]. However, before we do this, we will remove anything that could in any way personally identify you. More information about our privacy policy. If, once the product is installed, you decide to disable the anonymous sharing of your data with the Company and third parties, you can do so in the program settings by unchecking the box 'Participate in data sharing' (emphasis added by the accused)”.

[114] In the Company's Principles of Personal Data Protection (Annex No. 7 to Ref. UOOU-01025/20-11) it is stated:

[115] “If we no longer need the personal data, we will stop using it or limit its use in accordance with the policy of minimization. For example, your email, URLs of pages that you visited and your files are scanned for malware detection and protection. Then we will delete your e-mail address and other personal data, or we will use hashing for any identifiers, whereby we change the service data into pseudonymized or anonymized data for users of paid services and anonymous data for users of free services, and then we will reuse the data about the Services for research, analysis, statistics, messaging, development, etc products, in-product messaging and marketing” (Chapter H. Data and Services).

[116] “Statistics that have been anonymized and are data aggregated from a geographical point of view, and therefore cannot be used to identify persons, we also share with third parties for the purpose of trend analysis” (chapter 1. Objectives of our policy, point 1.7).

[117] “We may use anonymous browsing data for third-party trend analysis. All users can turn off data sharing in product settings – Privacy” (chapter Mobile-Specific Service Data - Web Shields).

[118] “We pseudonymize and anonymize Clickstream data and reuse it for cross-product direct marketing, cross-product development, and third-party trend analytics” (Chap. Products and Services and AntiVirus and for Internet Security).
[119] It follows from the above information that the accused informed the users of her products about the sharing of anonymous data. Users were thus not informed that their personal data was being passed on, to what extent or to which entities. According to the appeal body, the information about the very purpose of data processing is likewise insufficient. Stating that "information they help us get to know new and interesting trends" and "thanks to you, we can provide better products and services" is too general and says nothing specific about how the processing takes place, what data is necessary for the processing or who is to be involved in the processing. The accused did not even inform the data subjects about what she specifically means by "trend analysis". Even after a detailed study of the information provided by the accused, the appellate authority does not find the information about data processing sufficiently clear and comprehensible to the data subjects; all the more so, it cannot be considered sufficiently comprehensible for the average user. Moreover, as was demonstrated above, it was not a (purely) statistical activity. According to the appellate authority, the information on the processing in question was insufficient and misleading.

[120] The accused also did not properly inform about the legal title on the basis of which she transferred personal data to the company. After all, according to the appeal body, she could not even do so, since the accused was not, and according to the content of the filed appeal still is not, able to unambiguously identify the legal title.

[121] First of all, the accused considers the transmitted data to be anonymous, to the processing of which Regulation (EU) 2016/679 does not apply.
In the appeal, the accused then argues the compatibility of purposes of processing for statistical purposes according to Article 5 paragraph 1 letter b) of Regulation (EU) 2016/679. At the same time, she states that she could also rely on the legal title of legitimate interest according to Article 6 paragraph 1 letter f) of the above regulation. From July 2019, the accused introduced consent to the processing of personal data, although she states that the processed data was completely anonymous (the period from July 2019, however, is not the subject of this administrative procedure) (footnote 29).

29 In July 2019, the accused made it possible to grant consent to the transfer of data for the purposes of trend analysis. Users were shown the information: "Do you want to share your data with us? Other companies may collect your data, but we do not want. (emphasis added by appeals authority) If you give us permission, we will collect anonymous data about your computer, network and websites you visit. It helps us create better products and services for millions of our users - including you. This data is aggregated and completely anonymous, so it cannot be used to identify or trace you. We may share it with external partners for the purposes of market and trend analysis and the collection of more valuable information. If you ever change your mind, you can always change your privacy settings in the app. (emphasis added by the accused)". Below this information are the buttons "No thank you" and "I agree" (Appendix No. 1 to the statement of the accused of April 14, 2020, reference number UOOU-01025/20-11).

[122] Regarding the accused's argument that she sufficiently informed the customers about what data she processes for statistical and analytical purposes, the appeal body states that the information was contradictory and unclear. If the accused informed about the transfer of anonymous information, users had no need to read the Privacy Policy in detail. Moreover, in the Personal Data Protection Policy itself, the information on the collection and transfer of data is fragmented across several places and confusing for the average user. The accused did inform users what data she collects as part of the provision of her products, but she did not provide sufficient information about exactly what data she was transferring to the company and for what purpose. In the Privacy Policy, for example, she informed that she will delete the e-mail address and other personal data. Users thus could not know which data was deleted and which was passed on. Nor could they know how identifiers are removed from URLs, and had to rely on the accused's information that the data passed on to the company is anonymous. After all, the accused objected in the appeal that the Office did not deal sufficiently with the process of anonymization. The accused thus claims, on the one hand, that it is clear enough from her Personal Data Protection Policy what data was transferred; on the other hand, she argues that the Office did not ascertain the exact scope of the data transferred, or that it did not deal sufficiently with the process of anonymization.

[123] The appellate body emphasizes that the accused was found guilty of violating Article 13 paragraph 1 letter c) of Regulation (EU) 2016/679, i.e. that at the moment of obtaining the personal data of her customers she did not inform them about the purpose of the processing for which the personal data are intended, nor about the legal basis of this processing. The subject of the appeal body's deliberations is not the use of an incorrect term (anonymization or pseudonymization) or other wording, but how the accused in fact processed personal data. The essential thing is that the removal of identifiers did not result in the anonymization of data in the sense in which it is understood by the public (as stated by the accused in the appeal), because (as explained above) the user can be re-identified. If the accused informed about the transmission of anonymous data, she gave users the false impression that they cannot be identified on the basis of the transmitted data.

[124] Regarding the obligation to provide information, the appellate body further states that the accused informs data subjects electronically in the course of providing her products. In such a case, it was simple to provide the individual information in layers. The user can thus first be provided with basic information in one layer and, if interested in more detailed information, can click on a link under which (in the next layer) he will get detailed information. The Appellate Body does not agree with the accused's argument that if she listed the information in more places, users would not be able to navigate the information provided.

[125] The accused stated in her statement of December 4, 2023 that, in accordance with the absorption principle, the violation of the information obligation (second offense) should be subsumed under the first offence, since the Office's conclusion on insufficient anonymisation is the basis for both offences, and the accused should not bear separate responsibility for them. The principle of absorption, however, means that a more severe punishment absorbs a milder one, not that the accused should not be responsible for the other offenses. The purpose of joint proceedings on multiple offenses is to impose only one fine, while the rate of the fine for the most severely punishable administrative offense is used to determine its amount. It is clear from the decision of the administrative body of the first instance (p. 20) that a fine was imposed on the accused (in accordance with the absorption principle) for an offense according to § 62 paragraph 1 letter b) of Act No. 110/2019 Coll., which the accused committed in violation of Article 6(1) of Regulation (EU) 2016/679. The fact that the accused had committed multiple offenses was assessed as an aggravating circumstance.

[126] Regarding the concurrent violation of Article 6 and Article 13 of Regulation (EU) 2016/679, the accused in her opinion of December 21, 2023 referred to the opinion of Advocate General Michal Bobek in the matter SIA "SS" (C-175/20), in which he stated: “If no clear and predictable legal basis is given which would ultimately allow such data transfer, it can hardly be expected that the administrator who collected the data would have already informed the data subject in accordance with Article 13 GDPR”. According to the accused, it follows from the quoted opinion that "violation of Article 6 automatically includes and thus inevitably means a violation of Article 13 of the GDPR precisely in the scope of information on the legal basis". In the given case, according to the appellate body, the Advocate General came to the conclusion that it was not possible to demand the fulfillment of the information obligation according to Article 13 of Regulation (EU) 2016/679, since the administrator in question did not know at all about the possible further processing of personal data (about the possible obligation to hand over the required data to the tax administration) (the obligation to pass on personal data was not established by national law). In the case now being dealt with, however, it is not the same situation, since the
accused knew that she was processing (transmitting) personal data. The accused also provided users with information about the transfer of data to the company, albeit incorrect; she was therefore aware that the obligation according to Article 13 of Regulation (EU) 2016/679 applies to her.

IIc. Amount of punishment

[127] Furthermore, the appellate body dealt with part IV of the appeal, according to which the contested decision is said to suffer from a whole range of defects concerning the imposed penalty. According to the accused, the Office is said to have decided in fundamental contradiction with its previous practice, incorrectly applied the criterion of seriousness and taken into account practically only the facts against the accused, while mostly ignoring the facts in her favour.

A. Compliance with the current decision-making practice of the Office

[128] The accused refers to § 2 paragraph 4 of the Administrative Procedure Code, according to which the administrative body shall ensure that no unreasonable differences arise when deciding factually identical or similar cases. In the case under consideration, the administrative body of the first instance, according to the accused, made a decision in obvious and fundamental inconsistency with its previous decision-making practice. The fine imposed on the accused is more than 5,000x higher than the sum of all fines imposed by the Office during the three years of Regulation (EU) 2016/679 being effective. According to the accused, it is hard to imagine that a violation of Regulation (EU) 2016/679 lasting only two months and completely formal (without any real impact on data subjects) could be so much more serious than all other violations of the said Regulation in their totality. Further, the accused pointed out that the fine imposed on her is more than 50,000 times higher than the previous highest fine imposed by the Office. According to the accused, not even the amount of her turnover is a relevant difference from the previous decision-making practice of the Office. The accused believes that the reason why the Office imposed on her a diametrically different fine could lie in the process of international cooperation. However, according to the accused, an effort to accommodate foreign supervisory authorities is not a legitimate reason for a decision contrary to previous decision-making practice, since the punishment must correspond to the severity of the offense and other relevant factors on the part of the accused, and not to the procedure which the Office used.

[129] According to the appellate body, the amount of the imposed fine is incomparable with other, previously imposed fines, for the reason that the act committed by the accused cannot be compared with the cases that the Office has dealt with so far. The Office has not dealt with similar processing of personal data in the past. The case under consideration is completely unprecedented in the way the data was processed, in its scope, in the number of affected data subjects and in the possible impact on their rights. In this context, the appellate authority states that the Office would have imposed an extraordinarily high fine on the accused even without discussing the case with other supervisory authorities within the framework of the international cooperation mechanism according to Article 60 of Regulation (EU) 2016/679. According to the appellate body, the entire case and the amount of the imposed fine must be assessed in the context of so-called Big Tech cases, i.e.
cases of large technology companies such as Meta, Amazon, Google, Apple, WhatsApp or Microsoft, which, like the accused, have hundreds of millions of customers. In this context, the appellate authority only adds, for illustration, that WhatsApp was fined 225 million EUR, which is approximately 16 times the fine imposed on the accused, and Meta Platforms was fined EUR 405 million, more than 28 times the fine imposed on the accused. Comparison with fines imposed by foreign supervisory authorities is, according to the appellate body, completely relevant, as Regulation (EU) 2016/679 is directly applicable throughout the EU and fines should thus be awarded according to the same criteria. In this regard, it is not decisive whether the fine was imposed on the administrators by the Office or by another supervisory authority. Regarding the argument of the accused (stated in the opinion dated 4 December 2023) that the stated technology companies have a much higher turnover than the accused (the imposed fine is therefore unreasonable according to the accused), the appellate body states that if the fine had been imposed according to the Instructions of the European Data Protection Board No. 4/2022 on the calculation of administrative fines according to GDPR (footnote 32) (hereinafter referred to as "Instructions No. 4/2022" - chapter 6.2.), it would be imposed on the basis of the company's worldwide turnover for the previous financial period. According to recital 150 of Regulation (EU) 2016/679, for the purposes of imposing administrative fines on an undertaking, the undertaking should be understood in the sense of Articles 101 and 102 of the Treaty on the Functioning of the EU. The Court of Justice, in the judgment of 5 December 2023 in Case Deutsche Wohnen, C-807/21 (paragraphs 55 to 57), stated that:

"As stated by the Advocate General in point 45 of his opinion, the reference to the concept of "undertaking" within the meaning of Articles 101 and 102 TFEU, which is contained in recital 150 of this regulation, must be understood precisely in this specific context of the calculation of administrative fines imposed for violations referred to in Article 83 par. 4 to 6 of the GDPR regulation. In this regard, it should be emphasized that for the purposes of applying the competition rules according to Articles 101 and 102 TFEU, this term includes any entity that performs economic activity, independent of the legal status of this entity and the manner of its financing. It thus indicates an economic unit, even if from a legal point of view it is an economic unit composed of several natural or legal persons. This economic unit is formed by a unified organization of personal, material and immaterial elements that pursues a certain economic objective for a long time (judgment of 6 October 2021, Sumal, C-882/19, EU:C:2021:800, point 41 and cited case law). From Article 83, paragraphs 4 to 6 of the GDPR regulation, which refers to the calculation of administrative fines for violations listed in these paragraphs, it follows in this context that if the entity on which the administrative fine is imposed is an undertaking or part of an undertaking within the meaning of Articles 101 and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking in question for the previous financial year."

If the appellate body, when calculating the fine, were to proceed from the turnover of the undertaking as defined by the Court of Justice, the imposed fine would be significantly higher, which would, however, be contrary to the principle of the prohibition of reformatio in peius. A change for the worse is prohibited by national law; therefore the appeal body did not act in a way that would lead to an increase in the imposed fine.

30 Available here: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry.
31 Available here: https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-instagram-inquiry.
32 Available here: https://edpb.europa.eu/system/files/2024-01/edpb_guidelines_042022_calculationofadministrativefines_cs.pdf.

[130] The imposed penalty cannot be considered exemplary. As stated further, the Office imposed, in accordance with Article 82 of Regulation (EU) 2016/679, a punishment it considers to be effective, proportionate and deterrent, with regard both to all the circumstances of the case and to the turnover of the accused. According to the appeal body, the imposed fine is also fully in accordance with the above-mentioned Instructions No. 4/2022.
[131] In her statement dated December 4, 2023, the accused objected that the Office's statement that the fine was issued in accordance with Instructions No. 4/2022 does not stand, since at the time of issuing the challenged decision these instructions had not yet been issued, although according to the accused it is clear that the Office was familiar with them at the time of issuing the contested decision. So if the Office proceeded according to the mentioned instructions in determining the fine, this was, according to the accused, a breach of the principles of fair trial and an inadmissible retroactive application. The Appellate Body considers it necessary to emphasize at this point that the instructions of the Board serve to ensure that Regulation (EU) 2016/679 is interpreted uniformly. If the Office states that the fine was imposed on the accused in accordance with Instructions No. 4/2022, this does not mean any change in the procedure for imposing fines, but only that the fine was imposed in accordance with Regulation (EU) 2016/679, whereby the correct application of the individual criteria is also confirmed by the subsequently issued instructions. The fine was therefore imposed according to Regulation (EU) 2016/679, not according to the instructions of the Board for its interpretation; therefore there can be no question of an inadmissible retroactive application of legal regulations. If the appellate authority had come to the conclusion that the subsequently issued Instructions No. 4/2022 interpret Regulation (EU) 2016/679 more favorably for the accused, which did not happen in the case under consideration, it would correct the conclusions of the administrative body of the first instance (it could reduce the fine).
[132] Just as it was possible to reveal from "anonymized" data that a particular German judge is interested in pornography, so too in the case under consideration information (even of a very sensitive nature) could be found out about specific data subjects that can be used (also in the future) not only for targeted advertising and offering relevant products, but perhaps also for targeted action on specific natural persons. The Appellate Body is convinced that the transmission of browsing history (albeit incomplete) to third parties may constitute a sensitive interference with the privacy of data subjects and, in the case of a targeted focus on specific data subjects, may cause them irreparable harm. The appeal body therefore resolutely rejects the opinion of the accused that she committed only a formal violation of Regulation (EU) 2016/679 without any impact on data subjects.

33 Compare the article referred to in footnote 12, which the accused referred to in her post on the social network Twitter.

B. Seriousness of Conduct

[133] Here, the accused primarily points to the difference between the type seriousness and the specific (individual) seriousness of the conduct, while the decision of the administrative body of the first instance is said to incorrectly take into account the type seriousness as the seriousness of the offence. On the other hand, the administrative authority of the first instance, according to the accused, did not evaluate the specific seriousness of the act in question. However, according to the accused, the purpose of evaluating the seriousness of the conduct is not to assess how serious the given conduct typically is in general (the legislator has already done so), but on the contrary to assess how serious the given act (specific conduct) is in comparison with other violations of the given provision. In her opinion, on the contrary, the specific seriousness of her conduct can be assessed as very low, since the alleged breach was supposed to have lasted only two months and the rights of data subjects were not affected, because the alleged potential connection of the data sets never happened and could not happen. According to the accused, the Office is effectively punishing conduct in which no threat to or violation of a protected interest occurred. Finally, the Office is also said to have given up on proving the specific number of allegedly affected subjects.

[134] Although the accused can be conceded to be right that, in general, the type seriousness expressed in the sanction part of the norm cannot be taken into account when determining the penalty, this is clearly not such a case. Under Article 83 paragraph 5 of Regulation (EU) 2016/679, a wide range of breaches of obligations arising from Regulation (EU) 2016/679 can be sanctioned, and it cannot be overlooked that the violation of some of them makes the act itself in a particular case more serious than the violation of some others. This is typically the case where legal obligations are violated with such intensity that the basic principles of personal data processing are violated. It can be stated, for example, that there is a principled difference between a short-term
exceeding of the deadline for responding to a data subject's request and a violation of the legality of processing in the absence of a legal title to the processing of personal data, even though by classification they correspond to the amount of administrative fines above 20,000,000 EUR, or up to 4% of global annual turnover.

[135] On the contrary, a violation of the principle of legality in the form of the absence of any legal title for the processing of personal data clearly represents the most serious type of conduct of an offender, since without it there can be no legal processing of personal data. In the absence of a legal title, it is fundamentally irrelevant from the point of view of legality whether and how the administrator fulfills any subsequent obligations, since this processing is illegal from the very beginning. Professional commentary literature says similarly: "The legal title is a condition without which processing is in no case possible, or rather is illegal from the beginning. Therefore, the existence of a legal title must, in addition to determining the purpose of the processing, always be the first thing that the controller must resolve before the intended processing. In the event that the administrator does not have a single valid legal title for processing, the entire processing is illegal from the beginning. In the event that such processing is dealt with by a supervisory authority, it is very likely that it will order this processing to stop and the unlawfully processed data to be disposed of. At the same time, it should be kept in mind that even in the event that the controller does not need to obtain consent and may rely on some other legal title, it must properly fulfill all other obligations arising from the Regulation, for example the obligation to provide information according to Article 13 or 14 of the Regulation."

[136] The above is confirmed by Instructions No.
4/2022 (item 62., example 5a), in which it is stated that the supervisory authority “gave significant weight to the nature of the breach, since the provision breached (Article 6 GDPR) is the basis of the legality of data processing as a whole. Failure to comply with this provision excludes the legality of the processing as a whole.”

34 NULÍČEK, M., et al. Article 6 Legality of processing. In: NULÍČEK, M., et al. General regulation on personal data protection (GDPR). Practical commentary [ASPI system]. Wolters Kluwer [cit. 20237-12]. ASPI_ID 1<032016R0679CZ. Available in the ASPI System. ISSN 2336-517X.

[137] The fact that the infringement of individual articles of Regulation (EU) 2016/679 is divided into two categories (Article 83(4) and (5) of the Regulation) according to severity does not mean that the severity of all conduct in one category is the same. On the contrary, the more serious the illegal conduct within one category, the higher the fine that may be imposed by the supervisory authorities. The existence of a legal title is, according to the appellate body, a conditio sine qua non, i.e. a condition without which the processing of personal data cannot (legally) take place. According to the appeal body, the administrative body of the first instance quite correctly assessed that the absence of a legal title to the processing is an absolutely essential non-compliance with the conditions of personal data processing.

[138] The objection of the accused cannot be accepted even in relation to the justification of the decision regarding the violation of Art.
13 of Regulation (EU) 2016/679. One cannot but agree with the administrative body of the first instance that, generally speaking, the information obligation significantly affects the general possibility of full exercise of the rights of data subjects. All the more so when what was at issue was the absence of any relevant information about the processing of personal data and its purpose, and the absence of other information on the basis of which data subjects would be able to make a truly free and informed decision regarding their personal data, as required by Regulation (EU) 2016/679.

[139] The question of duration and the related seriousness of the conduct is a relative question, since this period must be evaluated with regard to the other circumstances of the case. It can be stated that although two months do not represent an extremely long period of time, in the matter under consideration they nevertheless cannot be considered a short period of time. As the administrative authority of the first instance correctly stated, with regard to the intensity of the violation and the number of affected subjects, this period can definitely not be evaluated as a mitigating circumstance, since even a single day would be significant. It is then not decisive whether a real connection of datasets or other specific identification of data subjects has occurred. In this context, it is above all necessary to recall that the legislation on the protection of personal data does not duplicate the ex post protection of personality according to the Civil Code. The existence of personal data protection legislation, on the contrary, primarily pursues the purpose of preventing possible misuse of personal data and for this purpose establishes a number of personal data processing principles, including the requirement to have a valid legal title, data minimization, technical and organizational measures, etc., in such a way as to minimize the risk of misuse, even if only potential. Simply
put, to commit an offense under Regulation (EU) 2016/679 it is sufficient that the rights of data subjects have been endangered (an endangerment offense), i.e. unauthorized processing of their data does not actually have to interfere with their rights (this could, after all, be assessed as an aggravating circumstance). The Office therefore dealt with the case under consideration primarily as a result of an offence, which is understood as a threat to an interest protected by law, not its effect. The appellate body does not blame the accused for having interfered with the rights of individual data subjects, but for the fact that it cannot be ruled out that this happened (it is not certain that it did not), since the data sets in question, containing personal data, were transferred (sold) to a third party.

[140] The administrative body of the first instance stated in its decision that the duration of the offense had been proven to the extent given in the statement of the decision; it then stated that, for the purpose of determining the seriousness of the act, it took into account the fact that the beginning of the accused's processing was not bounded in time, but not the actual time preceding the proven (decisive) period. It follows from the contested decision that the administrative body of the first instance considered that the processing "did not begin limitedly at the beginning of the proven time, but until the time proved to have entered as 'running'". According to the appellate body, it clearly follows from the contested decision that the accused was found guilty and fined for the violation of the obligations of a controller of personal data in the period "from an unknown day in April 2019 to an unspecified day in July 2019". The administrative body of the first instance explicitly stated that, in determining the seriousness of the conduct, earlier processing was not taken into account, but only the temporally unbounded nature of the beginning of the criticized
processing. The appellate body agrees with the administrative body of the first instance that it is impossible to determine the exact date of the beginning or end of the processing in question; the time of the offense is therefore delimited by month and year, not by exact date. Activity of the accused that occurred before April 2019 or after July 2019 is not the subject of these proceedings, and the appellate body therefore did not consider it.

[141] Regarding the numbers of specifically (potentially) affected data subjects, the appellate body first recalls that the legislation treats as sanctionable conduct that affects even a single data subject. Any quantification is then important above all in the context of assessing the penalty for this conduct from the point of view of its seriousness, and here the number of data subjects affected or potentially affected by the conduct of the accused was reliably ascertained to be enormous, i.e. making the illegal act serious from a quantitative point of view. In this respect, the conclusion of the judgment of the Supreme Administrative Court of January 31, 2019, file no. 9 As 380/2017, can be cited: "It is clear that it would be a disproportionate burden on the defendant if, for the purposes of delimiting the act, he had to enumerate the number of affected data subjects accurately to the unit. That would of course be appropriate in situations where the offense concerns a single data subject or several individual data subjects, or when a more accurate number can be ascertained without disproportionate effort (e.g.
if personal data is processed automatically and is therefore accurately quantified). In general, however, it can be expected that precisely in the sphere of supervising compliance with regulations in the field of personal data protection, where data are usually processed en masse, situations will often arise where the affected personal data, data subjects and other circumstances are defined only by type, with a reasonable estimate of their number (and of course also of their kind). The Supreme Administrative Court endorses the reasoning of the contested judgment, which states among other things that "in relation to the consideration of the seriousness of the plaintiff's illegal conduct, the court does not consider it necessary that the number of data subjects affected by the actions of the plaintiff be enumerated completely accurately 'to the unit'; an order-of-magnitude determination that there were thousands of subjects - given the number of units managed or owned by the plaintiff, which are enumerated in the statement of the decision - is, in the opinion of the court, completely sufficient for consideration of the seriousness and scope of the illegal act". As stated above, the transfer of data to the company concerned data obtained from roughly 100,000,000 devices. One device can be used by multiple users, and likewise one user can use multiple devices, so according to the appellate body it is impossible to know exactly how many customers of the accused the data transmission concerned. However, the appellate body agrees with the conclusion of the administrative body of the first instance that the number of affected data subjects was enormous.

[142] As the administrative body of the first instance correctly stated, the processing of personal data was part of the professional activity of the accused, i.e.
in connection with its business activity, and it was a systematic, not random, activity. The personal data of the accused's customers were processed by means of information technology. The accused informed its customers about this sophisticated processing only very superficially and, moreover, in a misleading way. It was practically impossible for the data subjects to find out (verify) what data were being transferred and for what purpose, and they thus had to rely on the information from the accused, as a professional in the field whose products are used to protect data privacy. Users could not have known that the accused was transmitting (selling) data that were not anonymous, nor that they could be identified and that a fundamental interference with their privacy could thereby occur. The accused's customers could not have expected the data processing in question and thus could not defend their rights. The purpose of the illegal processing in question was to support the business activity of the accused, i.e. to make a profit. Regarding scope, the appellate body emphasizes the international, practically global character of the processing in question (the accused offers its products in more than 150 countries of the world).

[143] According to the appellate body, the harm caused to data subjects cannot be examined individually owing to the large number of affected subjects. As already stated above, the actions of the accused endangered the privacy of data subjects, and the impacts on the rights of individual subjects may manifest themselves only in the future. After all, it cannot be stated with certainty that the users were not identified, nor that they were not, or are not, targeted in some way on the basis of knowledge of their preferences or behavior.

C.
Additional criteria for determining the amount of the fine specified in Regulation (EU) 2016/679

[144] According to the accused, the Office took into account (often incorrectly) all the circumstances that were to its disadvantage, but ignored (with one exception) the circumstances that were in its favor, or disregarded them without justification.

[145] In January 2020 a number of Czech and foreign media reported that the accused was selling its customers' data to the company (some of these articles are part of the official record ref. UOOU-01025/20-3 dated 27 February 2020). By the press release mentioned, the Office merely responded to this media case, with the aim of informing the public that it had registered the case and would deal with it. The appellate body is convinced that what had a negative impact on the accused was the publication of information in the media, and not the press release of the Office. This is evidenced by the fact that the value of the accused's shares on the Prague Stock Exchange fell significantly even before that press release was issued (for example, on the website of Czech Television in an article entitled

[146] The appellate body assessed the individual circumstances whose incorrect consideration in deciding on the amount of the administrative fine was objected to by the accused as follows.

a) Fault

[147] As the first relevant criterion, the accused indicated culpability, i.e. whether a violation had occurred intentionally or negligently [Article 83 paragraph 2 letter b) of Regulation (EU) 2016/679]. The accused stated that culpability has two components, namely knowledge and volition. Regarding culpability, the decision of the administrative body of the first instance states that the accused knew what it was doing and therefore acted deliberately. Alone,
however, according to the accused, knowledge means negligent culpability. For intentional culpability the knowledge component alone is not enough; the volitional component is also necessary. The argument of the administrative body of the first instance that the accused acted within the framework of its business activity cannot, according to the accused, be sufficient to meet the high evidentiary standard for intentional wrongdoing. At the same time, according to the accused, the administrative body does not refer to any fact that would at least indicate, let alone prove, an intention of the accused to violate the provisions in question. Furthermore, the accused stated that it acted in an excusable legal error (error iuris), which excludes culpability, as the accused anonymized the transmitted data and did not know that it was transmitting personal data. In its supplementary opinion of December 21, 2023, the accused, on the subjective element of culpability, referred to the latest judgments of the Court of Justice of the European Union in the cases Nacionalinis visuomenės sveikatos centras (C-683/21) and Deutsche Wohnen (C-807/21), both of 5 December 2023.

[148] According to the recent case law of the Court of Justice mentioned (C-683/21 and C-807/21), a controller may be fined for violating Regulation (EU) 2016/679 only if it committed the violation culpably, i.e.
intentionally or negligently, while in the case of legal persons it is not necessary for the violation to have been committed by their governing body, or for that body to have known of the violation. In the judgment of the Court of Justice (C-683/21, point 81) it is further stated that “As regards the question of whether the breach was intentional or negligent, and whether it is therefore possible to impose an administrative fine for it according to Article 83 of the GDPR regulation, it is necessary to further specify in this regard that the controller can be sanctioned for actions falling within the scope of the GDPR regulation if this controller could not have been unaware of the illegal nature of its actions, regardless of whether or not it knew that it was violating the provisions of the GDPR".

[149] No specific definition of intention and negligence can be found in European law or in the case law of the Court of Justice, and the interpretation of these concepts in the Court's judgments is not always completely consistent and unambiguous. According to the Board's Instructions (WP 253) on the application and determination of administrative fines for the purposes of Regulation 2016/679 (page 11), "intention" means knowledge and wilful conduct, whereas "unintentional" means that there was no intention to cause a breach, even if the controller or the processor violated the duty of due care required by law. The Instructions cited expressly state that “deliberate violations that show contempt for the law are more serious than unintentional ones, and therefore may rather be grounds for imposing an administrative fine. (...) The circumstances indicating the intentionality of the breach could include illegal processing carried out with the express approval of the controller's senior management, or despite the recommendation of the data protection officer, or regardless of existing policies, such as the acquisition and processing
of data about the employees of a competitor with the aim of discrediting this competitor in the market. Further examples may include the following: altering personal data in order to create a false (positive) appearance of meeting goals (...), trading personal data for the purpose of marketing, i.e. selling data as if it were done with consent, even though the data subject was not asked how the data should be handled, or regardless of his opinion." As circumstances suggestive of negligence, the WP 253 Guidelines list “for example, failing to study and comply with existing policies, human factor failure, failure to check personal data in published information, failure to implement technical updates or policies in a timely manner (rather than their simple non-implementation). Businesses should be responsible for introducing structures and resources adequate to the nature and demands of their business. Controllers and processors therefore cannot justify violation of the Personal Data Protection Act by claiming a lack of funds." Procedures and documentation of the processing activity follow a risk assessment approach to compliance with the regulation. This concept of intent and negligence is also adopted in the subsequent Board Instructions No. 4/2022 (Chapter 4.2.2).

[150] According to § 15 paragraph 2 letter b) of Act No. 250/2016 Coll., an offense is committed intentionally if the offender knew that his conduct could violate or endanger an interest protected by law and, in the event that he violated or endangered it, accepted this (indirect intention). As already stated above, the accused knew that the data it sold to a third party could be re-assigned to specific data subjects, i.e.
that they are personal data. The accused, however, did not take sufficient steps to ensure that the data subjects could not be identified and that their privacy was not encroached upon. A contractual prohibition cannot be regarded as a sufficient measure in the context of an imminent encroachment on the rights of data subjects. Owing to the way the personal data were processed, the accused could not verify how the transmitted data were further processed, nor detect whether re-identification of data subjects was actually taking place, and it could not effectively prevent it either. Nor can it be overlooked that the company, on its website, essentially encouraged its customers to link the data obtained from it with the customers' own databases, which could have led (even unintentionally on the part of these customers) to identification of the users of the accused's anti-virus software. As stated by the accused in its opinion of December 4, 2023 (item 33), the company had further data sources. By combining data from different sources, the company could identify data subjects.

[151] According to the appellate body, encroachment on the privacy of data subjects (violation of or threat to an interest protected by law) was apparently not the accused's primary aim in selling the data to the company. The aforementioned adverse impact on the rights of data subjects would not necessarily have to occur; according to the appellate body, it should be seen as a side effect of the perpetrator's actions, while the accused was aware of this consequence. If invasion of privacy had been the purpose of the processing, it would be direct intention, which would constitute an even more serious violation of Regulation (EU) 2016/679. The appellate body considers it proven that the accused knew that data subjects could be re-identified on the basis of the data transmitted to the company, and accepted that users' privacy might be affected. The appellate body emphasizes at this point that any contractual prohibition
of re-identification of data subjects does not make the personal data anonymous.

[152] The above-mentioned conclusion of the appellate body is also confirmed by a former employee of the accused in an interview for ze, in which he stated that the depersonalized data transmitted by the accused can be personalized relatively quickly, and that some of the accused's employees knew about it, warned the accused about it, and some even left because of it. In response to the objection of the accused, stated in the opinion of 4 December 2023, that in the said interview he did not describe the tools needed to re-personalize the data or whether they were available to the company, the appellate body states that the statement is cited only in the sense that it confirms the conclusions reached by the appellate body. The appellate body does not rely on the said interview to explain how the company could identify data subjects.

[153] In Instructions No. 4/2022 (item 55, example 4), the example given of a circumstance indicating an intentional violation is "trading personal data for the purpose of marketing, i.e. selling data
as if it were done with consent, although the data subject was not asked how the data were to be dealt with, or regardless of his opinion". In the case now under consideration, although it was not primarily a matter of selling personal data for direct marketing purposes, it was nonetheless a matter of trading in personal data that could be used for marketing purposes (from the browsing history it was possible to find out the interests and behavior of the data subjects and to offer them products and services corresponding to their interests). According to the appellate body, what is decisive in the case under consideration is not the marketing purposes but the fact that it was a sale of personal data, while the accused completely ignored the opinions of the data subjects. The accused did give data subjects the option to choose that their data not be transferred (opt-out). Owing to the insufficient fulfillment of the information obligation (the accused did not inform the data subjects at all that their personal data were being traded or how specifically their data would subsequently be used), however, this cannot be considered a real choice, since users decided on the basis of incomplete or misleading information. The appellate body is therefore convinced that the conclusion about the intentional conduct of the accused is in accordance with the Board's instructions.

[154] Regarding the alleged excusable legal error, the appellate body states that the accused acted intentionally and knew that its act was illegal. Even if this were not the case, the accused is a privacy protection company whose relationship with the users of its antivirus products is, by its very nature, based on trust, which presupposes a high level of expertise and ethics in its conduct. Before transferring the data to the company (i.e. before starting the processing of personal data in question), the accused should have assessed very carefully whether the data were really anonymous, as it must have been aware that in the case of
transferring data that could be assigned to specific users, and moreover on such a large scale, there could be a sensitive interference with the privacy of data subjects. The accused could thus have avoided the alleged legal error if it had made sufficient efforts. The appellate body therefore states that the accused could not have acted and did not act in an excusable legal error. Moreover, according to § 17 paragraph 1 of Act No. 250/2016 Coll., a person does not act culpably who, when committing the offense, did not know that his act was illegal, if he could not have avoided the error. The cited § 17 is included in Chapter II of Act No. 250/2016 Coll., regulating the liability of a natural person for a misdemeanor. Title III, regarding the liability of a legal entity for a misdemeanor, does not mention the institute of legal error. The institute of legal error is therefore explicitly addressed in Act No. 250/2016 Coll. only in relation to natural persons, not legal entities.

[155] At this point, the appellate body considers it necessary to recall that the accused provides software intended to protect the privacy of its users. An extremely high level of competence in the area of personal data protection is thus expected from the accused, as an expert in the information and cyber field. The accused was aware of the risk of the data processing, or rather of how difficult it is to achieve complete anonymization of data (especially in a very rapidly developing technological environment), yet decided to monetize the data about its users in the manner described above.

b) The level of responsibility of the controller, taking into account the technical and organizational measures introduced by it

[156] According to the accused, the administrative body of the first instance should have taken the technical and organizational measures introduced into account when evaluating the case under Article 83 paragraph 2 letter d) of Regulation (EU) 2016/679. The accused at least pseudonymised
the transmitted data (in its opinion, they are anonymized). Pseudonymization is listed in Article 32 of Regulation (EU) 2016/679 as one of the methods of securing personal data, which is why the administrative body of the first instance should have assessed pseudonymization as a mitigating circumstance.

[157] The appellate body agrees with the accused that the administrative body of the first instance should have evaluated the technical and organizational measures it adopted, although the subject of these proceedings is not a violation of the obligations arising from Articles 25 and 32 of Regulation (EU) 2016/679. As already mentioned above, the accused did take certain measures, consisting in removing some identifiers from the URL addresses (name, surname, e-mail address, etc.) or in a contractual prohibition of re-identification of data subjects; however, these measures were not sufficient to make it possible to consider the transmitted data anonymous. At the same time, even at the request of the appellate body, the accused did not provide information from which the appellate body could conclude that the measures taken were sufficient. As follows from Instructions No.
4/2022 (item 81.), the adoption of technical and organizational measures should be considered a mitigating circumstance only in exceptional cases, when the controller goes beyond its duties. In general, however, the level of responsibility of the controller will be considered an aggravating or neutral factor. In the case under consideration, according to the appellate body, the accused took certain measures which could make re-identification of data subjects difficult (but not impossible); the appellate body therefore considers the degree of responsibility of the controller a neutral factor. The appellate body, like the administrative body of the first instance, did not evaluate the degree of responsibility of the accused as an aggravating or mitigating circumstance.

c) Prior Violation

[158] According to the accused, it should have been taken into account that the accused had not yet been punished for illegal conduct in connection with the processing of personal data. According to the accused, as a rule, in the case of an offender's first illegal act, punishment is waived or a penalty is imposed at the lower limit of the statutory range, since it can be expected that the warning itself (or a minimal punishment) will deter the offender from future wrongdoing.

[159] On this point, too, the appellate body did not find the accused's statement relevant. If the appellate body proceeds from the wording of Article 83 paragraph 2 letter e) of Regulation (EU) 2016/679, this provision stipulates the obligation to take into account all relevant previous violations by the controller or processor. The European legislator merely reflects here that recidivism is in itself generally an objectionable aspect of the offender's personality and testifies to the insufficient corrective effect of the previous measure, which must be taken into account in the amount of the penalty.
The absence of a prior violation is not envisaged by the said provision as a mitigating circumstance, and the appellate body likewise did not come to the conclusion that, for such a serious and socially harmful act, fundamental account should be taken of the fact that this is the first administrative penalty imposed on a specific controller or processor within the competence of the administrative authority. Regulation (EU) 2016/679 (like any other generally binding legislation) is based on the assumption that its addressees, i.e. in this case controllers and, where applicable, processors, will comply with their obligations arising from it. That is why the fact that a controller has not yet been punished for violating it should not be considered a mitigating circumstance.

[160] The above-mentioned conclusion also follows from Instructions No. 4/2022 (point No. 94), in which it is stated that the existence of previous illegal acts can be considered an aggravating circumstance when calculating the fine. However, the absence of previous violations cannot be considered a mitigating circumstance, since compliance with Regulation (EU) 2016/679 is the norm.

d) Category of personal data

[161] According to the accused, the administrative body of the first instance should also have taken into account the fact that the unauthorized processing did not concern a special category of personal data. According to the accused, it is not possible to claim that the conduct in question is as serious as if a special category of data had been processed.

[162] The appellate body disagrees with this conclusion of the accused. The prohibition of processing without the relevant legal title, or without proper notification of the processing, applies generally to any personal data. The further (stricter) conditions set by Regulation (EU) 2016/679 for the processing of special categories of data represent a specific superstructure on top of the processing of "standard" personal data. Processing of special categories of
data would, considering their sensitive nature, undoubtedly be a criterion that fundamentally increased the harmfulness of the conduct under consideration. This does not mean, however, that illegal processing of "only standard" data without these characteristics is a mitigating circumstance. It would merely not be an aggravating circumstance, as the administrative body of the first instance correctly evaluated.

[163] The same conclusion follows from Instructions No. 4/2022 (point 57), in which it is stated, regarding the requirement to take into account the category of personal data concerned [Article 83 paragraph 2 letter g) of Regulation (EU) 2016/679], that the regulation clearly emphasizes the types of data (data covered by Art. 9 and 10 of the said regulation) which deserve special protection and therefore a stricter response as far as fines are concerned. According to the appellate body, it cannot be inferred from the above instructions that unauthorized processing of only "standard" personal data should be a mitigating circumstance. On the contrary, illegal processing of a special category of personal data is assessed more strictly.

e) The manner in which the Office became aware of the conduct

[164] The administrative body of the first instance states in the contested decision that the Office found out about the conduct in question from the media. According to the accused, this is not true, as it notified the Office of all its data operations, including the transfer of anonymized data to the company for the purpose of statistical analysis, already on August 1, 2018. According to its statement, the accused
According to her statement, the accused she could not report that she was committing an offense because she did not know about it (and still with this conclusion does not agree)/Accused deleted because they have notified the Office of all relevant factual information yet before the start of the local administrative proceedings/ Reports on the case in the media then according to the accused only drew attention to the whole matter and induced the Office to take certain action/ The fact that the Office learned relevant information about the transfer of data to the company from the accused, by according to her, he should have taken into account as a mitigating circumstance/ [165] When assessing the circumstances according to Article 83 paragraph 2 letter h) of Regulation (EU) 2016/679, it is possible take into account how the supervisory authority became aware of the violation, in particular whether the administrator or the processor reported the violation, and if so, to what extent/ As the accused states in the breakdown, She did not report the violation of Regulation (EU) 2016/679 to the Office/ It is true that the accused as part of the control maintained under sp/ stamp/ UOOU-07166/18 with a note dated August 1, 2018, informed the Office that it was handing over the company's data, however, it stated (in fact, as it claims so far) that it is data anonymized/ The Authority had no indications at the time that the allegations accused in any way questioned, that is why he did not deal more closely with the transfer of anonymous data/ !ž on the basis information from the media and from the complaint dated February 22, 2020, the Office suspected that the accused transferred personal data to the company, not anonymous data/ Appeals body so 51/57 reached the same conclusion as the administrative body of the first instance, i.e. that the way in which became aware of the violation, cannot be considered a mitigating circumstance/ In accordance with Instructions No. 
4/2022 (point 99.) the appellate body evaluates this circumstance as neutral.

f) Previously ordered measures

[166] The accused further objects in the statement that the administrative body of the first instance did not, in the contested decision, take into account the criterion set out in Article 83(2)(i) of Regulation (EU) 2016/679, i.e. fulfillment of the measures that were previously ordered against the accused in connection with the same subject matter. Although the accused agrees that the Office did not issue corrective measures in the sense of Article 58 paragraph 2 of Regulation (EU) 2016/679 against it, it believes that the administrative body of the first instance neglected the fact that the accused completely complied with the requests the Office sent to it as part of the "preparatory proceedings" before the administrative proceedings were initiated, which led to the Office not initiating proceedings for the imposition of remedial measures. According to the accused, the measures were not imposed only because the accused cooperated with the Office. If the fulfillment of previously imposed measures is a mitigating circumstance, then all the more so, according to the accused, is the fact that the correction took place even without these measures being imposed.

[167] Pursuant to Article 83(2)(i) of Regulation (EU) 2016/679, when imposing fines the supervisory authority shall take into account the fulfillment of measures that were previously ordered against the given controller or processor in connection with the same subject matter. As the accused itself states, the Office did not impose any measures on it. According to the appellate body, it is not possible to evaluate the fulfillment of an obligation that was not imposed. At the same time, as already mentioned above, the inspection under file no. UOOU-07166/18, on the basis of which the accused voluntarily accepted the legal measures, was not aimed at the
transfer of personal data to the company, because the Office did not know that personal data were being transferred. According to the appellate body, the condition of the same subject matter of proceedings is not met. The administrative body of the first instance correctly assessed the circumstance under Article 83 paragraph 2 letter i) of Regulation (EU) 2016/679 as neutral. According to the appellate body, this conclusion is fully in accordance with Instructions No. 4/2022 (point 102), in which it is stated that compliance with previously ordered measures (which in this case were not even ordered) is mandatory for the controller or processor and should not in itself be considered a mitigating circumstance.

g) Character of the company

[168] According to the accused, the drafters of Regulation (EU) 2016/679 apparently did not consider the nature of the controller relevant to the amount of fines, otherwise they would have stated it in the regulation. According to its own statement, the accused provides an anti-virus program and does not deny that its services are connected with clients' trust; however, this applies to a whole range of other services. The accused then emphatically rejects the claim of the administrative body of the first instance that it had disappointed the trust of its customers when, without their knowledge, it transmitted anonymized data for the purpose of analyzing trends. The accused properly informed its customers; moreover, trend analysis cannot be made out to be something illegitimate, as it is a socially beneficial activity (it makes it possible to improve services and general customer comfort) that most internet companies carry out.

[169] On this point, the appellate body first states that, according to Article 83 paragraph 2 letter k) of Regulation (EU) 2016/679, the supervisory authority is to take into account, when deciding on fines, any other aggravating or mitigating circumstance relating to the circumstances of the given
case. Instructions No. 4/2022 (point 109.) state in this context that the aforementioned provision intentionally leaves room for the discretion of the administrative body regarding the economic and social situation in which the controller or processor operates, the legal situation and the market situation. According to the appellate body, the character (business activities) of the company (the accused) and of the products it offers (i.e. that economic, social and market context) must be included in the assessment of the circumstances that may affect the amount of the fine. The accused creates and offers products that are meant to protect the information and privacy of their users, in the case under consideration in the online environment (the Online Security product). Users, as customers, expect from the accused, as a professional in the field of data protection, among other things, an above-average level of protection of their personal data; they gave the accused access to their data because they assumed that its confidentiality would be maintained. By using the accused's tools, users wanted to prevent unauthorized use of their access data, or at least to minimize the risk of such misuse or unauthorized access. However, the accused endangered their privacy in a very dangerous way. Although the accused allowed users of the antivirus software and its Internet browser extensions to refuse the transfer of data to the company, it did not sufficiently inform users about what data was being transferred. The appellate body is convinced that far fewer users (if any) would have consented to the transfer of data had they known that their personal (not anonymous) data was being transmitted. The essential aspect, according to the appellate body, is that the accused handed over personal data of users which it had obtained precisely in connection with the provision of antivirus software. Nor can the fact be overlooked that the accused, under the Data Order, sold this data to the company, i.e.
passed it on for the purpose of making a profit.

[170] In its decision-making practice, the European Data Protection Board also attributes to the provision of Article 83(2)(k) of Regulation (EU) 2016/679 "fundamental importance for adapting the amount of the fine to the particular case", while "it should be interpreted as an example of the principle of impartiality and justice applied to a specific case" 37 (unofficial translation). The Board also stated that Article 83(2) of Regulation (EU) 2016/679 does not represent an exhaustive list of evaluation criteria that the supervisory authority must take into account when determining the amount of the fine, so that the fine is, in each individual case, effective, proportionate and dissuasive in accordance with Article 83(1) of the aforementioned regulation. The appellate body, like the administrative body of the first instance, evaluates the nature of the accused's conduct as an aggravating circumstance.

h) Duration of proceedings

[171] According to the accused, the administrative body of the first instance should have taken into account the disproportionate length of the proceedings. The consequence of the long administrative proceedings (over two years) is that the sanction lacks a corrective and motivational effect, as the accused cannot in any way reflect the result of the proceedings in its own practice. The accused voluntarily rectified the alleged deficiencies, and the imposed fine thus misses the individual preventive purpose of administrative punishment. According to the accused, the unreasonable length of the proceedings is one of the criteria taken into account in sentencing in criminal proceedings, and the principles of criminal law are also appropriately applied within the framework of administrative punishment. According to the accused, the length of the proceedings is also relevant for decision-making under Regulation (EU) 2016/679. The accused points to the decision of the Norwegian Privacy Board (Personvernnemnda), which canceled the fine imposed by the Norwegian supervisory authority due to the unreasonable length of the proceedings, which lasted almost three years. At the same time, Personvernnemnda stated that if it had not canceled the fine, it would have recommended that the supervisory authority reduce it.

37 Binding decision of the Board No. 3/2022 on the dispute submitted by the Irish supervisory authority regarding the company Meta Platforms Ireland Limited and its Facebook services [Article 65 of Regulation (EU) 2016/679], point 368. "The EDPB considers this provision "of fundamental importance for adjusting the amount of the fine to the specific case" and that "it should be interpreted as an instance of the principle of fairness and justice applied to the individual case". The EDPB recalls that Article 83(2) GDPR contains a nonexhaustive list of assessment criteria to be considered, if appropriate, by the LSA in determining the amount of the fine corresponding to what is necessary to be effective, proportionate, and dissuasive in accordance with Article 83(1) GDPR."

[172] The Office admits that the administrative procedure took a relatively long time. The complexity of the entire case had a significant influence on the length of the procedure, both before the administrative body of the first instance and before the appellate body. As the appellate body has already stated above, the case under consideration is, in terms of the method of processing personal data and its extent, completely unprecedented in the Office's decision-making practice. In the appeal proceedings, the accused did not substantiate in any way its claims regarding the anonymization of data (contrary to the principle of accountability) and refused to provide the Office with the requested information. The appellate body therefore had to assess all the circumstances of this complicated case without the cooperation of the accused, which led to delays.

[173]
It follows from the administrative file that the Office was not inactive in the matter. The accused made extensive use of its procedural rights (numerous inspections of the file), and it submitted many statements and repeated requests for the extension of deadlines for individual procedural actions. The length of the proceedings was also contributed to by the fact that, in the course of the proceedings, the Office decided on the accused's motion to order an oral hearing (resolution on the rejection of the motion No. UOOU-01025/20-43, decision on the rejection of the accused's appeal ref. UOOU-01025/20-81) and on the accused's request to inspect all records from the cooperation mechanism under Article 60 of Regulation (EU) 2016/679 (resolution on non-compliance with the request ref. UOOU-01025/20-61, decision on the rejection of the accused's appeal ref. UOOU-01025/20-82). The length of the proceedings before the administrative body of the first instance and before the appellate body was also influenced by the cooperation mechanism with other supervisory authorities under Article 60 of Regulation (EU) 2016/679, as both the draft decision of the administrative body of the first instance and the draft decision on the accused's appeal were submitted to the other supervisory authorities concerned.

[174] The appellate body disagrees with the accused's view that the fine imposed lacks the individual preventive function of administrative punishment. The individual preventive function of punishment is to deter the offender from further violations of the law in the future. In addition, the individual preventive function is not the only function that administrative punishment is supposed to fulfill. In the case under consideration, neither the preventive function, whether individual or general, nor the repressive function can be disregarded.

[175] On the accused's argument regarding the decision of the Norwegian Privacy Board, the appellate body states that it
completely agrees with the administrative body of the first instance that the said decision is irrelevant in view of the significance and scope of the accused's conduct, which is the subject of these proceedings. The appellate body also points out that the Office is not bound by the decision of another supervisory authority which, in proceedings conducted by it in accordance with Regulation (EU) 2016/679 and its national legal regulations, reduced or canceled a fine due to the unreasonable length of the proceedings.

i) Newness of the relevant regulation

[176] According to the accused, the fact that the incriminated conduct took place only one year after Regulation (EU) 2016/679 took effect should have been taken into account. The novelty of the legislation in question and the technical complexity of the relevant processes (the need to create complicated technical solutions) should have played a significant role. According to the accused, this approach is also confirmed by earlier statements of the Office, which itself emphasized that the goal of its activity in the initial phase of the effectiveness of Regulation (EU) 2016/679 would primarily be to achieve a compliant state and not a punitive approach.

[177] At this point, the appellate body can only express a certain degree of surprise, or even concern, about the possible activity of the accused prior to the applicability of Regulation (EU) 2016/679. The necessity of having a valid legal title for handling personal data, or for their processing, is the very basic principle of the legal regulation of personal data protection and, in general, of any interference in a person's personal sphere, and it applied unconditionally, in essentially unchanged form, under Act No. 101/2000 Coll., on the protection of personal data and on the amendment of certain laws, which transposed Directive 95/46/EC into the Czech legal order. 38 Similarly to Regulation (EU) 2016/679, Act No. 101/2000 Coll.
tied the processing of personal data to the existence of available legal titles on the part of the controller and to the related performance of other obligations, including the obligation to provide information. Possible discussions about minor nuances between the wording of individual legal titles according to § 5 par. 2 of Act No. 101/2000 Coll. and paragraph 1 of Regulation (EU) 2016/679 can be accepted; however, in the context of the matter, the differences are completely irrelevant. The same applies in the case of the definition of personal data. After all, the accused itself must obviously have been aware of these obligations, since in point 200 of the appeal it explicitly refers to them and confirms its knowledge of the personal data protection regulations effective before Regulation (EU) 2016/679 when it asks that the absence of any penalty for their violation be taken into account. In any case, it cannot be concluded that, in connection with the criticized conduct, there was any new regulation worthy of special attention.

[178] Beyond the scope of the appeal, the appellate body states that, in agreement with the administrative body of the first instance, it assessed as an aggravating circumstance the fact that the accused, in connection with the same personal data processing, also violated another provision of Regulation (EU) 2016/679, specifically Article 13(1)(c). As a mitigating circumstance within the meaning of Article 83(2)(f) of Regulation (EU) 2016/679, the administrative body of the first instance and the appellate body took into account the fact that the accused voluntarily took steps to correct the illegal situation in July 2019 by introducing direct consent [although, according to the appellate body, this consent does not fully comply with the requirements of Article 4(11) of Regulation (EU) 2016/679] with the processing of personal data of users for the
purpose of statistical analysis of trends and by revising its privacy policy. The criterion listed in Article 83(2)(j) of Regulation (EU) 2016/679 is not relevant in the case under consideration; the accused does not claim compliance with an approved code under Article 40 or a certificate under Article 42 of Regulation (EU) 2016/679, therefore the appellate body did not evaluate it.

[179] The appellate body also evaluated the circumstances under Article 83(2)(c) of Regulation (EU) 2016/679, i.e. the steps taken by the accused to mitigate the damage caused to the data subjects. It follows from Instructions No. 4/2022 (point 76.) that the measures taken by the controller must be assessed especially with regard to their timeliness and effectiveness. Measures carried out spontaneously before the controller becomes aware of the investigation conducted by the supervisory authority are more likely to be considered a mitigating circumstance than actions taken after that point. The company ceased its activities in January 2020, which the appellate body perceives positively; however, this step could not mitigate the harm caused (or avert imminent harm) to data subjects whose data had already been transferred to the company, which further processed it and made it available to third parties. The appellate body is not aware of any other steps the accused has taken to mitigate the possible consequences of its unlawful conduct on data subjects. On the basis of the above, the appellate body did not evaluate the circumstances arising from Article 83(2)(c) of Regulation (EU) 2016/679 as either mitigating or aggravating.

38 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data.

[180] The appellate body thus completely agrees with the procedure of the
administrative body of the first instance in calculating the administrative fine, and with its amount.

[181] In addition to the above, the appellate body states that, when calculating the fine, the administrative body relied on the turnover of the accused for the year 2020, which according to the financial statements of the accused published on the justice.cz portal amounted to CZK. When determining the amount of the fine, supervisory authorities are to rely on the turnover of the accused at the time the decision is issued 39, not at the time the offence was committed. According to the financial statements of the accused for the year 2022 (the financial statements for the entire year 2023 had not been published by the date of this decision) the turnover of the accused reached the above CZK, which is an amount almost CZK 1 billion higher. According to § 152 paragraph 6 letter a) of Act No. 500/2004 Coll., a decision may be amended in appeal proceedings if this fully satisfies the appeal and if no harm can thereby be caused to any of the participants. For this reason, in accordance with the principle of the prohibition of reformatio in peius, the appellate body did not rely on the turnover of the accused for the year 2022; the fine imposed by the administrative body of the first instance cannot be increased.

[182] For the sake of completeness, the appellate body will also comment on the possibility of raising an objection of bias against the members of the appeal commission. The appeal commission is only an advisory body that does not itself decide the matter, and thus one cannot speak of bias in the true sense of the word. On the basis of its requests for notification of the composition of the appeal commission, the accused was repeatedly told that the list of all duly appointed members of the appeal commission is published on the website of the Office
(https://uoou.gov.cz/urad/povinne-zverejnovane-informace/rozkladova-komise), and a list of the members of the appeal commission was sent to it in the appendix to communication ref. UOOU-01025/20-118 dated January 4, 2024. For reasons of preventive protection of the members of the appeal commission against possible attempts by the accused to influence their opinion, the Office does not inform the accused whether the chair of the Office will assign the case for discussion to the plenary session of the appeal commission or to a specific senate, possibly a senate expanded by members of the appeal commission from other senates. The accused was repeatedly informed about the composition of the appeal commission. If it believed that any member of the appeal commission was biased, it could have raised a "bias objection" without being informed which specific members of the appeal commission would participate in the discussion of the case. However, the accused did not raise an objection against any member of the appeal commission.

III. Conclusion

[183] In view of the above, the accused proposed that the Chairman of the Office annul the challenged decision and discontinue the proceedings. However, if the Chairman of the Office comes to the opinion that the accused committed the offence, he should, according to the accused, impose a punishment in the form of a warning or significantly reduce the imposed fine, as its current amount is illegal according to the accused.

[184] In addition, the appellate body summarizes that it has set out in detail, in the previous parts of the justification, the reasons for not granting the accused's appeal proposal. The finding of guilt is supported primarily by indirect evidence, which, according to the appellate body (in accordance with case law, cf. e.g. the resolution of the Constitutional Court no.
I. ÚS 1875/16 of 19 December 2016) forms a logical, unbroken chain of complementary pieces of evidence which, in their entirety, reliably prove all the circumstances of the act. Disrespect for privacy and for the right to the protection of personal data represents a violation of fundamental rights guaranteed by the Charter of Fundamental Rights of the European Union, which the Office, above all, is called upon to defend. For all the above reasons, the appellate body decided as stated in the operative part of this decision.

Instruction: Pursuant to the provisions of Section 152 paragraph 5 of Act No. 500/2004 Coll., Administrative Code, no appeal may be filed against this decision.

Prague, April 10, 2024

Mgr. Jiří Kaucký
chairman
(electronically signed)