UOOU (Czech Republic) - UOOU-01025/20-121: Difference between revisions
From GDPRhub
mNo edit summary |
mNo edit summary |
||
| Line 69: | Line 69: | ||
}} | }} | ||
Cybersecurity and antivirus company Avast was fined €13 | Cybersecurity and antivirus company Avast was fined €13.7 million - the highest fine ever imposed by the Czech DPA. The company failed to anonymize browsing data of more than 100 million users before sharing it with third parties for market analysis purposes. | ||
== English Summary == | == English Summary == | ||
Latest revision as of 09:26, 24 April 2024
| UOOU - UOOU-01025/20-121 | |
|---|---|
 | |
| Authority: | UOOU (Czech Republic) |
| Jurisdiction: | Czech Republic |
| Relevant Law: | Article 5 GDPR Article 6 GDPR Article 6(1)(f) GDPR Article 13 GDPR Article 13(1)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 05.04.2022 |
| Decided: | 10.04.2024 |
| Published: | |
| Fine: | 351000000 CZK |
| Parties: | Avast Software, s.r.o. |
| National Case Number/Name: | UOOU-01025/20-121 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Czech |
| Original Source: | UOOU (in CS) |
| Initial Contributor: | im |
Cybersecurity and antivirus company Avast was fined €13.7 million - the highest fine ever imposed by the Czech DPA. The company failed to anonymize browsing data of more than 100 million users before sharing it with third parties for market analysis purposes.
English Summary
Facts
On a basis of an anonymous complaint submitted on 22 February 2020 and a major media case, the DPA started an investigation against Avast Software s.r.o. (‘the controller’ or ‘Avast’), a company providing antivirus software services and browser extensions (‘add-ons’).
For at least two months in 2019, Avast allegedly collected and sold a portion of their users’ browsing data with a company called Jumpshot, INC. Specifically, they shared pseudonymised browsing history linked to a unique identifier of approximately 100 million users through the add-ons. Jumpshot, INC. claimed to provide this data to marketers, offering insights into consumer online behavior and ‘atomic-level’ user browsing tracking.
The decision-making process consisted of 2 parts – first instance ruling by the DPA and second instance ruling by the Appellant Body within the same DPA.
First instance decision
Due to the cross-border nature of the processing, the DPA authority of first instance submitted a draft decision with other supervisory authorities concerned in the framework of One Stop Shop mechanism. None of the supervisory authorities raised a relevant and reasoned objection to the draft decision.
On 14 March 2022 the DPA found the controller was guilty for committing the abovementioned offences. In particular, the controller processed data without legal basis under Article 6(1) GDPR and in violation of transparency obligations in the privacy policy under Article 5(1)(a) and 13 GDPR. The DPA in the first instance did not dispute that the accused had legal authority to collect personal data, but claims that it had no legal basis for transmitting it to Jumpshot, INC.
The controller filed an appeal arguing that :
- they used robust anonymization techniques for processing;
- the average user was aware that their data was processed for statistical purposes;
- the purpose of transmission of data to Jumpshot INC. was compatible with the primary purpose of the processing pursuant to recital 50 and Article 5(1)(b) GDPR.
Regarding the last point, the primary purpose of the processing was to conduct statistical analysis which is compatible with the purposes of processing conducted by Jumpshot INC. concerning establishment of general tendencies and trends on the market.
Controller's specific arguments in the appeal before the DPA
The controller explained that the anonymization process followed methods patented in the US which removed all identifiers, information that indirectly identifies the user (e.g. user ID) as well as information from which identification could potentially be inferred (e.g. unique combination of certain parameters contained in the URL). The controller also commented on the contract concluded with Jumpshot, INC. that the provision referring to anonymization as the removal of direct identifiers in reality meant much broader process of anonymization. They argued that the re-identification of data subject could not be reasonably foreseen as it was contractually prohibited.
The controller admitted that this was commercial activity, however, statistical activity pursuing commercial interests also meets the definition of statistical activity under the GDPR.
Moreover, the controller considered that the DPA in the first instance wrongly classified data transmitted to Jumpshot, INC. as personal data on the basis that (theoretically) two data sets could be merged and thus the data subjects could be identified. In the controller’s view this would imply that data subject can be identified anytime two data sets including general information are merged together. The controller claimed that certain information can be personal data for one person without being personal data for another person. Moreover, the controller argued that, in line with the CJEU precedents, assessing a data subject's identifiability requires considering means reasonably accessible to controllers or third parties. They contended it is unreasonable to expect third parties to use illegal means.
Furthermore, the controller argued that pseudonymized or anonymized data processing for statistical analysis is common in digital companies. Regarding the transfer to Jumpshot, INC., they assert that the controller's legitimate interest outweighed data subjects' concerns since there was minimal risk, opt-out options, and benefits in commercial and product improvement pursuits.
The controller complained that the DPA did not inform them in detail throughout the proceedings of what they were charged with, thereby violating Article 6(3)(a) ECHR, according to which 'everyone, who is charged with a criminal offence" has the right "to be informed promptly and in a language which he understands in detail of the nature and cause of the charge against him". The controller also considered that his procedural rights were violated by the the denial of access to cooperation mechanism records, coupled with the controller's non-participation in the One Stop Shop procedure.
Another procedural defect identified by the controller was a violation of their legitimate expectations as the case was already dealt with by the DPA on 2 July 2018 in the case no. UOOU-07166/18. The controller disagreed with the argument of the DPA of first instance that the case from 2018 concerned only the development of an antivirus programme and not its add-ons.
The controller finally argued that the fine imposed by the DPA of first instance is more than 5.000 higher than the sum of all fines imposed by the DPA in the three years and 50.000 times higher than the highest fine imposed by the DPA. The controller disagrees that a mere two-month-long violation without any real impact on data subjects could be so much more serious than all other breaches of the GDPR.
Holding
On the question of legal basis, the DPA stated that even in the case of processing personal data for statistical purposes, disproportionate interference with the right of data subject is prohibited. The DPA agreed with the controller that an average user was aware that data controller used the data collected for statistical purposes. However, these expectations are directed towards statistics related to the controller’s business. Therefore, the average user did not expect that the controller, as a provider of data protection products, would conduct trend analysis on their data unrelated to the provided services and transfer/sell this data to third parties for their commercial interests.
Additionally, the DPA considered that the information provided to data subject was contradictory and opaque as the users would have to read the Privacy Policy in detail to be aware of transmission of anonymous information. Further, the data subjects were not informed of the purpose of the processing nor the legal basis of such processing. As a result, the DPA found a violation of Article 13(1)(c) GDPR.
The DPA noted that the internal identifiers of users were also processed for the purpose of trend analysis as stated in the Product Privacy Policy of the controller. Although the controller transmitted data to Jumpshot, INC. from which it removed some identifiers (but not the internal identifier), the transmitted data cannot be considered completely anonymous. Consequently, the recipients on this data had the possibility to re-identify the data subjects. On this point, the DPA concluded that the controller merely repeated that the data was anonymized without demonstrating that anonymization carried out resulted in anonymous data.
Moreover, the DPA stated that the controller did not carry out the balancing test properly, namely the assessment whether the processing is necessary and whether the legitimate interest of the controller overrides the legitimate interest of the data subjects. Since the internet browser users can be re-identified, their privacy can be significantly infringed. More importantly, the DPA stressed that it was not clearly specified for what purpose and with whom data shared. The users purchased the antivirus software to protect their data and, therefore, did not expect the processing might affect their privacy.
The DPA considered the controller’s argument on the content of the contract expedient. The controller was obliged to specify the subject matter of the processing regardless of the fact that in reality the controller considered anonymous data in the broader sense.
The DPA can did not accept the argument that the controller did not know what they were suspected of. If that were the case, the DPA stated that the controller could have raised this objection immediately after the proceedings were initiated or at any time during the proceedings before the DPA of first instance.
Regarding the violation of procedural rights in the One Stop Shop procedure, the DPA argued that neither Czech law nor GDPR provide for a procedural right of the party to the proceedings to comment on the draft decision before it is issued within the meaning of Article 60(7) GDPR, nor for the right to otherwise participate in this deliberation of the supervisory authorities. Otherwise, there could be an irresolvable procedural deadlocks.
The Appellate Body explained that the principle of ne bis in idem cannot be invoked as the previous decision focused on the compliance of the controller with the obligations under Article 5(2) and 24(1) GDPR. That decision did not prevent the continuation of offense proceedings initiated separately.
Users were thus misinformed by Avast about the transmission of anonymous data for the purpose of trend analysis. It was shown in the proceedings that the data transmitted from individual antivirus software installations was not anonymised, as the transmitted data could re-identify at least some of the data subjects.
Regarding the fine imposed, the DPA said that they did not deal wth similar processing of personal data in the past. The case is unprecedented in the way of data processing, its scope, number of data subjects and possible impact on their rights. Therefore, the DPA imposed a record fine of CZK 351 million (€13,9 milion) for a failure to sufficiently inform the data subjects about the purpose of the treatment for which they were intended as per Article 13 GDPR and for processing in violation of Article 6(1) GDPR, as the controller lacked a valid legal basis.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Czech original. Please refer to the Czech original for more details.
OFFICE FOR THE PROTECTION OF PERSONAL DATA
Lt. Col. Sochora 27, 170 00 Prague 7 *UOOUX00GT7J2*
tel.: 234 665 111
posta@uoou.gov.cz, uoou.gov.cz
Ref/ UOOU-01025/20-121
DECISION
The Chairman of the Office for the Protection of Personal Data as an appellate body competent under
provisions of § 152 paragraph 2 of Act No. 500/2004 Coll., Administrative Code, decided according to the provisions of § 152
paragraph 6 letter b) of Act No. 500/2004 Coll., Administrative Code, as follows.
Dissolution of the accused, company
against the decision of the Office for Personal Data Protection ref/ UOOU-
01025/20-94 of March 14, 2022, is rejected and the contested decision is specified in
in the sense that in the statement I/the contested decision the title "expansion of Internet browsers"
adds the text "(in the scope of pseudonymised data relating to browsing history
of the Internet, corresponding to approximately 100,000,000 users)", in the rest the attacked
confirms the decision.
Justification
I. Definition of the matter
[1] Proceedings for suspicion of committing an offense according to § 62 paragraph 1 letter b) and c) of the Act
No. 110/2019 Coll., on the processing of personal data, in connection with the transfer of personal data
about users of the anti-virus program or its extension of internet browsers
(hereinafter also referred to as "antivirus program, especially data on user behavior during use
personal computer and the Internet, to another administrator according to Article 4 point 7 of the European Regulation
of the Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons
in connection with the processing of personal data and the free movement of such data and cancellation
Directive 95/46/EC (hereinafter referred to as "Regulation (EU) 2016/679" or "GDPR") without legal title
and in connection with the violation of the information obligation according to Article 13 paragraph 1 of Regulation (EU)
2016/679, was initiated by the notification of the Office for the Protection of Personal Data (hereinafter referred to as the "Office"),
which was accused, the company
(hereinafter referred to as "the accused"), delivered on February 27, 2020. The basis for
the initiation of proceedings was file material collected by the Office on the basis of an initiative delivered
1/57 of the Office on February 22, 2020 and further the documents collected as part of the inspection of the UOOU-
07166/18 conducted by the inspector of the Office of the Judge JUDr/ Jiřina Rippelová with the accused on
July 2, 2018 to March 19, 2019, terminated by the handling of objections by the Chairperson of the Office
ref/ UOOU-07166/18-53 of June 4, 2019, and file no./ stamp/ UOOU-01733/19, within
which was dealt with outside the administrative procedure by the acceptance of corrective measures by the accused.
[2] By decision no./ UOOU-01025/20-94 of 14/ March 2022 (hereinafter referred to as "challenged
decision"), the accused was found guilty of committing offenses under Section 62, paragraph 1
letters a) and b) of Act No. 110/2019 Coll., which she should have committed by being the administrator of personal
data transmitted personal data of users of the antivirus program and its extensions
the company's internet browsers
, for the purpose of creating a statistical analysis of trends, although it is not for this processing
did not prove a legal title in the sense of Article 6 paragraph 1 of Regulation (EU) 2016/679, at least
from an unspecified day in April 2019 to an unspecified day in July 2019, i.e. at least after
for a period of two full calendar months, and further by the fact that in connection with the transfer of personal
of the company's data as the controller of personal data at the time of obtaining the personal data
insufficiently informed the data subjects about the processing purposes for which the personal data are
intended, and the legal basis for processing, also for at least the entire period
two calendar months. She was fined for the said criminal act
351,000/000 CZK and also the obligation to pay costs of proceedings in the amount of 1/000 CZK.
[3] The contested decision was delivered to the accused on March 24, 2022 and on April 5
2022, the accused, through her legal representative, filed a blank declaration, which on
11/ May 2022 she added.
[4] The appellate authority, by letter no. UOOU-01025/20-113 dated November 13, 2023, gave
accused in the sense of § 36 paragraph 3 of Act No. 500/2004 Coll.
decision on dissolution/ At the same time, he informed the accused of his preliminary findings in the proceedings
on dissolution (hereinafter referred to as "Preliminary Findings") and invited her to express her opinion on the proceedings in
pursuant to § 36 paragraph 2 of Act No. 500/2004 Coll. To comment, the accused were called by resolution no./UOOU-
01025/20-114 of November 13, 2023 set deadline until December 4, 2023/ Appellate body
at the same time, he invited the accused to submit any justified objections within the same period
biases of members of the decomposition committee/
[5] On December 4, 2023, the Office received the opinion of the accused regarding the documents for
issuance of a decision on dissolution/ Within this opinion, the accused reserved the right to supplement
her statements and proposed evidence later/ Subsequently, on 21/ December 2023, the accused sent the Office
her supplementary opinion/ In both mentioned opinions, the accused stated that she "reserves
the right to file an objection of bias against any of the members of the dissolution committee after it has been
appointed by the Chairman of the Office and the company will be properly informed about it"/
[6] The Appellate Body submitted on March 8, 2024, in accordance with international cooperation
with Article 60 paragraph 3 of Regulation (EU) 2016/679 draft decision on dissolution to other concerned
to the supervisory authorities to comment on it/ However, none of the supervisory authorities raised a complaint
a relevant and justified objection to the submitted draft decision in the sense of Article 60
paragraph 4 of Regulation (EU) 2016/679 and in accordance with Article 60 paragraph 6 of Regulation (EU) 2016/679 should therefore
for agreeing with the draft decision/
2/57 II. Content of the breakdown and assessment by the second-level authority
[7] For clarity and to ensure the consistency of the decision, the appellate body dealt with it
by individual objections according to the division chosen by the accused and this concept to a large extent
will retain even within the framework of their settlement/
[8] Regarding the change in the statement of the decision, the appellate body states that (in accordance with the jurisprudence;
cf. e.g. the judgment of the Regional Court in Brno No. 30 !f 42/2014-71 of 20 June 2016,
approved by the Supreme Administrative Court by judgment no. 5 !s 173/2016-24 of April 3
2017 and by resolution of the Constitutional Court no. stamp/ III/ ÚS 1796/17 of 20/ June 2017) only
specified the description of the act committed by the accused/ This is only a formal change,
because it is still the same act, the description of which has been concretized, not actually changed or
expanded/
IIa. Procedural procedure in the matter
A. Nature and Grounds of Charge
[9] In the analysis, the accused primarily objects to the procedural defects of the proceedings/ The accused stated that the Office
during the entire trial, he did not explain in detail what he blames on her, thereby violating Article 6, paragraph 3
letter a) of the Convention, according to which "everyone accused of a criminal offense" has the right "to be
immediately and in a language they understand, familiarize themselves in detail with the nature and grounds of the accusation against them
to him"/ As a result of this misconduct, the accused allegedly could not properly exercise her rights
defence, i.e. she could not comment on the matter in a qualified manner, propose evidence to prove her
innocence or denial of statements and others/ The accused refers to the judgment of the Municipal Court in Prague
čj/ 10 !f 38/2017-50 of November 14, 2019, according to which "Only vague and informal
awareness of the existence of the accusation is not sufficient (see the judgment of 12/10/1992 in the case of T/ v.
Italy, complaint no. 14104/88, § 28)/ The reason for the accusation is then understood to be the act that was
committed by the accused and on which the charge is based. The nature of the accusation is a legal qualification
of this act (see the judgment of 25/7/2000 in the case of Mattoccia v. Italy, complaint
No. 23969/94, § 59)"/ Furthermore, the accused stated that the Notice of Commencement of Proceedings dated 27/ February
2020 i Memorandum on clarification of the legal qualification of the deed dated January 3, 2022 with reasons
and the nature of the accusation is only addressed in part of one sentence/ More information about the accusation is about the accused
did not receive even at the oral hearing on 28/ May 2020/ Only from the contested decision
the accused found out that she was processing personal data, that the subject of the proceedings was a specific case
alleged transfer of personal data to the company in the period between April
and July 2019, why the Office believes that the secondary purpose of processing was not compatible
with the primary purpose why, according to the Office, the data was not transferred to the company for
the purpose of the statistical activity, why the Office believes that the accused did not have a legal title
legitimate interest and what criteria the Office will take into account when imposing a sentence/ In addition
the accused further stated that the Office defined the subject of the proceedings so broadly and vaguely that she was not able
prepare your defense and assess which documents are in its favor or against it,
whereas, according to the accused, this procedural defect had an effect on the legality of the contested decision/
[10] Administrative body of the first instance in the Notice of initiation of proceedings on February 27, 2020 (hereinafter
only "Notice of initiation of proceedings") notified the accused of the initiation of proceedings on the offense "of suspicion
1
Communication No. 209/1992 Coll. of the Federal Ministry of Foreign Affairs on the negotiation of the Convention on the Protection of Human Rights
and fundamental freedoms and the Protocols following this Convention (hereinafter referred to as the "Convention")/
3/57 from the commission of an offense pursuant to § 62 paragraph 1 letter b) of Act No. 110/2019 Coll. in connection with
by collecting and transmitting data about the users of the antivirus program, respectively
extension of internet browsers (add-ons), especially data on their behavior during use
personal computer and the Internet, to third parties for the purpose of profit, although it was not intended for this
conduct transparently granted consent from the data subjects, thereby breaching the obligation
established in Article 5 paragraph 1 letter a) of Regulation (EU) 2016/679, also for suspicion of committing
offense according to § 62 paragraph 1 letter c) of Act No. 110/2019 Coll. in connection with non-compliance
information obligations towards users who have installed an anti-virus on their device
program or Internet browser extensions (add-ons), which should be infringed
obligation set out in Article 13 of Regulation (EU) 2016/679"/
[11] Furthermore, the administrative body of the first instance informed the accused in the Notice of the initiation of proceedings that
"[p\pending the initiation of this procedure is expert information and assessment from the public
available sources and statements of the company, which are part of the file
of the material of this proceeding"/ At the same time, the administrative body of the first instance invited the accused
"to submit cooperation agreements and transfer of data concluded between companies
and , respectively/ to submit the wording of consents to
by processing personal data provided to share data obtained from the device
with an installed anti-virus program valid in the months of April 2019 and December 2019,
both for the free version and for the paid version of the program, including the method of obtaining it-
to submit the wording of information on the processing of personal data according to Article 13 of Regulation (EU) 2016/679,
for the months of April 2019 and December 2019
2019- to communicate information about numerical designations of Internet browser extensions (plug-ins)
in 2019 and the dates of their release- to communicate the content of the information that the expansion of the Internet
of browsers (add-ons) in the month of April 2019 and in December 2019 sent outside the sphere of devices
user"/From the above, it is clear that the administrative body of the first degree of reasons and nature
he devoted more than just "part of one sentence" to the allegations in the Notice of Initiation, as he states
accused. According to the appeal body, the information contained in the Notice of Initiation of Proceedings is necessary
perceived as a whole and with regard to the wider context of the whole thing.
[12] In addition, the appellate authority states that the administrative proceedings against the accused were initiated on the basis of
initiative received by the Office on 22 February 2020 and information published in the media (official
record no./ UOOU-01025/20-3 dated 27/ February 2020)/
Administrative
of the file were inserted between February 10 and February 20, 2020 (official record dated February 27, 2020)
information from publicly available sources regarding the transfer of data to the accused company
As can be seen from the administrative file, accused several times during the administrative proceedings
used her right to view the letter/On the specific day 2/March 2020 (viewing record
dosupučj/UOOU-01025/20-6) with the contents of the administrative file reported by the protection officer
personal data of the accused, to whom copies were issued in accordance with § 38 paragraph 4 of the Administrative Code
in writing from the file material, namely an anonymous complaint dated February 22, 2020 (ref. UOOU-
2
4/5701025/20-1) containing information on "the company's case and two official records from
February 27, 2020 (ref. UOOU-01025/20-2 and ref. UOOU-01025/20-3).
[13] It follows from the protocol of the oral hearing No. UOOU-01025/20-22 dated May 28, 2020,
that the reason for the accused's request for an oral hearing with the administrative body was mainly clarification
procedural pages matters in relation to the inspection that the Office carried out on the accused in 2019, i.e.
not clarification of the subject of the proceedings/ Furthermore, it follows from the protocol of the oral hearing that the accused
commented on the content of media articles (She considers information from media articles to be speculation and is
convinced that the processing of personal data by the accused company was carried out on
on the basis of a sufficient legal title, and the data transferred to third parties has already been anonymized
without the possibility of identifying the data subjects/" and, for example, the fact that she was asked to document the reasons
for the termination of the company's activities. From the subsequent statement of the accused dated
June 29, 2020, also from her other statements (in particular, opinion No. UOOU-01025/20-11 dated
April 14, 2020, protocol on the oral hearing and inspection of the file ref/ UOOU-01025/20-22
of May 28, 2020, opinion No. UOOU-01025/20-25 of June 29, 2020, submission
ref/ UOOU-01025/20-63 dated April 29, 2021, statement ref/ UOOU-01025/20-72 dated
May 31, 2021, statement No. UOOU-01025/20-93 dated February 23, 2022) according to the appeal
authority, one can hardly come to the conclusion that the accused does not know what she is suspected of/
[14] If the accused in the breakdown (point 29) states that during the administrative proceedings on the offense
conducted by the administrative body of the first instance "she did not know what deed the proceedings here were about",
could raise this objection immediately after the start of the proceedings or at any time during the proceedings before
administrative body of the first instance/ However, the accused did not do that, on the contrary in her opinion
dated April 14, 2020 stated that "[p\osure the Office would come to the conclusion that the company
has committed the offenses of which it is accused, the company emphasizes that it has stopped processing
data for the purposes of statistical trend analysis even before the initiation of this procedure, with immediate effect
effective from 30/ January 2020"/
[15] Based on the above, the appellate authority has no doubt that the accused knew
for what act (reason for accusation) the administrative proceedings are being conducted/ The administrative proceedings in question were
initiated following a major media scandal (which took place at the turn of 2019
and 2020), in which a number of media reported (cf. official record no. UOOU-01025/20-3 dated
27/ February 2020) on the transfer of data to the accused company, while this information
they are part of the administrative file with which the accused has repeatedly familiarized himself/within the Notification
on the initiation of the proceedings, she was accused of being called upon to submit a contract of cooperation and handover
date of closing with the company All communications from April 14, 2020 by accused
She informed the Office that there had been "the dissolution of the company and the termination of its activity"/ Appeals
the body thus came to the conclusion that it is not possible to accept the accused's argument that only from the attacked
decision learned that the subject of the proceedings is a specific case of transfer of personal data
On the contrary, according to the appeal body, the accused was informed in detail
with the nature of the charges against her, the act itself would not be detailed in the Notice of Commencement
proceedings/According to the appellate body, the accused was the subject of the proceedings sufficiently known for his defence
she could properly prepare/ !rgumentation of the accused, taken ad absurdum, would in her
as a result meant that the outcome of the administrative procedure should be clear already at the beginning, with which
the accused should be introduced/ However, the right to a defense cannot and is not interpreted in such a broad way
so conceived. The appellate authority adds that the accused is a large multinational
the company, which was represented by a lawyer during the entire administrative procedure, is therefore not possible
infer that she would not know how to exercise her procedural rights/
5/57 [16] Regarding the defendant's objection that she learned about the time limit only from the contested decision
deed, the appellate authority states that in the Notice of Initiation of Proceedings the accused was called out
other to present the wording of consent to share data obtained from the device with the installed
by the defendant's anti-virus program, valid for the months of April 2019 and December 2019,
to submit the wording of information on the processing of personal data according to Article 13 of Regulation (EU) 2016/679
for the months of April 2019 and December 2019, and to communicate the content of the information which extension
of Internet browsers (add-ons) in the month of April 2019 and in December 2019 sent outside the sphere
the user's device/ According to the appellate authority, it is clear from the Notice of Initiation of Proceedings that
the suspicion of committing offenses related to the period from April to December 2019/
Based on the information found during the administrative proceedings, this period was shortened
and the accused was found guilty of committing offenses in the period from
from an unknown day in April 2019 to an unknown day in July 2019/Time limitation of the deed
in the statement of the contested decision could not, according to the appellate body, be for the accused
surprising (even though the period was different from that resulting from the Notice of Initiation of Proceedings
abbreviated) and according to the appellate authority, this procedure did not interfere with the right of the accused
in her defense/The accused, according to the appellate body, was informed of the reasons for the accusation,
i.e. by the act that the accused was allowed to commit/
the first instance was a so-called "investigative fishing expedition", the appeals body considers
on the basis of the above as unfounded/
[17] Likewise, according to the appellate body, the accused was informed of the nature of the accusation,
they are not in the Notice of Initiation of Proceedings, the accused was informed that she is suspected of having committed a crime
offenses according to Section 62 paragraph 1 letter b) and Section 62 paragraph 1 letter c) of Act No. 110/2019 Coll., which
the administrator or processor commits by violating any of the basic principles for
processing of personal data according to Articles 5 to 7 or 9, or violates some of the subject's rights
of data according to Articles 12 to 22 of Regulation (EU) 2016/679, as it should have violated the established obligations
in Article 5 paragraph 1 letter a) and in Article 13 of Regulation (EU) 2016/679/ In the Memorandum on Clarification of Legal
qualification of the act dated January 3, 2022, the accused was informed that she was suspected of committing
offenses according to Section 62 paragraph 1 letter b) and Section 62 paragraph 1 letter c) of Act No. 110/2019 Coll., since
should have violated the obligations set out in Article 6 paragraph 1 and Article 13 paragraph 1 letter c) of Regulation (EU)
2016/679.
[18] To another argument of the accused, that “insufficient communication of the accusation then the company
harmed also by limiting her right to respect the prohibition against self-incrimination",
the appellate body, in addition to the above, states that the legal principle nemo tenetur se
ipsum accusare (no one is bound to accuse himself) should be seen as a prohibition
coercion to self-incrimination/ However, the accused does not claim that she was in any way self-incriminating
forced.
[19] Regarding the principle of prohibition of self-incrimination, the appellate authority already in the call for submissions
document addressed to the accused (ref. UOOU-01025/20-105 dated January 9, 2023) referred to
judgment of the Supreme Administrative Court of August 11, 2015, No. j/ 6 !s 159/2014 – 52, in which
the court stated the following. “The Limits of the Prohibition of Self-Incrimination in Relation to the Provision of Information
legal entities in administrative offense proceedings, the Tribunal (formerly the Court of
first instance) and the Court of Justice of the European Union (formerly the European Court of Justice)/ Referenced
jurisprudence and concerns the protection of economic competition, however, conclusions and applications of the stated principles are possible
can also be used for the broader legal area of administrative punishment/ With a certain degree of generalization, it follows from the relevant
jurisprudence, in particular the judgment of the Court of Justice of 18/10/1989, Orkem v. Commission (374/87,
6/57 Recueil) and the judgment of the General Court of 20/2/2001, Mannesmannröhren-Werke AG v Commission
(T112/98), that the authority seeks and under the threat of sanctions is authorized to oblige the participant in the proceedings who,
to provide all the necessary information relating to the factual situation that is available to him
known, and to hand over to him any relevant documents that he has at his disposal, even when
they can serve to prove wrongdoing against himself or against another
Granting the absolute right to remain silent would exceed the limits of what is necessary
to preserve the right of defence, and would represent an unjustified obstacle to performance
supervisory powers. In relation to self-incrimination, the Tribunal formulated an important conclusion.
"Obligation to answer purely factual questions posed by the Commission and comply with its requests
on the submission of pre-existing documents cannot lead to a violation of the principle of compliance
defense rights or due process rights/ For nothing prevents the addressee from
in the further course of the administrative proceedings or during the proceedings before the Community Court he proved,
thus exercising his right of defense that the facts described in his answers or
the submitted documents have a different meaning than the one attributed to them by the Commission/" Mere summons of the administrative
the cooperation body cannot be considered a victim of self-incrimination/Similarly according to the appellant
the authority cannot consider a violation of the aforementioned principle if the party to the proceedings voluntarily
presents evidence that will eventually be used against him/
[20] The Constitutional Court also commented on the violation of the ban on self-incrimination, which in its resolution
sp. stamp II. ÚS 4117/19 of April 28, 2020 stated that "by simply requesting the necessary
information relating to the reviewed facts could not have been violated
of the prohibition against self-incrimination, or it was only a matter of presenting the records that the complainant was
required by law to register/ The prohibition against self-incrimination cannot be interpreted in such a way that it is factual
prevented from exercising the supervisory authority of the capital market regulator, which is with regard to
the sophistication and amount of ongoing transactions on the capital market justified by strong
public interest"/ In this context, the appellate body recalls that respect for privacy
and the right to personal data protection is guaranteed by the Charter of Fundamental Rights of the European Union (Articles 7 and 8),
which explicitly raises the level of this protection to the level of a fundamental right in European law
union.
[21] Pursuant to § 68 paragraph 3 of the Administrative Code, the reasons for the statement shall be stated in the justification of the decision
or statements of the decision, the basis for its issuance, considerations by which the administrative body was guided by
their evaluation and in the interpretation of legal regulations, and information on how the administrative body
dealt with the proposals and objections of the participants and their comments on the basis of the decision/
Assessment of whether personal data was processed, the purpose of the processing or whether the accused
processed personal data on the basis of a valid legal title, is an immanent part
decision/ According to the appellate body, the administrative body of the first instance was not bound by the accused
inform in advance how he intends to decide on the matter and how he will assess the matter, are they not these
considerations and legal assessments are part of the decision, not the notification of the initiation of administrative proceedings
proceedings/The accused thus confuses the necessity of identification of the act and its preliminary legal qualification
with the justification of the decision/ The Appellate Body therefore states that the accused was in compliance
with the jurisprudence to which she refers, acquainted with the nature and reason of the accusation against her and could
i.e. fully exercise their procedural rights/
[22] Regarding another argument of the accused, that she only learned from the contested decision what kind
criteria will be taken into account by the Office when imposing the penalty, the appellate authority states that the Office is obliged
when imposing administrative penalties, proceed in accordance with the legal order, in the case under consideration
i.e. in particular in accordance with Regulation (EU) 2016/679 and Act No. 250/2016 Coll.,
7/57 on responsibility for misdemeanors and their proceedings/ However, the administrative authority is not obliged to the accused before
by issuing a decision on the matter, communicate how the individual criteria will be assessed/
[23] The accused further stated in her statement that the Office's misconduct (failure to familiarize herself with the nature
and the reason for the accusation) was not a mere procedural oversight, not the Office in the resolution
No. UOOU-01025/20-43 of January 22, 2021 stated that it is "undesirable that the company
knew the factual and legal considerations of the Authority already before issuing the decision, if they were to ensure a stronger
argumentative position within the proceedings itself"/
[24] The Authority stated in the above resolution. The administrative body further adds that the opinions
of the supervisory authorities in question clearly do not have the character of a binding opinion within the meaning of § 149 par.
1 of the Administrative Code/ At the same time, it is not even a "statement that is the basis of the administrative decision
authority", or it occurs only subsequently, after the draft decision itself has been processed (by
the preparation of the decision can only be started when all the documents have been collected)/ Hereby
the interpretation also ensures the equality of the participants in the individual proceedings/ It would be contrary to this
principle, if the parties to the proceedings, in which the procedure is carried out according to Article 60 of Regulation (EU) 2016/679, had
privileged access to the factual and legal considerations of the administrative body of the first instance
and the supervisory authorities concerned and (through them or directly) to the wording of the draft decision/ That would them
provided a significantly stronger argumentative position even before the decision was issued compared to the participants
common/ The cross-border aspect of the case does not justify the fundamentally different position of the parties to the proceedings
in relation to the information about the proposal". The accused concluded this conclusion, according to the appellate body, entirely on purpose
takes it out of context, since so many international relations were mentioned in the resolution in question
procedure according to Article 60 of Regulation (EU) 2016/679, certainly not in relation to the entire procedure, which
it is clear from the resolution in question/ The accused was not allowed to familiarize himself with the proposal
a decision that has been submitted to other supervisory authorities, however, in cases where
The Office makes decisions without this international procedure, draft decisions to the participants in the proceedings
they are also not presented by default (such an obligation from any legal regulation
does not follow)/ If the Office were to submit draft decisions only to the parties to the proceedings in which it is
processed according to Article 60 of Regulation (EU) 2016/679, i.e. in cases of cross-border processing
carried out by the administrator, for which the draft decision is presented to the other parties concerned
to the supervisory authorities for comment, next to the paradoxical situation: in cases that are typical
more serious (they affect data subjects from different member states of the European Union), would be the situation
of the parties to the proceedings is significantly stronger than in proceedings in which the procedure is based only on the national
legislation/ As an obiter dictum, the appellate authority states that it is currently on the European
level, a proposal for a regulation of the European Parliament and the Council, which establishes another, is being discussed
procedural rules relating to the enforcement of Regulation (EU) 2016/679 - the said proposal is dedicated to/
and on the question of access to the administrative register, and to Chapter IV., in which it is specifically stated in Article 19 Paragraph 3:
"The right of access to the administrative file does not extend to correspondence and exchange of views between
by the leading supervisory authority and the concerned supervisory authorities/ Information exchanged between
supervisory authorities for the purpose of investigating individual cases are internal documents
and are not accessible to the investigated parties or the complainant."
3
European Commission document COM(2023) 348 final, 11657/23.
8/57 B. Participation in administrative proceedings/international procedure
[25] The accused considers another procedural defect to be the fact that the sheep "were decided in a proceeding whose
she could not participate". She added that only within the framework of the pre-administrative body of the first instance
in fact, there were two parallel proceedings, namely proceedings before the Office and proceedings within the framework
international cooperation, which lasted for a considerably longer period of time and actually in it according to the accused
the case was decided/Proceedings within the framework of international cooperation and the accused could not participate,
she did not have access to the documents, her statement was not submitted in this proceeding and that was the point
decided in her absence/ The accused further stated that there is no applicable legal regulation
does not allow the division of the proceedings, therefore it considers such a procedural procedure inadmissible/ Procedure
according to Article 60 of Regulation (EU) 2016/679, according to the accused, it is still part of the national proceedings
and procedurally, with the exception of issues specifically regulated by the mentioned regulation, it is governed by the national one
procedural law/ Only when the situation foreseen in Article 65 of Regulation (EU) 2016/679 occurs, is
according to the accused, further proceedings were initiated before the European Board for the Protection of Personal Data
(hereinafter also "Board" or "EDPB")/ However, even in proceedings before the Board, the accused would have standing
participant and would have full rights of defense/
[26] The accused further stated in the deposition that the Office unlawfully denied her access to the key
part of the administrative file when he did not allow her to view documents from international cooperation,
which he justified by the fact that the statements of other supervisory authorities do not constitute binding opinions,
and therefore the accused should not have access to them/ Documents from international cooperation are related
to the matter, while the administrative file consists of all documents relating to the same matter/Opinions of outsiders
supervisory authorities, according to the accused, had a fundamental influence on the contested decision, or the process
international cooperation lasted longer than the procedure itself and was reworked in the course of it
of the draft decision/ The accused does not agree with the Office's conclusions stated in the decision on dissolution
ref/ UOOU-01025/20-82 of 30/ August 2021 against the resolution of the Office, which was not complied with
the accused's request for access to the part of the file related to the cooperation mechanism pursuant to Article 60
Regulation (EU) 2016/679, since, according to the accused, it cannot be inferred from the Instructions of the Board No. 3/2021 that
she should have had the right to inspect the file only after the proceedings before the Board have started/ The accused also
you do not agree that the procedure within the framework of international cooperation should be the procedure of the European Union
administrative board, since the procedure according to Article 60 of Regulation (EU) 2016/679 is part of the national procedure,
only after the case is referred to the Board in accordance with Article 65 of Regulation (EU) 2016/679, is it started
new proceedings/ In this context, the accused refers to the Board's Instructions 2/2022, in which
stated that "where EU law does not provide specific procedural rules, national ones apply
procedural law/In these cases, the principle of national procedural autonomy usually applies, which
by the general principle of EU law"/According to the defendants themselves, the Authority recognizes that the document is international
cooperation relate to the matter under consideration and that he took them into account when extraditing the accused
decision, therefore, the accused should have been made available, so as not to interfere with her rights to
4 The appellate body at this point considers it necessary to emphasize that the procedure according to Article 60 of Regulation (EU) 2016/679
is not a procedure, but a procedure of international cooperation between supervisory authorities/
5 Instructions 03/2021 for the application of Article 65(1)(a)GDPR (version 2.0) adopted on 24/May 2023, available in English
version at: https://edpb.europa.eu/system/files/2023-06/edpb_guidelines_202103_article65-1-a_v2_en.pdf.
6 Instructions 02/2022 for the application of Article 60 GDPR adopted on March 14, 2022, Czech version available at
https://edpb.europa.eu/system/files/2022-
10/guidelines_202202_on_the_application_of_article_60_gdpr_en.pdf
9/57 defense. Furthermore, the accused objected to inconsistency in the Office's procedure, or in the control procedure
documents from international cooperation were made available to her/
[27] The accused considers the Office's decision on the matter to be another violation of her procedural rights
in proceedings within the framework of international cooperation, in which it could not participate, while this procedure
is contrary to Article 38 paragraph 2 of the Charter of Fundamental Rights and Freedoms (Act No. 2/1993 Coll., hereinafter
"Charter"), according to which everyone has "the right to have his case heard in public, without
unnecessary delays and in his presence and to be able to comment on everything being done
to the evidence"/ According to the accused, the aforementioned article of the Charter is also used in administrative proceedings, and thus
rather in administrative proceedings of a punitive nature/ According to the accused, the Office must ensure that even in the case
proceedings according to Article 60 of Regulation (EU) 2016/679, all rights of the accused to defend themselves remained
preserved/ According to the accused, the Office had (beyond the scope of the inspection of the file described above)
convey her statement and argumentation to foreign supervisory authorities, and allow her to express herself
to the opinions of other supervisory authorities/ The accused explicitly requested the Office (e.g./ in her
statement on 31/May 2021) to share its statement with other supervisory authorities, however
The office did not inform her about this procedure, therefore the accused believes that it did not do so/ Likewise
the Office should have allowed the accused to comment on the objections of other supervisory authorities, which is administrative
the first-instance authority refused in the contested decision, stating that there would be an "unresolvable
procedural loop", which, however, according to the accused, cannot occur/Moreover, there is no possibility to react
the objections of the supervisory authorities are, according to the accused, explicitly stated in the Instructions of the Corps No. 2/2022
to the application of Article 60 of the GDPR (hereinafter referred to as "Instructions No. 2/2022").
[28] To deny access to records from the cooperation mechanism pursuant to Article 60 of the Regulation
(EU)2016/679, the appeals body states that the Office has already made a final decision on this by resolution ref.
UOOU-01025/20-61 of April 23, 2021, and subsequently by decision No. UOOU-01025/20-82
dated August 30, 2021, by which the appeal against the aforementioned resolution was rejected; on both
the said decisions and their justification are hereby referred to by the Appellate Body/ Appellate Body
emphasizes that the Office, in accordance with Article 60 paragraph 3 of Regulation (EU) 2016/679, submitted to others
draft decision to the supervisory authorities concerned, so that they can comment on it, while this draft
the decision was drawn up by the administrative body of the first instance only after they had been collected
all documents of the decision with which the accused was informed and could comment on them/
From the procedure itself according to Article 60 of Regulation (EU) 2016/679 and according to the appeal body
no new documents were created (and could not be created from possible objections or comments).
for issuing a decision, since all the documents were collected before the formulation of the proposal
decision/ Cooperation of supervisory authorities according to Article 60 of Regulation (EU) 2016/679 does not have in the Czech
similar to the legal order/ It can best be compared to deliberation (in the sense of consideration directed
to reach a consensus), within which the other supervisory authorities concerned have the opportunity to comment
to the submitted proposal/ Other supervisory authorities, however, are not in the position of so-called affected parties
bodies (universal §136 of the Legislature/ 500/2004 Coll.) defending their own interests (ev/particular
public interest), whose opinion the decision-making body (in this case the Office) would consider among
proceedings documents/ In other words, the other supervisory authorities are not the ones who would defend their interests
competing with the interests of the party to the proceedings/ National supervisory authorities protect the public interest, which is
in particular the protection of personal data, therefore it is impossible to talk about competition with the interests of the party to the proceedings/
Neither the Czech legal code nor Regulation (EU) 2016/679 recognize the procedural right of a party to the proceedings to express
to the draft decision before this decision is issued in the sense of Article 60 paragraph 7 of the Regulation
(EU) 2016/679, nor the right to otherwise participate in this deliberation of the supervisory authorities/ If, however,
the lead supervisory authority and the supervisory authorities concerned within the said international procedure
did not reach a unified opinion, Article 65 of Regulation (EU) 2016/679 regulates the procedure when it is disputed
10/57 question referred to the Board/In this proceeding, the participant in the proceedings before the Board has the right to be heard
and comment on the documents of the proceedings/Procedure according to Article/65 of Regulation (EU) 2016/679 (to which in this
if it did not happen) however, according to the appeal body, it is necessary to differ from the procedure according to Article 60 of this
ordinance/
[29] In the event that, during the procedure according to Article 60 of Regulation (EU) 2016/679,
shortcomings of the administrative procedure carried out by the leading supervisory authority (e.g. it would be
additional proof is required, or the deed should be qualified differently), manager
the supervisory authority would continue with the proceedings (in this case, according to Legislative Decree/500/2004 Sb/, or
of Act No. 250/2016 Coll.), when the space for the implementation of his
the right to be heard and comment on the basis of the decision/ !nor on this procedural development, however
it did not happen after the deliberation/ The decision of the administrative body of the first instance was so
issued on the basis of documents collected as part of the administrative proceedings with which the accused had
the opportunity to get to know and comment on them/ Her procedural rights thus according to the appellate body
was not affected in any way/
[30] For completeness, the appellate body adds that the procedure according to Article 60 of Regulation (EU) 2016/679
was initiated for the first time as part of the administrative procedure in question already on August 31, 2020, however
have not been completed in the manner envisaged by the said regulation, they are not on the side
of the first-level administrative body itself, doubts arose as to whether it was before drafting
of the draft decision, the accused was given sufficient space to comment on the basis of the decision
in the sense of § 36 paragraph 3 of Act No. 500/2004 Coll. Administrative body of the first instance therefore in this
did not continue with the procedure, so it could not have any legal effects, provided for in Article 60
paragraph 6 sentence of the last Regulation (EU) 2016/679, towards the administrative body, the less the effects towards
accused/ Only after the procedure according to Act No. 250/2016 Coll., respectively
No. 500/2004 Coll., in the framework of which the accused was given room for the standard application of all
procedural rights, on October 31, 2021, the procedure was initiated according to Article 60, paragraph 3 of Regulation (EU)
2016/679, by submitting a draft decision to the supervisory authorities concerned/ This procedure
it ended consensually, that is, no question arose from it that was between the leader
by the supervisory authority and the supervisory authorities concerned is questionable and should be referred
to the decision of the Board pursuant to Article 65 paragraph 1 letter a) of Regulation (EU) 2016/679. The administrative body of the first
degree therefore continued the proceedings by issuing a decision in accordance with § 67 of Act No. 500/2004 Coll.
[31] For clarification, the appellate authority adds to the above that prematurely initiated
the procedure according to Article 60 paragraph 3 of Regulation (EU) 2016/679, which was terminated without legal
relevant result, cannot establish a procedural defect or the illegality of a decision that arose up to
from the next stage of the given administrative procedure, all the more so since even then the accused was given space
to exercise her procedural rights, and that subsequently the draft decision (drafted on the basis of
documents with which the accused had the opportunity to get acquainted and comment on them) according to the procedure
Article 60 paragraph 3 of Regulation (EU) 2016/679 resubmitted to the supervisory authorities concerned
for deliberation.
[32] In addition to the above, the appellate authority states that during the inspection conducted by an independent
although some documents from international cooperation were accused by the inspector of the Office
made available, however, this occurred in a situation where Regulation (EU) 2016/679 was only effective
briefly and the practice of the Supervisory Authorities regarding the procedure according to Article 60 of this Regulation was not even on
not yet clarified at the level of the Corps/ Due to procedural caution, the controlling accused therefore allowed themselves
familiarize with the contents of the documents/ For several reasons, this was a redundant procedure, above all
the control protocol is not, by definition, a draft decision in the sense of Article 60 paragraph 3 of the Regulation (EU)
11/572016/679, and at the same time it is clear that the mentioned procedure chronologically and legally preceded
to the administrative procedure in question, and thus could not have an influence on its legality/
[33] Regarding the accused's objection that the Office denied her the right to have the matter discussed in her
presence, the appeal body states that the accused clearly perceives the procedure according to Article 60 of the Regulation
(EU) 2016/679 as a form of administrative procedure/ As already mentioned above, deliberation
the head of the supervisory authority and other relevant supervisory authorities is not an application of the provisions
Act No. 500/2004 Coll., respectively, does not have the character of administrative proceedings and takes place only after they have already
procedural rights of the participants in the proceedings implemented/Zákónač/500/2004Sb/, Act No/250/2016Sb/
nor do Regulation (EU) 2016/679 confer any additional procedural rights on the parties to the proceedings,
especially since the elementary logic of a directly applicable general regulation such
the form of participation in the deliberation does not functionally assume or/does not allow/Within the procedure
in accordance with Article 60 of Regulation (EU) 2016/679, the supervisory authorities will familiarize themselves with the draft decision and in its
within the same framework as the previous domestic procedure, they assess this/ The Appellate Body emphasizes, however,
that this happens only at the moment when all the procedural steps in the given administrative procedure have already been carried out
actions before the actual issuance of the decision and its delivery to the parties to the proceedings/
[34] Therefore, if the accused demands "procedural participation" in the deliberation, then
in essence, she demands that the Office prepare a draft decision for her in various stages
procedures according to Article 60 of Regulation (EU) 2016/679 submitted for further comments/ Czech legal
however, neither the regulation of the administrative process nor Regulation (EU) 2016/679 guarantee such a right.
[35] In the decision No. UOOU-01025/20-82 of August 30, 2021, the Office stated that in the case
allowing the accused to comment on the objections of other supervisory authorities could occur
to an "unresolvable procedural cycle"/ In the event that based on the comments of the accused
there was a change in the draft decision, this draft would have to be resubmitted to the others
supervisory authorities/ This procedure could be repeated, taken ad absurdum,
to infinity. In Instructions No. 2/2022 (point 168) it is stated "This does not affect the efforts made to
reaching consensus and the possible obligation of the head of the supervisory authority according to the national
rights to provide the right to be heard again in light of anticipated changes
in the revised draft of the decision, which will have a new impact on the controller or processor"/
The Corps at this point speaks of "possible obligations" under national law, and above all
relates this eventuality only to the "revised draft decision", and that in context
of any novelties that the administrator could not comment on, or were not based on existing ones
proceedings documents/Czech legal code, however, the obligation to inform the party of the proceedings with the proposal
the decision does not stipulate, or does not foresee at all that between developing a concept decision
and by completing it procedurally and formally in the form provided for by law (signature
by an authorized official) there was a time space for (at an opportune moment) inspection
to the file, familiarization with the just established concept of the decision, and for further comments
of the party to the proceedings/ This may appear as a certain externality of the remote written procedure
according to Article 60 of Regulation (EU) 2016/679, according to which a time period of weeks is created,
but only for the reason of communication between authorities that are not physically present in one place
in one moment. In the case of the procedure proposed by the accused, the process cycle is complete
undoubtedly it actually happened, or the accused does not respect that they have the "last word" in the matter
supervisory authorities to the submitted draft decision, not the accused to these opinions
supervisory authorities/
12/57 C. Legitimate Expectations
[36] As another procedural defect, the accused objects to the fact that the Office violated her legitimate expectations,
the same act has already been dealt with by the Office once/ The accused states that together with now
in the ongoing administrative proceedings, the Office conducted an inspection (started on July 2, 2018, file no.
UOOU-07166/18), which concerned, among other things, the transfer of data to the company, which should be
obvious, for example/from the accused's statement of August 1, 2018/According to the accused, the matters overlapped
also in terms of time, since following the inspection the Office decided on 18 September 2020 (official record
ref/ UOOU-01733/19-31) that they will not initiate administrative proceedings, whereas the administrative proceedings currently being conducted were
already started on 27/ February 2020/ The accused further stated that she does not agree with the argument of the administrative
authority of first instance, that the aforementioned official record only related to the development of antivirus
program.
[37] In addition, the appeal body states that the inspection (sp/ zn/ UOOU-07166/18) was started on
2/ July 2018 based on an initiative forwarded by the Dutch supervisory authority
(complaint about not being able to disable preset privacy options in free
version of antivirus software for !pple Mac)/ Its subject was compliance
established by Regulation (EU) 2016/679 in connection with the processing of personal data of users
antivirus software controlled, focusing on the level of protection of user privacy
free versions of antivirus software compared to paying customers/ Review report
ref/ UOOU-07166/18-46 dated 19/ March 2019 transfer of data to the company or
it does not mention the statistical analysis of trends at all, which shows that the control was not focused
to transfer data to the company
[38] As the administrative authority of the first instance already stated in its decision (p. 5 of the contested
decision), the control of the accused was focused on fulfilling the duty of the administrator according to Article 5 paragraph 2
Regulation (EU) 2016/679, i.e. the obligation to document compliance with the administrator's procedures
the basic principles of personal data processing, as well as the fulfillment of obligations pursuant to Article 24 paragraph 1
Regulation (EU) 2016/679, i.e. the administrator's obligations to adopt appropriate technical and organizational measures
measures to ensure and be able to document that the processing is in accordance with the said regulation/
The very fulfillment of the basic principles of personal data processing resulting from Article 5 paragraph 1
Regulation (EU) 2016/679 was not directly addressed by the control/ This conclusion was stated by the way
and the chairperson of the Office in handling objections to inspection findings reference number/ UOOU-07166/18-53
of 4/ June 2019/
[39] It is clear from the official record of September 18, 2020 (ref. UOOU-01733/19-31) that the conclusion
on the non-initiation of remedial measures proceedings is based on the documents listed therein, which
inspected in the meantime submitted/ For example, the Personal Data Processing Policy,
updated in February 2020 (appendix/6 statement of the accused from February 26, 2020, ref/ UOOU-
01733/19-20), or other updated documents, information on data processing for the purpose
they no longer contain trend analyzes or information about the transfer of data to the company/
In the mentioned Principles of personal data processing, it is stated "On the basis of legitimate interests
we will use your personal data for the purpose of./0/third-party analytics, for evaluation and improvement
the performance and quality of our products, services and websites and to understand their trends
use- and for evaluating conversions and success of campaigns"/ From the statement of the accused of the day
August 1, 2018 (no. UOOU-07166/18-12, under letter C) it follows that the accused uses analytical
third party tools provided by the Company
13/57 At the time of issuing the official record documents
presented accused analysis of trends did not contain and the company according to the communication
the accused terminated her activity, if the third-party analysis was mentioned in the official record
parties, was not meant to be an analysis of trends, but an analysis of third parties in the sense cited above
Personal data processing policy.
[40] In the call of the Inspector of the Office No. UOOU-01733/19-5 dated June 12, 2019, it is explicitly
stated that by voluntarily carrying out corrections by inspection of identified deficiencies [inspection
a violation of Article 24(1) of Regulation (EU) 2016/679 was established\can be prevented by administrative proceedings
in the matter of the imposition of measures to correct these deficiencies/ Official record ref/ UOOU-01733/19-31
then it contains a conclusion on the non-initiation of proceedings to impose measures to eliminate the identified deficiencies
(i.e., measures to prevent the recurrence of detected errors in the future)/ Appellate body
in this context, he completely agrees with the considerations of the administrative body of the first instance regarding the different
the nature and function of the control procedure, and its possible follow-up administrative procedure of imposition
remedial measures to verify and/or ensure compliance of actions of controlled persons with
by law (cf. p. 4 of the contested decision), and misdemeanor proceedings, the purpose of which is to determine
whether the act actually happened, whether it is a misdemeanor, who committed it and what kind of punishment it is
possible to impose/ According to the appeal body, the Office could not create a legitimate expectation
accused that if he voluntarily takes remedial action, the offense can be prevented
procedure/ Similarly, the fact that the inspector of the Office decided in September 2020 that on the basis of
of the updated documents submitted by the accused will not initiate the procedure for the imposition of measures
to eliminate the deficiencies found in the inspection, does not mean that the Office cannot continue now
conducted by misdemeanor proceedings (started in February 2020), which refers to the act committed
in 2019. In addition, the appellate authority states that the official record of the Office inspector regarding
the non-initiation of proceedings does not have the nature of an administrative decision, i.e. it does not create an obstacle to the matter decided/
The accused cannot thus invoke the principle of ne bis in idem/
IIb. Substantive assessment
[41] In the statement, the accused stated that she did not hand over personal data to the company, as
it has anonymized all transmitted data so that it can be used for trend analysis, but
at the same time so that the data subjects are not identifiable/ For this purpose, they were removed from the data
direct and indirect identifiers as well as so-called/derivative information that could help
to re-identify specific data subjects/ The accused believes that the administrative authority of the first
degree mistakenly considers the transferred data to be personal data on the basis that (theoretically)
two data sets could be combined and thus the data subjects could be identifiable/
According to the accused, it cannot be argued that every time a data subject can be identified by combining two
data sets, both original data sets will be considered personal data, not certain information
can be personal data for one person, and at the same time one person will be personal data for another
person. If it should apply that personal data represents any information that in connection
with the information available to any other person may lead to the identification of the data subject, meant
would that any information that arose from the processing of originally personal data and which
contains some combination of general properties (although it is anonymized in such a way that
that it no longer concerns a specific person), would practically always constitute personal data/ The accused is
of the opinion that according to the jurisprudence of the Court of Justice, when assessing identifiability
of the data subject, it is necessary to take into account the means that could be used by a third party, however
they must be funds that can reasonably be assumed to be from the administrator or third parties
will use/ According to the accused, it cannot reasonably be assumed that third parties will use the funds legally
14/57 not allowed/ According to the accused, the administrative body of the first instance should have examined not only whether two
the data sets in question exist, but above all whether it was actually reasonably possible
assume that this connection will occur/
[42] The accused subsequently described the anonymization process used in the breakdown in such a way that before
by submitting any data to the Company has removed all identifiers by use
algorithms and methods described in a patent registered in the US! under No. This
the automated process removed, according to the accused, both information directly identifying the data
person (e.g. user name), as well as information identifying the user indirectly (e.g. ID
user), but also information from which identification could potentially be derived
(eg/ a unique combination of certain parameters contained in the URL)/ The accused emphasized that
thus, it was not only a matter of removing direct identifiers, but of overall anonymization
of the data file in question/ Likewise, the complete browsing history was not transmitted
website, as the result of the anonymization process was only a certain fragment
of the total file URL/ The accused further stated that the administrative authority of the first instance se
he did not discuss the anonymization process in detail, and it is therefore not clear how he came to the conclusion that they were
personal data transferred to the company/
[43] Identification of data subjects, or any reverse engineering (among other things, the combination of two
data sets), according to the accused, were in the contractual documents concluded with the company
prohibited, therefore it could not reasonably be assumed/ Likewise such a one would
the activity was in violation of legal regulations, specifically with Regulation (EU) 2016/679/ To this
the accused adds that the administrative body of the first instance did not claim or prove that it would ever
reverse engineering by combining the data set of the accused and the company occurred/
The defendant and the company were separate management companies that had to
to manage concluded contracts/ Within the concern, the company was not a managing person
and therefore could not order the accused to hand over the data needed to re-identify the subjects
data, while the company had no means of re-identification
data subjects to reach, and it is difficult to conclude that it was possible to re-identify the subjects
reasonably assume/
[44] The accused also commented on the contents of the contracts concluded with the company
, which regulate, among other things, the procedure of the parties in the event of the transfer of personal data
occurred/ The accused repeated that she only provided anonymous data to the company,
and just for the sake of due diligence, the contracting parties had processes in place even in case
that the transfer of personal data would occur inadvertently and contrary to the subject of the contract/ Pursuant to
the accused administrative authority of the first instance points out in the contested decision that
the contracts in question referred to anonymization as the removal of direct identifiers/Although
the contracting parties have chosen this name (elimination of direct identifiers), in fact
by anonymization, according to the accused, they understood a significantly broader process of anonymization, as described above/
According to the accused, the administrative body of the first instance should not have been satisfied with the party's process
called in the contract, but he should have investigated how this process actually looked/
[45] Regarding the transferred data, the accused further stated that she was transferring browsing history data
of the Internet, which anonymized/only statistical information was transmitted
informative value, i.e. it was possible to determine general trends and consumer preferences from them
etc. However, according to the accused, the company could not identify specific persons in any way,
and not even with regard to their social identity, as stated by the administrative body of the first instance
in the contested decision/ Likewise, the accused did not hand over the complete browsing history
15/57 of the Internet, because the history has been anonymized and some URLs have not been included
for technical reasons (e.g. pages with !jax technology), certain websites were not supported
statistical analysis of trends relevant, therefore they were not part of the data sets in question/ At the same time
transmitted data was collected only from browsers with the extension installed and enabled
Online Security and from Mobile Security mobile applications and on the !ndroid platform,
whereas, according to the accused, it is a generally known fact that users often use more than
one browser/
[46] Furthermore, the accused said that in misdemeanor proceedings it is necessary to establish the facts so that
there were no doubts about the matter, while the conclusions of the administrative body must be legally substantiated
relevant evidence, making unsubstantiated speculation arising from newspaper articles in none
in the case they do not meet/ The Office never demonstrated what data the company provided
to other persons, proto cannot be based on these unproven facts in any way/ Sense
moreover, the transfer of data to the company was never the inquiry of information about specific ones
persons, but generally valid conclusions relating to certain social segments and types
customers, not only such information is commercially usable/
The purpose of the legislation and the principle of administrator responsibility
[47] At the outset, the appeal body emphasizes that the purpose of the legal regulation of the protection of personal data
is prevention, i.e. preventing or at least minimizing the risk of interference with the rights of data subjects/
The practical reflection of the aforementioned preventive approach is, among other things, that all definitions
contained in the legislation must be interpreted broadly and at the same time all exceptions must be made
interpret as narrowly as possible/ This corresponds to the long-term decision-making practice of the Court of Justice
(e.g. the judgment in the Lindqvist case, C-101/01 of November 6, 2003 - the judgment in the Ryneš case,
C-212/13 of December 11, 2014 - judgment in the Jehovan todishajat case, C-25/17 of
20 July 2018, judgment in the Nowak case, C-434/16 of 20 December 2017)/ Regulation
(EU) 2016/679, compared to the previous legislation (directive of the European Parliament and the Council
95/46/EC of October 24, 1995, on the protection of natural persons in connection with the processing
personal data and on the free movement of such data), expressly regulates the principle of responsibility
manager/ According to this principle, the manager must, pursuant to Article 24 of Regulation (EU) 2016/679
specific way of performing processing operations to the risks that from this processing personal
data follow/ At the same time, the administrator is obliged to comply with the processing of personal data
in particular the general principles formulated in Article 5 paragraph 1 of Regulation (EU) 2016/679 (again adequately
in relation to possible risks) and must be able to manage them in accordance with Article 5 paragraph 2 of this regulation
demonstrate compliance; this effectively transfers the burden of proof to the administrator/Administrator
is therefore obliged to first evaluate the possible risks of the intended (and ongoing) processing/
The higher the risk of interference with the rights of data subjects, the more specific the processing
more rigorously, the administrator must assess the possibilities of the entire processing, while it is necessary to primarily
focus on fulfilling the principles of personal data protection and their compliance and only
secondarily examine whether it would be possible to apply any of the exceptions to these principles
arising from Regulation (EU) 2016/679/ In the case of high-risk processing that would
could have resulted in a noticeable interference with the rights of data subjects, the controller must, to the maximum extent possible
to the extent possible to ensure compliance with the obligations arising from Regulation (EU) 2016/679
and not rely on the application of any exceptions/
16/57 A. Personal data
[48] The accused in her statement during the inspection (ref. UOOU-07166/18-12 of August 1
2018) said that with the paid version of the antivirus software, users are accused
identifiable, not part of the payment data (in the scope of name, e-mail address, city
and the user's country, license information, payment method information)
which are collected by an authorized third party for the purpose of payment processing, may be
provided by the accused/ From the Company's Personal Data Protection Policy (Annex No. 7
to reference no. UOOU-01025/20-11) it follows that the accused in the case of a request for the provision of support
collects personal data in the scope of name, e-mail address, telephone number, address,
possibly also IP address, information about hardware, software, URL addresses of visited pages,
files stored on the computer, e-mail messages and similar data/ The above is according to
of the appellate authority, it is clear that part of the antivirus software users, i.e. paying customers
and the users who requested support were identified for the accused (not
only identifiable)/
[49] In the Product Processing Principles (Annex No. 7 to Ref. UOOU-01733/19-16) it is
stated that the accused in the case of using the product !ntivirus for computers (Mac and Windows)
processes personal data (except account data and billing data, if relevant),
namely operational data. identifier of delivered content (message), IP address, malware samples,
detection, URLs and referring pages, product events and usage, and device data. internal
online identifiers (GUID, Device ID), computer or device information, location,
information about applications in the device, about other products accused in the device, about the Internet
and connections, about the number of devices on the network and about browsers (installed, default)/ Based on these
it was also possible to identify the user if the information was indirectly processed by the Accused
personal data within the meaning of Article 4 point 1 of Regulation (EU) 2016/679, which the accused herself does not contradict/
[50] From the statement of the accused as part of the inspection of August 1, 2018 (ref. UOOU-07166/18-12)
it follows that the accused assigns a randomly generated to each antivirus software installation
an alphanumeric code called a GUID/ So if multiple products are installed on the device
antivirus software, or if the product is uninstalled and reinstalled, each
of these installations will have a different GUID, according to the accused, and thus the GUID is not unique
static identifier/ In the Company's Personal Data Protection Principles (Annex No. 7
to ref/ UOOU-01025/20-11) it is further stated that for customers of paid products and services for
personal computer is GUID associated with billing information/
a) Data transferred to the company
[51] Part of the processed data was allegedly passed on to the V Produktových company
principles of processing (submitted by the accused on December 20, 2019, appendix no. 7 to ref. UOOU-
01733/19-16) is listed for !ntivirus for computers (Mac and Windows). "If it is
Web Shield function active and you consent to data processing (internal identifier (GUID),
product version, time information, de-identified and stripped URLs (if not
cached), carefully selected aspects of some pages without identifiers, selected
requests) for the purposes of trend analysis, which means that you will subsequently provide this set of data
companies to develop products and services”/ For the product !ntivirus for mobile devices
(!ndroid) is listed. "If Web Shield is active and you enable the processing of clickstream data
(internal identifier (GUID), product version, approximate location along with de-identified
17/57a stripped URLs and information related to website URLs,
that you visit online) for trend analysis purposes, will then provide this file
data in a form that removes identifiers and thus enables the company to develop products
and services" (emphasis added by the appellate authority)/ It is further stated for this product that
also shares time information and Application IDs/Same range of transmissions with the company
data (except the application ID) is stated in the Consent Use Policy (submitted by the accused
December 20, 2019, Annex No. 2 to Reference No. UOOU-01733/19-16).
[52] In Appendix B (called Amended and Supplemented Data License Agreement, in AJ
Restated Data License Agreement) Data orders (in AJ Data Order Form) concluded between
the accused and the company on August 30, 2019 (hereinafter referred to as the "Data Order" or
"Agreement") is stated in point 1/7 entitled "Data manager". "Company a
acknowledge that Data may include personal data as defined by the relevant
by legal regulations ("Personal Data")/ To the extent that the Data contains Personal Data, the parties
analyzed the nature of the use of Data based on the Agreement and established that the company
has the discretion to determine its use of the Data in accordance with this
By contract and therefore is the Data Controller". From the above, according to the appellate authority, unequivocally
it follows that the accused was aware that they could be handed over to the company
personal data of the users of its anti-virus software, even if it is performed incorrectly
anonymization/ The accused stated in the breakdown that she had processes set up in case
the transfer of personal data to the company occurred inadvertently, which, of course, according to
the accused does not prove that she actually passed on personal data/ From point 1/7 of Annex B
The order of data, however, implies that the company could continue to receive personal data
to use/ If the company had accidentally transferred personal data according to the contract
only dispose of it, then she would not decide on their use herself and would not be in the position of an administrator
of personal data/ If the company was not supposed to process personal data at all, then it should
according to the appeals body, it did not make sense to be defined as a data controller in the contract/
[53] In Appendix B of the data order (item 1/1/called "License"), it is stated that the company
granted a license "to download a copy of the Data (as such is defined and determined
in the Appendix! each relevant Order) /0/ and to use the Data for business activities
company to incorporate into the company's products and services in the Reserved
area, in particular to use the Data as a whole or to incorporate it into the company's services
and to make the Data included in the company's services available to third parties
persons, specifically the company's customers (highlighted by the appeals body).
According to Annex B of the Data Order (item 1/2/), "reserved area" means the area
"marketing, marketing analytics, advertising technology, marketing automation,
marketing optimization, consumer behavior analysis, eCommerce analysis and analytics
trends"/ The Company thus, in accordance with the Data Order, could receive the "Data"
(representing or containing personal data) incorporate into your products and further make them available
to your customers/
7
In AJ: “Data Controller. and acknowledge the Data may include personal data, as defined by
applicable legislation ("Personal Data")/ To the extent Data contains Personal Data, the parties have analyzed
the nature of the use of Data under the Agreement and have determined that has discretion to
determine its uses of the Data in compliance with this Agreement and thus is a Data Controller.”
18/57b) Anonymization and pseudonymization
[54] According to Recital No. 26 of Regulation (EU) 2016/679, data protection principles "should
apply to all information relating to an identified or identifiable physical
persons. Personal data to which pseudonymisation has been applied and which could be assigned
to a natural person based on additional information, should be considered information
on an identifiable natural person/ When determining whether a natural person is identifiable, the
should have taken into account all possible means, such as selection by earmarking
reasonably assume that the administrator or another person will use them for direct or indirect purposes
identification of the natural person/ To determine whether use can reasonably be expected
means of identifying a natural person, all objective factors should be taken into account,
such as the cost and time required for identification, taking into account the technology available
at the time of processing and for technological development/Principles of personal data protection would therefore
should not apply to anonymous information, namely information that does not relate to an identified or
identifiable natural persons, nor to personal data anonymized so that the data subject is not
or has ceased to be identifiable/ This regulation therefore does not apply to the processing of these
anonymous information, including processing for statistical or research purposes"/
[55] Recital No. 28 of Regulation (EU) 2016/679 then states that "the use of pseudonymization
of personal data can limit risks for data subjects and help administrators
and processors to fulfill their data protection obligations"/
[56] It follows from the opinion of the Working Group WP 29 No/5/2014 on anonymization techniques that
creating a truly anonymous file is “not an easy matter” or “data file
considered anonymous can for example be combined with another set of data so that
to identify one or more natural persons"/ The opinion further explains the concept
anonymization, which is understood as “a technique that is used on personal data so that it is
irreversibly impossible to identify", while the data must be in such a form that
made it impossible to identify the data subject by any means that may be reasonable
used by the administrator or any other person/ !if the data were truly anonymous, it should not
data subjects to be able to identify even the administrator himself/There is more in the stated opinion
stated that “It is therefore essential to understand that if the data controller does not delete the original
(identifiable) data at the level of the given operation and part of the data set will pass (for example
after removing or masking identifiable data), represents the resulting file
data continues to be personal data"/ !even though the accused company forwarded data, ze
of which some identifiers have been removed (but not, for example, GUIDs), cannot, according to the appellant
authority to consider the transmitted data set as completely anonymous / In addition, the recipient of this data
(the company had the option, based on the data provided, of the data subjects again
identify (for more details, see/ below).
[57] According to the appellate body, anonymization must mean such modification of personal
data, which usually irreversibly removes the very personal essence of the data, absolutely,
not only relatively in relation to one recipient of the data/ In contrast, pseudonymization is
measures to mitigate the risks arising from the processing of personal data, without being affected by it
the nature of the personal data/In this case, it is a measure relative to the specific
recipients/ Furthermore, Recitals No. 75 and 85 of Regulation (EU) 2016/679 speak of "unauthorized
8https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_cs.pdf
19/57 cancellation of pseudonymisation", which in itself proves the assumed reversibility
pseudonymisation, while preserving the personal nature of personal data/
[58] The question of the boundary of anonymization is related to the issue of the so-called subjective and objective
the concept of personal data. According to the objective approach, it is personal data if
objectively, there is other information somewhere that, in conjunction with anonymized information, can
lead to (re)identification of data subjects/ According to the subjective concept, in the event that
the administrator does not have the necessary information leading to the identification of data subjects, or personal data
he does not act, even though this information may exist beyond his reach/ Given the strong
the pervasive principle of prevention, as the basic purpose of the regulation of the protection of personal data,
it is necessary to look at the concept of personal data rather from the perspective of an objective concept, which
the previous decision-making practice of the Court of Justice also corresponds/
[59] The judgment of the Court of Justice in the Breyer case (C-582/14 of
19/ October 2016), which stipulates a rather objective approach/ In the aforementioned judgment (paragraphs 44-46)
The Court states. “The fact that additional information needed to identify the user
the website is not available to the online media service provider, but
the internet connection provider of this user cannot rule out that a dynamic IP
addresses maintained by the online media service provider represent for this
the provider of personal data within the meaning of Article 2(a) Directive 95/46/Jenic, it is necessary to determine whether
the possibility of combining the dynamic IP address with the listed additional information available to it
this internet connection provider, represents a means that can reasonably be
used for the identification of the data subject/As led by the Advocate General in point 68 of his opinion,
these are not situations where the identification of the data subject is prohibited by law or would be
practically impracticable, for example due to the fact that it would require a disproportionate effort
in terms of time and in terms of economic and human resources, so the risk of identification would
in fact it appeared insignificant/“/ It follows from the above that to be a data subject
identifiable, not all information necessary for identification may be in the hands of one
administrator (objective approach). The identification of the data subject is not according to the Court of Justice (subsequently
on rec/ 26 of Regulation (EU) 2016/679) enabled if prohibited by law (not only
contractually, as the accused submits), or practically unfeasible.
[60] The appeal body sees a significant difference in whether the identification of data subjects
prohibited by law or contract. Compliance with the prohibition of processing resulting directly from the law
basically anyone can invoke it and it is possible to enforce it under public law/ The stated prohibition
it also has an important preventive function, which is essential in the field of personal data processing/
The Office does not dispute the principle of pacta sunt servanda, however, in the case of private law contracts
arrangements, the content of which is usually known only to the contracting parties, is the possibility to claim or
enforce the fulfillment of obligations agreed between the contracting parties (or compensation for damages
caused to data subjects) significantly more limited. The fact that
the contract can be changed by the contracting parties, the contract can also be invalid or
unenforceable/
[61] In the opinion of December 4, 2023, the accused argues the current decision
by the practice of the Court of Justice, which, according to her, demonstrates a deviation from the objective concept of the term personal
data on the subjective/ From the judgment of the Tribunal in the Single Resolution Board case (T-57/20, dated
April 26, 2023) is a really obvious bias towards the subjective concept of the term personal data, however
the conclusions therein cannot be applied to the present case, they are not (as explained below)
the company had the option, eg/ on the basis of publicly available additional
20/57 information, data subjects to be identified/ In addition, according to the appellate authority, there is application power
of said judgment is at least limited, since it is only a decision of the Tribunal,
against which an appeal was filed to the Court of Justice- it cannot also be overlooked that
from the point of view of the assessment of the concept of personal data, the relevant decision of the Tribunal is obvious
departure from the previous decision-making practice of the Court of Justice/
[62] In the grounds of the judgment of the Court of Justice in Gesamtverband Autoteile-Handel
(C-319/22, dated 9/ November 2023) is a subjective approach on the part of the Court of Justice
indicated, the legally binding conclusion of the decision, on the contrary, confirms the necessity of a broad interpretation
concept of personal data/
[63] It is indisputable that the accused collected and further processed personal data of users
of its antivirus software/ The process of anonymizing personal data is also one
of the methods of personal data processing in the sense of Article 4 point 2 of Regulation (EU) 2016/679/ Administrator
must be able to demonstrate, according to Article 5 paragraph 2 of Regulation (EU) 2016/679, that the
processing of personal data is in accordance with the principles of personal data processing indicated
in Article 5 paragraph 1 of this Regulation/ Taking into account the nature, scope, context and purposes
processing also to variously probable and variously serious risks for rights and freedoms
natural persons, according to Article 24 of Regulation (EU) 2016/679, the administrator is obliged to implement appropriate
technical and organizational measures to ensure and be able to demonstrate that the processing is
carried out in accordance with this regulation/ It clearly follows from the above that it is the administrator,
who bears the burden of proof and therefore has the obligation to demonstrate to the supervisory authority that his
processing is in accordance with Regulation (EU) 2016/679/
[64] The appellate body called for a note No. UOOU-01025/20-103 dated November 28, 2022
accused to document information about the processing of personal data, specifically.
• to submit Annex 1 Annex! "Scope of the structure of Existing Data" to the Order
of data entered into between the accused and the company (Order of data
the accused submitted to the administrative body on April 14, 2020 via data
mailboxes without the aforementioned attachment)-
• to communicate a detailed specification of the data, including their structure, which in the assessed
period handed over to the company
• to present a representative sample of the data that was passed on to the company,
and that includes the data in its original form, i.e. before removing identifiers (before
anonymization, as this process refers to the accused), from which the data was transferred
set created-
• to communicate how accurate the time information was (e.g. accurate to milliseconds),
which the accused handed over to the company together in the period under review
with URL addresses (as stated e.g. in the Consent Use Policy, in the Product
processing principles that the accused sent to the Office on December 20, 2019)-
• to inform whether it could have been transferred to the company during the period under review
eg/ address in this format
https://www.amazon.com/gp/buy/addressselect/handlers/edit-
address.html?ie=UTF8&addressID=REMOVED&addressIdToBeDeleted=&enableDel
21/57 iveryPreferences=1&from=&isBillingAddress=&numberOfDistinctItems=1&showBa
ckBar=0&skipFooter=0&skipHeader=0&hasWorkingJavascript=1;
• to inform whether the company was provided with data from which it was possible
find out, for example, this information. Device ID. (eg/ abc123x), Date: (eg/
2019/12/01), Hour Minute Second: (eg/ 12.03.05), Domain: (eg/
Amazon.com), Product: (eg/ !pple iPad Pro 10.5 - 2017 Model - 256GB, Rose
Gold), Behavior: (eg/ !dd to Cart) - if not all the given data, then in what
scope;
• for a more detailed explanation of the concept of aggregated data, which company
received and used from the accused (stated in the Personal Data Processing Principles
of December 19, 2019 and in the Privacy Notice – a document sent to the Office of the accused on
5 August 2019);
• to inform how many users of the accused product (or device) are being transferred
data concerned (the company stated on its website that the data
comes from 100 million devices)/
[65] However, the accused did not provide the Office with the required information/ Pursuant to § 36 paragraph 1 of the Act
No. 500/2004 Coll., the parties to the proceedings are entitled to propose evidence and make other proposals throughout
the duration of the proceedings until the decision is issued, and according to § 52 of Act No. 500/2004 Coll., the participants are
obliged to indicate evidence to support their claims/ Accused in proceedings before an administrative body
of first instance even now before the appeals body only repeats that personal data
anonymized, i.e. that it did not transfer any personal data to the company without
she described the anonymization process in detail and documented (based on the request of the Office) a sample (output
anonymization process) of transmitted "anonymized" data or by any other
accurately specified the scope of the transmitted data, or the scope
forwarded dates indicated in the Office's invitation (July 28/November 2022) however expressed/ Nor
Order of data, on the basis of which the accused, according to his claim, the data of the company
forwarded, it does not contain a closer (let alone a detailed) specification, despite the express
designation Annexes 1 Annexes ! “Scope and Structure of Existing Data” and the text “Exact Scope
and the structure of Existing data from each source is shown below in Annex 1 of this Annex!” (Art. 1
Side dishes !). The accused repeatedly refers to the use of robust anonymization techniques
(patented process), however, the fact that the anonymization performed by her resulted in
truly anonymous data, contrary to the administrator's responsibility principle, did not prove/
c) Possibility of re-identification of data subjects
[66] According to the appeal body, the accused did not (only) transmit anonymous data, because
data subjects could be re-identified/
[67] A natural person is identifiable if it is possible to distinguish him from others in a way,
which will allow the holder of the information to treat this person differently than other persons/ Person
is directly identifiable if the holders of the information can identify the person to whom the data is provided
relate, only using information and methods that are easily available to them - the person is indirectly
identifiable if only possible by obtaining auxiliary information or by use
methods which are not readily available/ Obtaining such auxiliary information may
require some effort, such as searching the Internet/ Identification may also rely
22/57 about a combination of data that is not unique in isolation, but only when considered
together in a given context, while supporting information enabling the identification of subjects
the data may not be available to a single person/ The appeal body is aware that it is complete
anonymization of some data may be possible, considering the amount of publicly available information
and technological developments (including newly used artificial intelligence), very complex and in some
cases even impossible/ In the case of processing anonymized data, the administrator must
consider and regularly assess the probability and severity of the risk of re-identification
of data subjects/ !anonymization should be irreversible, i.e./ it should prevent any re-use
identification of the data subject, with the risk of re-identification by any user
reasonably assumed means must be very low (ideally none).
[68] The defendant stated in the deposition that she had deleted the data before handing over to the company
all identifiers/ However, as mentioned above, the accused handed over to the company
including a generic user identification number (GUID), which is the identifier of the installation/Z Order
data (Annex No. 10 to No. UOOU-01025/20-11, namely Article 3 of the Annex!) shows that the company
is required to replace the GUID with another unique identifier (JID) and destroy the GUID,
whereby the company is contractually prohibited from dealing with the GUID in any further way/ Appeal
the authority notes that the accused handed over data to the company, including
unique identifier that she was aware of/
[69] Furthermore, it follows from the Data Order (Article 5) that the data were transmitted in real time,
delayed by the time required to perform anonymization, but at least once per hour.
Furthermore, it is stated in the Data Order (Article 3 of the Annex!) that the company may not
use the GUID for no other purpose than assigning the correct JID
to the relevant data and to check that the correct JID has been assigned to the relevant data.
It follows from the above that the same JID was always assigned to one GUID, i.e. that the transmitted data
(internet browsing history) were not limited to a short period of time, e.g. only one
hour/ The more data (long browsing history, time data, location data, etc.)
the company had, the higher the uniqueness of the viewed URL string, which
increased the probability of successful identification of data subjects/
[70] Deletion of identifiers from browsing history according to the accused
was carried out using algorithms and methods described in a patent registered in the US! under no.
(no/ is mentioned in the breakdown, apparently this is a typographical error)/
It follows from the mentioned patent that if there are several users with the same parameter value (part
URL), then this value will not constitute personal data/ However, if the frequency of occurrence
values in the URL low, the parameter could contain data aimed at identifying the subject
data/ In other words, a website that is visited frequently probably won't
contain personal data, whereas a page visited by only one person, for example, is personal
the data may contain/ In this case, the parameter values may be removed from the URL
or replaced by other information, e.g./ by the word "private"/
[71] To get an idea of what data was removed from URL addresses, or what parts
URLs were transmitted, it is necessary to proceed from the structure of URL addresses/ URL addresses have their own fixed
given structure, they consist of individual parts (fields) arranged in a specified order
and separated by specified characters/ Some fields are optional. URL by default
consists of these parts. protocol (e.g./ HTTP), address part [server name, domain of the other
9https://cs.wikipedia.org/wiki/Uniform_Resource_Locator
23/57 order, top-level domain - e.g. www.dpp.cz or uoou.gov.cz, port (for the http protocol
is the port number 80)], path (the directory structure in which the page is located), query (labeled
followed by the query parameter), the last part of the URL is the fragment
(refers to a specific place on the page).
[72] It follows from the Patent (item 0043) that the path, query and fragment in particular are different
of users may vary and usually contain private information (PII)/ However, this information does not
may also appear in other parts of URLs/Parts of URLs that may contain these private
information, is referred to in the Patent as "parameter"/
[73] It follows from the above that the URL addresses were during the "anonymization process" according to the Patent
only certain parts are removed (excluding URLs that were not based on this process
forwarded at all), which could differ significantly in scope/From some URLs it could be so
removed a large part of them, from others, on the contrary, a substantial part remained and some
(probably the majority, or at least a significant part of them, because in a normal search
information on the Internet or reading messages (URL addresses, private information, as a rule, do not contain)
remained unchanged, i.e./ were transmitted complete/ Based on the transmitted URL addresses (even after
possible removal of some parts) it was possible to track the user's (unique) movement on
internet, what pages he visited, what videos he watched, what articles he read, what he searched for, what he bought/
If this data were linked or compared with other data (as described below), then it would
it was possible to identify data subjects and find out information about their interests, behavior,
preferences etc.
[74] The identification of data subjects was dealt with, for example, in a scientific study by Stanford University, 10
which implies that de-identified browsing history can be linked to profiles on
social networks such as Twitter, Facebook or Reddit using publicly available
information, by virtually any attacker who has access to browsing history/ Tato
study shows that 72% of 374 were successfully de-anonymized (re-identified)
users/ According to the appeal body, the company itself, or any of its
an employee who had access to Internet browsing history to link that data to the data
from publicly available sources (e.g. social networks), possibly also from other sources (company
according to the accused, she had multiple data sources) and thus identify individual users/
It is not decisive whether it would be possible to identify all or only some
user.
[75] The company could data subjects using publicly available information
self-identify/ An example can be a route search (e.g./ on Google Maps). if
the starting or destination point of the route is often repeated for one user (e.g. it is often entered in the morning
the same starting point and in the evening the destination point is the same as in the morning), then it can be concluded that in this
the point where the user resides/at the address is to identify the user in a number of cases, especially in situations where
when it is possible to find out much more about the user from the history of visited websites
information - if such an address were, for example, London, Baker Street 221B, another supplementary
the information might not even be needed to identify the data subject (note/appeal
the authority deliberately chose the address of a literary figure for illustration). Identification options
users could be wider if the company had more data sources/How
already mentioned, the combination of data from different sources (including publicly available ones) can lead
10
De-anonymising web browsing Data with Social Network. Jessica Su. Sharad Goel. Stanford University.
https://dl.acm.org/doi/pdf/10.1145/3038912.3052714.
24/57 to identify users. In the case of the !ntivirus for mobile (!ndroid) product, it was
information about the approximate location is also transmitted, which not only facilitates the identification of the data subject, but
can also lead to a sensitive intervention in his privacy/
[76] The risk of re-identification was also dealt with by the Working Group WP 29, which in its
opinion č/5/2014 (pp/31–32) described the ways in which, on the basis of anonymized data
data subjects have been re-identified/ It follows from the stated opinion that
anonymized data on movie ratings given by Netflix users over a 14-day period
represent such unique data that the connection with data from publicly available databases, below
rates movies (IMDB), users have been re-identified (based on their granting
ratings to the same films in the same time ranges)/ !although the mentioned case is not with now
subject matter identical, it is clear that the company (and anyone who had or should
access to data on visited URLs) could identify users, e.g
that at a certain time they entered their comment, review or
assessment.
[77] It follows from the administrative file that the accused published a post on the Twitter social network
"!though it sounds alarming, it is very easy to identify you in an anonymized data set.
A new study found that there is no need to de-anonymize data and trace it back to you
many/" , referring to an article titled "Sorry, Your Anonymized Data
12
probably not anonymous" of July 23, 2019, from which it follows (with link
on a study published in the journal Nature Communications ) that on the basis of de-identified
web browsing history can identify specific users/ The post listed was later
removed/ According to her statement in the statement of 4/ December 2023, the accused considers
the scientific study of Stanford University as unnecessary, as it was devoted to the connection of profiles
on social networks with a complete internet browsing history/According to the appellate body listed
the study highlights how relatively simple it can be to re-identify data subjects,
while the appeals body considers that data subjects can be identified even on the basis of an incomplete one
browsing history, as evidenced by a study published in the journal Nature Communications,
which the accused drew attention to on her Twitter account, and which she does not contradict in any way.
To this, the appeal body adds that the problem of anonymization, or the difficulty of achieving it
full anonymization is not addressed only in recent years in connection with Regulation (EU)
14
2016/679, but also the professional public has been drawing attention to this issue for a relatively long time.
The appeal body considers it necessary to emphasize at this point that the accused is not a company
providing any software but anti-virus software primarily intended to protect data
and user privacy/ Users also turn to anti-virus software companies,
who do not orient themselves in the field of information technology and cyber security and do not know how
secure your privacy in this environment/ In this regard, excellent or
above-standard expertise (including expertise in personal data protection)
and ethical level of conduct, i.e. that a company that offers privacy protection will not data,
11V AJ „!s troubling as it sounds, it´s very easy to identify you in an anonymized data set/ ! new study finds that
12 doesn't take much to de-anonymize data and trace it back to you"/ Srov/ document no./ UOOU-01025/20-2.
In AJ "Sorry, your ´anonymized´ data probably isn´t anonymous", available here.
https://mashable.com/article/anonymous-data-sets-easily-de-anonymized.
13Available here.https://www.nature.com/articles/s41467-019-10933-3.pdf.
14 For example, the article entitled “Broken Promises of Privacy. Responding to the Surprising Failure of
Anonymization", published in the UCLA Law Review in 2009 (Vol. 57, No. 6, pp. 1701-1777), available here.
https://www.uclalawreview.org/pdf/57-6-3.pdf.
25/57 which could reveal any privacy of users, transfer or sell to other entities/
The accused, as a professional user privacy protection committee, should be aware of the risks
(difficult to achieve complete anonymization of data) and should be really sure (without
of any doubt) that the data it transfers to another administrator does not contain any personal data
data, and that even the subsequent processing of the transferred data cannot lead to an invasion of privacy
users/
[78] CEO 15 accused in an interview with ČT24 on the 16th for questioning
to his reaction to the findings of foreign professional journals that it is possible relatively easily to de-
to anonymize the data that comes from the antivirus that the accused resells to the company
, i.e. that "it is possible to connect the specific behavior of specific users, what they do
on the Internet", he stated that "there are studies that investigate this in some way"/ He further stated,
that the accused had a contract with the company (and so did the customers
they had a contract with him) in which it was "explicitly forbidden any of these
things to do", by which the accused was legally treated/According to the appellate body, she knew
about the fact (about the existence of studies) that based on the user's behavior on the Internet (browsing history
internet pages) it can be identified relatively easily/ Subsequently in the subject
during the interview, the CEO of the accused stated that the accused did not know that this could happen, because the data
did not contain personally identifiable information (personally identifiable information or
PII). In her statement of 4 December 2023, the accused objected that the administrative body
individual parts of the interview out of context, as the CEO did admit that there are studies that
are dealing with the possibility of re-identification in general, but he emphasized that the data has been comprehensive
anonymization and at the same time there were contractual mechanisms that any attempts to reverse
identification was prohibited. This statement and the media statement of the accused CEO, however, in the context of
that the accused knew (and shared on the social network Twitter) that "it is very easy to identify you
in an anonymized data file", the appeals body considers it to be purposeful/
[79] If the accused knew about the possibility of re-identification of data subjects on the basis of
their de-identified internet browsing history, then it is not apparent to the appeals body, on
on the basis of which she could believe that if the so-called PII were removed, it would not be possible for data subjects
identify. In the case of anonymized data processing, it is the administrator's duty to examine whether
is the data still anonymous due to technological progress, or whether there is no possibility
how to retrospectively identify data subjects/ In such a case, the data can no longer be considered
considered anonymous and should be treated as personal data/
[80] Company website as of June 24
2019 contained, among other things, the following information. "Market smarter with consumer journey
analytics. Examine every search, click, and buy. On every site; See it all. From search to
purchase. Get a super-detailed view of every buyer path, as it twists and turns; Analysis with
ultimate flexibility. Explore on-demand or dive deep with data feeds; Be confident in your
insights. Our 100 million panelists in 188 countries means data you can trust" and "Get deeper
analysis with granular data feeds. Follow user journeys at the atomic level; Answer all yours
business questions with unlimited data; Combine with your own sources for custom analysis"
15!English abbreviation for the position "Chief Executive Officer", whose equivalent in Czech is usually
executive director of the company/
16 Available here.
.
17
Available from. .
26/57(unofficial translation. "Marketing smarter with consumer journey analyses/ Explore every
search, click and buy/ On every site - track everything/ From search to purchase.
Get an extremely detailed view of each buyer's journey as it twists and turns-
!lyse with maximum flexibility/Explore data on demand or dive deeper
of data sources - You will be sure of your findings / Our 100 million panelists in 188 countries
represents data you can trust/" and "Get deeper analysis with granular
of data sources/ Track user journeys at an atomic level- Answer all your
business questions based on unlimited data- Combine with your own sources for
tailor-made analyses").
[81] The company's website as of January 28, 2019 19 further contained
information is the only company that unlocks walled-garden data to empower
marketers to target and expand their customer base/ The company's real-time, opt-in global
panel tracks five billion actions a day across 100 million devices to deliver insights into online
consumer behavior" (unofficial translation: is the only company that makes available
20
data from closed platforms and thus enables marketers to target their customers and expand their
customer base/ Worldwide panel of consenting users of the company, with the possibility
real-time login, monitors five billion events per day on 100 million devices, provides
thus insight into the online behavior of consumers/").
[82] From the history of the company's website, it can be seen that its customers
were for example companies
[83] According to the appellate authority, it follows from the above that the company transferred
(sold) data obtained from the accused to other companies, while this data was very
detailed/ For the completeness of the appeal, it is recalled at this point that the transfer of data between companies
and its customers is not the subject of this procedure, however, further handling of the data
by the company is described with regard to the context of the entire processing/ Company
according to its website, it offered potential customers the option
to obtain detailed information about the behavior of Internet users (cf. the text "Examine each
search, click and buy/ On every site; track everything/From search to purchase/"),
while explicitly stating the possibility of combining this data with customers' own data.
The company was not only a sister company of the accused but also offered its own
products (detailed user information) on their publicly accessible websites
pages/ The accused was thus well aware of how the company handles data.
[84] It is precisely in combining data from different sources that the great risk of repetition lies
user identification/ In the event that a third party links anonymized browsing data
of the Internet obtained from a company with its own database, identification may occur
data subjects/ According to the appeal body, the behavior of users on the Internet is unique, they are not
the websites they visited, their order, number and time spent on them differ
spent/ If, for example, he obtained detailed anonymized data about Internet browsing
18 meant by users.
19Available from..
20 The term walled-garden (originally meaning "a garden surrounded by a high wall").
21
Compare official record No. UOOU-01025/20-112.
27/57online store, could compare the movement of the internet user with its own data and the user
simply identify if, for example, it is his registered customer, or
if the customer purchased the goods and provided his billing information in that context/ The fact that
the online store identifies its own customer, it is not too problematic in itself,
because in this way it does not get any other information than what it already has in the entire database. Essential
however, the internet store gets (new) data about the internet browsing history not only on its own
websites, but also, for example, about which pages the customer came to the website from
of this online store he came, what other websites he subsequently visited, if applicable
and other detailed information about its movement across the Internet/ It is then possible to find out from this data
(I would not be certain) e.g. interests of the data subject, data on his behavior or habits (where
moves where, place of residence, but also education, profession, religious beliefs,
political opinions, health status or sexual orientation/ Any other use of these
of information, which can also be highly sensitive, can significantly interfere with the subjects' privacy
data/
[85] After all, the possibility of linking data by an employee is also described in the Patent, in part
explaining implicit private information (implicit private information)/ Appealing to this
the authority adds that the linking of databases does not have to take place only on the basis of some identifier/
In the case of browsing history, which is basically unique for each user, you can
to compare the anonymized data with the data that is available, for example, to the aforementioned internet provider
shop, and to recognize the customer according to his "internet path"/In some cases this
identification can be very easy, as the information that specific would be sufficient
the item was added to the cart and purchased at a certain time/ By comparing this information with your own
database on the sale of this item at a given time, the customer can be easily identified/ Uniqueness
of data in the case under consideration does not lie in the personal data contained in the URL, but
in the uniqueness of user behavior on the Internet/ The company had movement data
of users on the Internet (URL addresses and time data were tied to the GUID/JID identifier), byu
(according to the Data Order) this Internet browsing history was not completely complete/
[86] In the case under consideration, it may be sufficient to re-identify the data subject even relatively
a small part of the anonymized Internet browsing history, so it is not an option
re-identification determining whether the accused person was passing on a complete browsing history, or
only part of it/ The said question would be relevant in relation to what all is possible
to find out about an identified person/ The larger part of the browsing history someone has available, the easier it is
(and more likely) the data subject can be successfully identified and at the same time can
to get more (detailed) information about him/ At the same time, at this point, the appeal body emphasizes,
It is not necessary to be able to identify all users/If only they can be identified
a small part of them, it is not possible to talk about anonymous data/ Given that the accused
transmitted anonymized browsing history from around 100 million devices (cf. above),
and due to the aforementioned options for third parties to re-identify the data subjects,
even if only a small part of the users were identified, the privacy of many would be invaded
of data subjects/For the sake of completeness, the appellate body states that it is not decisive in the case under consideration,
whether the re-identification of the data subjects actually took place, or is it sufficient to intervene
to the interest protected by law, which is the protection of personal data and the privacy of data subjects,
could actually happen (or may happen in the future)/
[87] In connection with anonymization, it can be stated that it does not apply to anonymous data
Regulation (EU) 2016/679, i.e. neither the obligation to properly secure data, resulting from Article 32
28/57 of the aforementioned regulation/ However, the data provided by the accused company cannot be considered
for anonymous - as explained above, there is a big one in case of data leakage or publication
the likelihood that data subjects could be re-identified, which they might have
resulting in a fundamental interference in their privacy/ At the same time, there are a number of entities (incl
of the company's customers, i.e. companies with huge databases of their own), which would
could identify Internet users based on anonymous browsing history/ In addition
the appellate authority further adds that (as described above) the accused was aware that
there are third parties that could re-identify individual users/
d) !aggregated data
[88] In the Personal Data Processing Policy of 19 December 2019 and in the Privacy Notice
(document sent to the Office of the accused on August 5, 2019) it is stated that the company
received and used aggregated data from the accused/ The accused was within the framework of the call of
November 28, 2022 (ref. UOOU-01025/20-103) requested by the appeal body (among others)
for a more detailed explanation of the term aggregated data/ However, the accused provided the requested information
She did not provide the authority/
[89] The opinion of the WP 29 Working Group can be used to explain the concept of aggregation
No. 5/2014 on anonymization techniques, in which it is stated that the goal of the aggregation technique is
prevent the data subject from being singled out by being assigned to a group of at least x other persons/
For this, it is necessary to generalize the values of the touch rate attributes so that every person shares the same
values/!aggregated records thus combine information about individuals into information that
relate to a group of persons, and it is not possible to single out individual data subjects from them/ Movement of users
on the Internet is unique, i.e. a highly probable phenomenon that is viewed by different users and different
websites at the same time in the same order and spent the same amount of time on them, etc.
The company offered its customers the ability to examine “every click
of the buyer"/ According to the contract, the data was transferred to the company "in real time, with
delayed by the time required to perform anonymization, at least once per hour".
Along with the browsing history, the accused also transmitted a unique GUID identifier, i.e. transmitted
the data containing the browsing history of the Internet pages was broken down by individual
by installing antivirus software or an Internet browser add-on. Considering everything
according to the appeal body, the above was not and could not be aggregated data.
The Appellate Body is aware that a GUID is an installation identifier, whereas a single device
may be used by more than one person, however more can be identified based on browsing history
of individual users (for example, if users of one computer each have their own account
on a social network and/or shop online). Furthermore, it can be stated that there are currently many
of these devices, especially mobile phones, are often used by only one person.
e) Contract
[90] The transfer of data between the accused and the company took place on the basis of
of the contract called Data Order/ The final provision of this Contract states:
"The Agreement constitutes the exclusive and complete agreement between the Parties regarding the subject matter of the Agreement
and supersedes and terminates any prior or contemporaneous agreement of the Parties with respect to its subject matter
and supersedes and terminates any prior or contemporaneous written or oral agreement,
arrangements, guarantees and assurances of the given subject, especially after the contract between the Parties
30/ August 2014, which consists of the Order Form, Terms of Order, Description of Data
29/57a of the Data License Agreement"/ The Agreement further states that "The term 'Agreement'
used here refers to this Order, Annex ! – Description of data (including Annex 1) and Annex B –
License Agreement”/ In Appendix B of the Data Order (item 12/3/) it is stated that the changes
and modifications to this Agreement will only be effective if made in writing/
[91] Point 3 of the Data Order entitled Description of Data states that "Definition of Data that
are to be provided on the basis of this Order ("Data"), is set out in the Appendix !"/ Pursuant
Side dishes ! called Data Description is Existing Data "all anonymized usage data,
provided to the Company on the Effective Date collected by the Company
through the computer programs, mobile applications, services and others listed below
functions", with "The exact scope and structure of Existing Data from each source is set out below
in Annex 1 of this Annex !” (highlighted by the appellate authority)/ Annex 1 of Annexes ! (as,
in which the accused was presented to the administrative body of the first instance on April 14, 2020)
however, it only contains the heading "Scope and Structure of Existing Data", without anything else
content.
[92] The Office therefore invited the accused in a letter dated November 28, 2022 (ref. UOOU-01025/20-
103) to submit the above-mentioned annex, as well as to communicate and submit other information
regarding the data transmitted by the Accused to the Accused company on this request
responded with a letter dated December 14, 2022, in which she stated that she "decided not to provide
requested information with reference to the principle of prohibition against self-incrimination and other procedural
guarantees arising from the Charter of Fundamental Rights and Freedoms, the ECHR and the EU Charter"/ Office therefore
the accused addressed another invitation dated January 9, 2023 (ref. UOOU-01025/20-105), in which he requested
on submission of Annex1 Annex ! “Scope and Structure of Existing Data”, Annexes 2 “Competitive
entities" and Annexes 3 "Essential columns of data"/ At the request of the accused, the Office extended the deadline for
provision of the requested and at the same time specified that he requires the presentation of the original of the Agreement
including all its attachments/ The accused informed the Office in a letter dated 7/ February 2023 that the attachments
required by the Authority were never finalized or signed/ The accused further stated that
The contract was negotiated in the summer of 2019 and signed on August 30, 2019, i.e. outside
the time period when the alleged offense investigated by the Office in the current one should have occurred
proceedings / However, according to the accused, the contract was supposed to apply retroactively from February 2019 / But before the parties had time
To finalize the contract, the cooperation was terminated, and shortly thereafter, in February 2020, it was terminated
activities of the company Although the annexes were never finalized, it does not mean according to
accused, it was not clearly stated what the companies exchanged with each other/The purpose of the contract was
only to formalize the existing exchange of data between the companies at the given time/ Finally accused
stated that with the company they were part of one corporate group, while the scope
information exchanged was clear between the parties/
[93] In addition, the appeal body states that the subject of the Data Order was the transfer of data
the accused company, but it is not possible to find out from it, specifically, what information the accused had
transfer to the company (cf. point [91] above), is therefore not sufficientnot specified
subject of performance. The Accused in its Statement of December 4, 2023 (in response to the Preliminary
findings of the Office) stated that the Data Order is governed by California law and the accused is not
obvious, from which the Office infers that California law requires a written form of this type
contracts. From Annex B point 12/6/ Order of data, entitled "Governing law/ Submission
jurisdiction.”, this Agreement is governed by the laws of the State of New York, not California
22 However, according to the Data Order (point 1/), in conjunction with Article 9/1, the contract was to be effective from 1/ January 2019/
30/57 by law/ Requests in written form, or/written definition of the scope of transferred data,
the appellate body infers from the express agreement of the contracting parties (cf. points [90] and [91] above).
The Data Order expressly states that “This Agreement constitutes the exclusive and complete
agreement between the Parties regarding the subject of the Contract /0/", and that the exact scope of the data they have
to be provided on the basis of the aforementioned contract is specified in the Data Order/
It is clear from the above that the contracting parties have agreed on the written form of the contract, inclusive
specifications of the data transferred/ One can therefore only speculate about why this agreement is contractual
parties failed. Based on the above, the appellate body considers the argumentation
alleged that the extent of the information transferred was known to the contracting parties as irrelevant.
[94] Regarding the accused's argument that she did not have time to finalize the contract, the appellate authority states that
the transferred data were not specified in more detail even in the previous contract (Contract on provision
data license) concluded between the accused and the company on 30/ August 2014/ In it
it only stated that “'Data' means anonymized usage data that the company
collects and makes available for download and use by companies
The accused therefore had 5 years to specify the subject of the contract (until the conclusion of a new contract in
2019). In view of the above, the appellate body considers this argument of the accused to be valid
purposeful/
[95] In the statement, the accused stated that the re-identification of the data subjects was not possible
reasonable to assume, as it was contractually prohibited, referring to Article 4/6 of Annex B
Data Orders. "the company may not use the Data in any way in an attempt to
to identify or reverse engineer any identifiers relating to the Data or otherwise
attempt to derive or gain access to such direct identifiers”/ In addition
the appellate authority states that it is certainly possible to contractually prohibit any attempts at identification
natural persons/ These legal guarantees are usually a way to strengthen other administrators
measures taken to reduce the risks associated with the processing of personal data by making them
legally enforceable, and are thus primarily instruments that summon authorized recipients
anonymous, or of pseudonymous, liability information/ !however these guarantees may
reduce the risk of identification attempts, they do not replace anonymization as such/
B. Legal title and purpose of personal data processing
[96] The accused further states in the statement that if the head of the Office had concluded that there had been
to the transfer of personal data, this was done in accordance with Regulation (EU) 2016/679/ Accused under
submitted its statement to subsets of anonymized product data which
made it possible for companies to create a product charting general Internet trends, not
interests of individual users/ Administrative authority of the first instance in the contested decision according to
the accused does not dispute that the accused had a legal title to collect personal data,
however, it claims that it had no legal basis for handing them over to the company. According to
accused, the purpose of transferring the data to the company was compatible with the primary purpose
processing according to recital l/50 and article/5 paragraph/1 letter/b) regulation (EU) 2016/679, or processing
personal data for statistical purposes is processing with a compatible purpose/Meaning
statistical analysis of trends carried out by the company was a survey of general knowledge
regarding the behavior of consumers, their preferences and other relevant circumstances/ This activity
used statistical methods and arrived at statistical results that showed general
tendencies and trends, not information about individual persons/ The accused admits that this was the case
31/57o commercial activity, however, statistical activity following commercial interests also fulfills it
definition of statistical activity according to Regulation (EU) 2016/679/
[97] The accused further stated that even if she gave the company personal data and purpose
the transfer of the data would not be compatible with the primary purpose of the processing, it should for the transfer of the data
the company has a legal title in the form of a legitimate interest/ The accused does not agree
in the conclusion of the administrative body of the first instance, the transfer of data was not for the data subjects
expected, especially because accused data subjects of transferring data to the company
explicitly informed/ According to the accused, the processing of pseudonymized or
of anonymized data for the purposes of statistical analysis in the case of digital companies in any way
unexpected, are not it is a generally known fact that digital companies generally trends
between their customers and use the data obtained for this purpose/ In the case of data transfer
company, according to the statement of the accused, the administrator's legitimate interest outweighed the interests
data subjects, or the transfer of data for data subjects did not pose any risk and subjects
data subjects could refuse the transfer of data through the opt-out mechanism. Opposite this
the legitimate interests of the accused, both the commercial interest and the interest in
general improvement of products and investigation of consumer preferences/
[98] On the legal title of personal data processing (transfer of data to the company
the appellate authority states that due to the requirement to inform data subjects of the legal
title at the time of obtaining personal data [Article 13 paragraph 1 letter c) of Regulation (EU) 2016/679], must
administrator to determine the relevant legal title before the actual data collection/ Elected
the legal title cannot then be changed arbitrarily during data processing/ According to the appeal body
so it is not possible to proceed with the accused's argument that she was passing on anonymous data [to which
Regulation (EU) 2016/679 does not apply\, in case the data were not anonymous, processed
personal data for statistical purposes, unless this purpose is compatible with the primary one
purpose of processing, the accused would process the data on the basis of a legitimate interest/ Although
the appellate body is convinced that the accused legal title processing personal data in advance nor
did not choose, i.e. did not have a legal title, for the individual legal titles objected to
accused, the appellate body will nevertheless express its opinion/
[99] It follows from Article 5 paragraph 1 letter b) of Regulation (EU) 2016/679 that personal data must be
"collected for certain, expressly stated and legitimate purposes and may not be further
processed in a way that is incompatible with these purposes - further processing for purposes
archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes
purposes pursuant to Article 89(1) shall not be considered incompatible with the original purposes ("purpose restrictions")"/
Similarly, recital No. 50 of Regulation (EU) 2016/679 states that "Further processing for the purposes
archiving in the public interest, for the purposes of scientific or historical research or for statistical purposes
purposes should be considered compatible lawful processing operations”/ Although
it follows from the above that further processing for statistical purposes is not considered incompatible
with the original purposes, the above cannot be interpreted as a general exception to the purpose limitation, i.e
that personal data can be processed for statistical purposes without any further/ Article 89 paragraph 1
Regulation (EU) 2016/679 explicitly stipulates that even processing for statistical purposes is subject to
in accordance with this Regulation, appropriate guarantees of the rights and freedoms of data subjects; as well as Article 5
paragraph 1 letter e) of this regulation presupposes the implementation of relevant technical
and organizational measures with the aim of guaranteeing the rights and freedoms of data subjects/
[100] The compatibility of purposes in the processing of data for statistical purposes was also dealt with by Pravávky
the WP 29 group in its opinion No. 3/2013 on the limitation of the purpose in which (in part III/2/3/)
32/57 commented on the then valid provision of Article 6(1)(b) of the Directive of the European Parliament
and of the Council 95/46/EC of 24 October 1995 on the protection of natural persons in connection with the processing
personal data and on the free movement of such data [which was similar in content to Article 5 paragraph 1
letter b) of Regulation (EU) 2016/679\ so that this provision "should not be interpreted as
a general exception to the compatibility requirement and is not intended to be a general authorization to further
data processing for historical, statistical or scientific purposes in all cases/ As well as
in any other case of further use must be in deciding what guarantees they can
be considered appropriate and sufficient, taking into account all relevant circumstances and factors'
23
(unofficial translation).
[101] Even in the case of personal data processing for statistical purposes, it cannot do so according to
of the appellate authority to disproportionately interfere with the rights of data subjects/ the Administrator should do so
should also have adequately taken into account the circumstances in the case of data processing for statistical purposes
referred to in Article 6 paragraph 4 and in Recital 50 of Regulation (EU) 2016/679, it is also stated. "Legal
the basis for the processing of personal data under the law of the Union or a Member State may also
to serve as a legal basis for further processing/ In order to determine whether the purpose of further processing is
compatible with the purpose for which the personal data was originally collected, the controller should, po
fulfillment of all requirements for the legality of the original processing, to be taken into account, among other things
any link between these purposes and the purposes of the intended further processing, the context in which
personal data has been collected, in particular reasonable expectations of further use
nature of personal data that data subjects have based on their relationship with the controller
personal data, consequences of intended further processing for data subjects and existence
appropriate safeguards both during the original and during the intended further processing operations'.
In the case under consideration, the accused should have assessed the risks and possible further consequences
processing for data subjects/ As mentioned above, based on the data transmitted
it was possible for the company to re-identify data subjects from the browsing history
potentially discover a large amount of even sensitive data (including special categories of data), which would
there may have been a noticeable interference with the privacy of the data subjects and caused them harm/ In case
data processing for statistical purposes is also important to distinguish between situations where it will
this further processing carried out by the original data controller, and situations where they will be personal
data transferred for such further processing to a third party (can be compared to data processing
through cookies directly by the website operator and through
third-party cookies)/ The appellate authority agrees with the accused in that the average user is
aware that the administrators of personal data use the data obtained for statistical purposes. This
expectations, however, point to statistics related to the subject of the manager's activity, in a relationship
to the accused in connection with the operation or improvement of anti-virus software functions
accused/ However, according to the appellate authority, users did not normally expect that the accused, as
a company providing products for the protection of data and therefore user privacy, will be within
"trend analyses" to process their data not related to the provision of the service of the accused and these
transfer (sell) personal data to a third party, which will further use it for its own purposes
commercial interests, i.e. sell to customers with large data sources of their own,
23
"It should not be read as providing an overall exception from the requirement of compatibility, and it is not
intended as a general authorization to further process data in all cases for historical, statistical or scientific purposes
purposes. Just like in any other case of further use, all relevant circumstances and factors must be taken into account
account when deciding what safeguards, if any, can be considered appropriate and sufficient."
33/57 The fact that the company is a sister company of the defendant, in a situational change,
since, from the point of view of Regulation (EU) 2016/679, it was a separate administrator/
[102] According to the accused, the purpose of the statistical analyzes was to observe trends, not to identify them
individuals, and the essence of the matter was to transfer data of a non-personal nature (listed in
of the opinion of 4/ December 2023)/ However, the assessment of whether it is personal data is not dependent on
on the intended purpose, or/ the result of data processing/ The decisive factor in the case under consideration is,
that the accused was handing over data that the company was supposed to process further/ As a result
of this processing, declared by the accused, should have been completely anonymous summary statistics/
However, it cannot be overlooked that the company was given data on the basis of which
this company itself could identify the data subjects, while to evaluate whether
it was personal data, it is not decisive whether she did so or not/
[103] Regarding the commercial activities of the company, the appeal body further states that in the Order
of the data, point 1/1 of Appendix B states that the accused grants the company a "license
to download a copy of the Data (as defined and set forth in the Appendix ! each applicable
Orders) /0/ and to use the Data for the company's business activities
to incorporate the company's products and services in the Reserved Area, especially for use
Data as a whole or to incorporate it into the company's services and to make it available
Data included in the company's services to third parties, specifically customers
of the company According to the appellate authority, it follows that the company
further processed the data it received from the accused, and this data (incorporated into
of its products or services) made available to its customers/the Company thus used
data for your commercial interests/
[104] In this context, it is crucial to assess whether the company processed personal data
data for the purpose of creating statistics/ Statistical purposes, according to Recital No. 162 of the Regulation (EU)
2016/679 “understands any operations of collection and processing of personal data necessary for
statistical surveys or for the generation of statistical results/ /0/ If applicable
for statistical purposes, the result of the processing is not personal data, but summary data, and this
neither the result nor the given personal data is used to support action or decision
relating to a specific natural person”/ According to the !academic dictionary of foreign words with statistics
means “1. numerical recording and investigation of mass phenomena; 2/ branch dealing with
investigation, processing and quantitative characterization of mass phenomena and large
of data sets.” The fact that statistical output is general knowledge, not information
about individuals, is also recognized by the accused in her statement (cf. e.g. point 98/ of the statement of the accused).
As mentioned above, the company offered on its website
the ability to gain "extremely detailed insight into every buyer's journey," which says
that the company did not use the data for statistical purposes/ The Appellate Body admits that
the company could also offer its customers products that contained statistical
results, however, clearly offered (i) data that cannot be considered statistical results
activities/According to the appeal body, it cannot be said that the data were passed on to the company
and further processed only for the purpose of creating statistics/ The Appellate Body agrees
with the accused also in that the statistical result is used for other purposes, i.e. for own
commercial interests/ However, in the case of the company, it was not about the processing of statistics either
on the offering or sale of purely statistical results/ This is also evidenced by the contractual agreement cited above
24Available at https://prirucka.ujc.cas.cz/?slovo=statistika.
34/57 wording that the company is entitled "to use the Data as a whole or to their
inclusion in the company's services and making available the Data included in the services
company to third parties", from which there is no requirement that the Data be before
by such incorporation and disclosure first further modified as might be expected if
The data should really only be used for "statistical trend analysis"/
[105] In her opinion of December 4, 2023, the accused stated that the proclamation
from the company's website cannot be used as evidence, they are not considered
about statements of a marketing nature, which are essentially simplistic and their purpose
It is not descriptive to describe the legal and technical processes used/ Marketing statements would
however, it should not have been misleading or deceptive/It is not clear to the Appellate Body how to interpret otherwise
information that the company was offering "per-click" data, which it wasn't really offering
Detailed user information is not included in summary statistics only/The Accused appears on the market
as a serious company/ The Appellate Body does not find it credible that its sister
the company tried to reach new customers with misleading marketing
statements. In addition, the company's customers at the time included large ones
MNCs (as mentioned above) would easily detect misleading statements.
[106] To the defendant's argument that for the transfer of personal data to the company she would
testified to a legal title in the form of a legitimate interest, the appellate authority states that the duty of the administrator
before starting data processing on the basis of Article 6 paragraph 1 letter f) of Regulation (EU) 2016/679,
first of all, assess whether he has a legitimate interest in this processing, whether this processing is
necessary from the point of view of this legitimate interest and whether above this interest in this particular one
in this case, the interests and rights of the data subject do not prevail (perform the so-called balance test). Considering
to the fact that, according to her statements, the accused was and still is convinced that the company
she passed on anonymous data, she did not perform the balance test properly/ It stands on one side
legitimate interest of the accused/ As the accused stated in the breakdown, this is a commercial interest
and interest in general product improvement and consumer preference survey/
The interests and basic rights and freedoms of data subjects stand on the second imaginary scale
protection of their personal data and privacy/ As described above, internet users
browsers can be re-identified and linked to their internet browsing history
there may be a noticeable impact on their privacy, i.a. because this data could be misused.
If the accused had performed the balance test properly, she would have arrived, according to the appeals body
to the conclusion that its legitimate interest does not outweigh the interests of data subjects.
[107] In the case of personal data processing pursuant to Article 6(1)(f) of Regulation (EU) 2016/679
it is also necessary to take into account whether the data subject can reasonably expect such processing
[see recital No. 47 of Regulation (EU) 2016/679\/ Based on information provided by the accused
(more on that in the section on information obligations) users could expect that the accused
will transfer (share) only anonymous data/ In addition, it was not clearly specified for what
purpose, on the basis of which legal title the data will be shared, and with whom/ If data subjects
they did not have sufficient and relevant information about the processing of their data, they could not have real information
an idea of how data processing will take place and could not reasonably perform such processing
expect/
[108] From the point of view of reasonable expectation, the phenomenon of the considered case is also essential in the relationship between the breadwinners
with the accused, as a provider of anti-virus software/ According to the appellate authority
one of the main reasons users purchase antivirus software is to protect their data
and the associated protection of their privacy/ Self-accused on the screen of the activation process
35/57 trend analysis (as of April 2019) 25 declared that users can be confident that their
privacy will be respected.
[109] The accused CEO stated in an interview for ČT24 26 that he understood
the surprise of users that the transfer of data to the company may have caused, since
not everyone had to read the screen on which they had to confirm the transfer of data (for which the accused
according to his words, she apologized to the users)/ In addition, the appeal body specifies that for confirmation
processing, or consent to processing, took place only from July 2019, until
time (provably since April 2019) users could only click under the displayed information
on the “continue” button/ In this context the Appellate Authority finds it necessary to mention that
users of the antivirus program or the Online Security extension could not expect that
their data will be transferred (sold) to another administrator/ Accused, as a company
offering products and privacy protection, users trusted, therefore may not have been enough
cautious about the information about the transfer of data provided by the accused, since the sharing of data,
which could interfere with their privacy they did not expect/ the CEO accused in the interview further
stated that the news about the company's data transfer caused a certain antipathy on the part of the accused,
i.e. certain loss of trust/ The Appellate Authority states that if the transfer of data to the company
users reasonably expected, and were properly informed about it (i.e. including the sale of data).
informed, they would not be surprised by the news about the monetization of their data / About the surprise of users
the monetization of their data is also evidenced by the fact that due to the collection and sale of user data
information provided by the Dutch organization for consumer protection
a collective action against the company, to which (according to data from the public
of available sources ) was supposed to connect more than 10,000 antivirus software users
from the Netherlands/ By transferring data to the accused company (and third parties) se
28
was also dealt with by the American Federal Trade Commission (Federal Trade Commission), which
among other things, it prohibited the accused from selling internet browsing data for marketing purposes.
[110] Accused in its Opinion of December 4, 2023 on violation of Article 6 of Regulation (EU)
2016/679 described in the Preliminary Findings stated that the decision of the administrative body
of the first instance was found guilty of violating Regulation (EU) 2016/679, which should have consisted
in that it relied on the processing of personal data for the purpose of statistical trend analysis
legal basis of legitimate interest/ From the preliminary findings, the accused should have learned that she had
process personal data without any legal title, which he considers a surprising conclusion/
In the statement of the contested decision, the administrative body of the first instance stated that the accused
was found guilty of processing personal data without a legal title. The appeals body therefore
it is not clear for what reason the accused considers the same (preliminary) conclusion of the appellate body
for surprising/ The Appellate Body admits that the justification relating to the legal title is
in the Preliminary findings (as well as the justification of this decision) significantly supplemented, which
however, it is a response to the defendant's arguments presented in the resolution.
25 Annex no. 5 of document no.
26 Available here.
27
28Available here.
36/57 C. Information obligation
[111] The accused further disagrees with the conclusions of the administrative body of the first instance
regarding the violation of the information obligation/In addition, the accused states that she informed her customers
on the transfer of data for the purpose of statistical analysis/ The accused considers it unfounded
and the formalistic complaint of the administrative body of the first instance that the processed data are
anonymized/ The accused provided this information because she was and still is convinced that
anonymized personal data/ Even if the Office came to the conclusion that the data was only
pseudonymised, the accused is convinced that she has informed her customers sufficiently/According to
the accused cannot expect customers to know the definition of anonymisation and pseudonymisation.
The purpose of Article 13 of Regulation (EU) 2016/679 is to inform data subjects in understandable language,
while everyone understands the concept of anonymization as the removal of identifiers/ In the assessed
case, according to the accused, it was important that users were informed that the accused
"remove everything that could personally identify the customer" (point 136 of the breakdown).
[112] The accused also agrees to the information and analytical data of third parties
did not state what data was processed for statistical purposes/ In the Privacy Policy
data of the company in April 2019 accused, according to its statement, its customers
informed that the URLs of the visited pages will be deleted
of identifiers used for statistical purposes/ According to the accused, the same information cannot still be used
repeat, as the documents would be disproportionately long and it would not be possible to use them
orientate. In the company's April 2019 Privacy Policy, it is in the section
on the analytical data of third parties, it is stated that the accused transfers data that is about users
collects/ What kind of data it collects is indicated in the other relevant places of the Personal Protection Policy
data/ According to her statement, the accused duly informed her customers about the fact that she was collecting
including information about browsing the Internet/
[113] The accused in her statement on April 14, 2020 submitted (annex/5) "screen
of the activation process of trend analysis and privacy settings from April 2019"/ According to the accused
users could object to the processing at any time/ it was displayed to users
the following information. “Almost every piece of software you use collects information about you
activities/ Search engines, games and many more/ We do the same/ Thanks to this we can you
provide better products and services/ But you can trust that we will your privacy
respect. Furthermore, we promise you that we will never share or publish any of your personal information
data outside ! of course no one else will contact you without your consent
marketing purposes/ The information collected helps us meet new people
and interesting trends/ We may share this information with third parties outside However
before we do this, we will remove anything that could in any way personally identify you/ More
information about our privacy policy/If the product is installed
you decide to disable the anonymous sharing of your data with the Company and third parties,
you can do so in the program settings by unchecking the box 'Participate in data sharing'
(emphasis added by the accused)"/
[114] In the Company's Principles of Personal Data Protection (Annex No. 7 to Ref. UOOU-
01025/20-11) it is stated:
[115] “If we no longer need the personal data, we will stop using it or using it
we will limit in accordance with the policy of minimization/ For example, your email, URLs of pages that
you visited and your files are scanned for malware detection and protection/ Then
37/57 we will delete your e-mail address and other personal data, or we will use hashing for any
identifiers, whereby we change the service data into pseudonymized or anonymized data
users of paid services and anonymous data for users of free services than data
about the Services we will reuse for research, analysis, statistics, messaging, development, etc
products, in-product messaging and marketing" (Chapter H/ Data and Services)/
[116] “Statistics that have been anonymized are aggregated data according to
from a geographical point of view, and therefore cannot be used to identify persons, we also share
by third parties for the purpose of trend analysis" (chapter 1/ Objectives of our policy, point 1/7)/
[117] “We may use anonymous browsing data for third-party trend analysis/All
users can turn off data sharing in product settings – Privacy”
(chapter Mobile-Specific Service Data - Web Shields)/
[118] “We pseudonymize and anonymize Clickstream data and reuse it for
cross-product direct marketing, cross-product development, and third-party trend analytics” (Chap
Products and Services and !ntiVirus and for Internet Security).
[119] It follows from the above information that the accused informed the users of her products
about the sharing of anonymous data/ Users were thus not informed that their data was being passed on
personal data, to what extent or to which entities/ It is the same according to the appeal body
insufficient information about the very purpose of data processing/ Stating that "information
they help us get to know new and interesting trends" and "thanks to you, we can
provide better products and services' is too general and doesn't say anything in particular about how
processing is in progress, what data is necessary for processing or who is to be processed
involved. The accused did not even inform the data subjects about what is specifically meant by her
by "trend analysis". Appellate authority even after a detailed study of the information provided
the accused does not find the information about data processing sufficiently clear to the data subjects
and comprehensible, i.e. rather, they cannot be considered sufficiently comprehensible for the average person
user. Moreover, as was demonstrated above, it was not a (purely) statistical activity/
According to the appellate authority, the information on the processing in question was insufficient
and misleading/
[120] The accused also did not properly inform about the legal title on the basis of which she transferred
personal data of the company After all, according to the appeal body, it could not even do so,
they are not accused, she was not, and according to the content of the filed breakdown, she still is not capable of legal title
unambiguously detect/
[121] First of all, the accused considers the transmitted data to be anonymous, the processing of which is
Regulation (EU) 2016/679 does not apply. In the analysis, the accused then argues that the purposes are compatible
processing for statistical purposes according to Article 5 paragraph 1 letter b of Regulation (EU) 2016/679/ At the same time
states that it would also be evidenced by the legal title of legitimate interest according to Article 6 paragraph 1 letter f) of the above
regulation/ From July 2019, the accused introduced consent to the processing of personal data,
although it states that the processed data was completely anonymous (the period from July 2019, however
is not the subject of this administrative procedure)/
29
In July 2019, the accused made it possible to grant consent to the transfer of data for the purposes of trend analysis/ Users were
information is displayed. "Do you want to share your data with us? Other companies may collect your data, but we do not
we do not want. (emphasis added by appeals authority) If you give us permission, we will collect anonymous data about you
computer, network and websites you visit/ It helps us create better products and services for millions
38/57 [122] Regarding the accused's argument that she sufficiently informed the customers about what data
processes for statistical and analytical purposes, the appeal body states that the information was
contradictory and unclear/ If the accused informed about the transfer of anonymous information,
users did not need to read the Privacy Policy in detail
data/In addition to the Personal Data Protection Policy itself, information on collection and transfer
data fragmented in several places and confusing for the average user/ Accused, though
informed the user what data it collects as part of the provision of its products, however already
did not provide sufficient information about exactly what data and for what purpose it was transferring to the company
. In the Privacy Policy, for example, it informed that it will delete the e-mail address
address and other personal data/ Users could thus not know which data was deleted and which
were passed/ Nor could they know how identifiers are removed from URLs,
and had to rely on the accused's information that the data passed on to the company is
anonymous/ After all, the accused objected in the resolution that the Office was using the process of anonymization
did not deal sufficiently/ The accused thus claims on the one hand that from her Personal Protection Principles
data, it is clear enough what data was transferred, on the other hand, he argues that
The office did not ascertain the exact scope of the data transferred, or that it did not deal with the process sufficiently
anonymization.
[123] The appellate body emphasizes that the accused was found guilty of violating Article 13 paragraph 1
letter c) of Regulation (EU) 2016/679, i.e. that at the moment of obtaining the personal data of its customers
did not inform about the purpose of the processing for which the personal data are intended, nor about the legal basis
of this processing/ The use of an incorrect term is not the subject of the appeal body's deliberations
(anonymization or pseudonymization) or other wording, but how the accused personal data in
processed the facts/ The essential thing is that the removal of identifiers did not occur
to the anonymization of data in the sense that it is understood by the public (as stated by the accused in the breakdown), because
(as explained above) the user can be re-identified/ If the accused informed
about the transmission of anonymous data, gave users the false impression that based on the data transmitted
data cannot be identified.
[124] Regarding the obligation to provide information, the appellate body further states that the accused within the scope of provision
informs data subjects of its products electronically/In this case, it was simple
provide individual information in layers/ The user can thus be in one layer first
basic information provided, and if interested in more detailed information can click
to the link on which (in the next layer) he will get detailed information/ The Appellate Body does not agree
with the defendant's argument that if it listed the information in more places, users would
did not orientate in the information provided/
[125] The accused stated in her statement of December 4, 2023 that in accordance with the absorption
the principle should be the violation of the information obligation (second offense) subsumed under
the first offence, or the Office's conclusion on insufficient anonymisation is the basis for both
offences, and the accused should not bear separate responsibility for them/ Principle of absorption
however, it means that a more severe punishment absorbs a milder one, not that the accused should not be further punished
of our users - including you/ This data is aggregated and completely anonymous, so it cannot be used to identify you
identify or trace. We may share it with external partners for market and trend analysis and collection purposes
more valuable information/ If you ever change your mind, you can always change your settings in the app
privacy. (emphasis on the accused)"/ Below this information are the buttons "No thank you" and "I agree" (Appendix
No. 1 statement of the accused from April 14, 2020 reference number UOOU-01025/20-11).
39/57 offenses responsible/ The purpose of joint proceedings on multiple offenses is to impose only one
fine, while the strictest rate of fine for an administrative offense is used to determine its amount
punishable/It is clear from the decision of the administrative body of the first instance (p/20) that the accused was
imposed a fine (in accordance with the absorption principle) for an offense according to §62 paragraph 1 letter b) of the Act
No. 110/2019 Coll., which the accused committed in violation of Article 6(1) of Regulation (EU) 2016/679/
The fact that the accused had committed multiple offenses was assessed as an aggravating circumstance/
[126] Regarding the concurrent violation of Article 6 and Article 13 of Regulation (EU) 2016/679, the accused in her opinion
of December 21, 2023 referred to the opinion of General Advocate Michal Bobek in the matter
YOU ARE! "SS" (C-175/20) in which he stated. “If no clear and predictable legal basis is given which
would ultimately allow such data transfer, it can hardly be expected that it would
the administrator who collected the data has already informed the data subject in accordance with
of Article 13 GDPR"/ According to the accused, it follows from the quoted opinion that "violation of Article 6
automatically includes and thus inevitably means a violation of Article 13 of the GDPR precisely in scope
information on the legal basis"/ In the given case, according to the appellate body, the General arrived
the lawyer came to the conclusion that it was not possible to demand the fulfillment of the information obligation according to Article 13
Regulation (EU) 2016/679, or the administrator in question about the possible further processing of personal data
(about the possible obligation to hand over the required data to the tax administration) he did not know at all (obligation
to pass on personal data was not established by national law)/ In the case now being dealt with, however
it is not the same situation, or the accused knew that she was processing (transmitting) personal data/
The accused also provided information about the transfer of company data to users,
would be incorrect, therefore she was aware that the obligation according to Article 13 of Regulation (EU) 2016/679
applies to her/
IIc. Amount of punishment
[127] Furthermore, the appellate body dealt with the IV/part of the breakdown, according to which it has the contested decision
to suffer from a whole range of defects of the parties to the imposed sentence/ The authority should have decided according to the accused
in fundamental contradiction with its previous practice, to incorrectly apply the criterion of seriousness
and take into account practically only the facts against the accused, while the facts in her
the benefit should mostly be ignored/
A. Compliance with the current decision-making practice of the Office
[128] The accused refers to § 2 paragraph/4 of the administrative order, according to which the administrative body
no unreasonable differences arose when deciding factually identical or similar cases/
In the case under consideration, the administrative body of the first instance, according to the accused, made a decision in the obvious
and fundamental inconsistency with its previous decision-making practice/ The fine imposed on the accused is more
more than 5/000x higher than the sum of all fines imposed by the Office during the three years of the Regulation (EU) being effective
2016/679/ According to the accused, it is hard to imagine that only two months lasting and completely formal
(without any real impact on data subjects) the violation of Regulation (EU) 2016/679 could
to be so much more serious than any other violation of the said Ordinance in its totality/ Further
the accused pointed out that the fine imposed on her is more than 50/000 times higher than the previous highest
fine imposed by the Office/ Relevant difference from the previous decision-making practice of the Office according to
the accused is not even the amount of her turnover/ The accused believes that the reason why the Office imposed on her
diametrically different fine, could consist in the process of international cooperation/ Effort
however, according to the accused, complying with foreign supervisory authorities is not a legitimate reason for
a decision contrary to previous decision-making practice, otherwise the punishment must correspond to the severity
40/57 offense and other relevant factors on the part of the accused, and not the procedural procedure,
which the Office used/
[129] According to the appellate body, the amount of the imposed fine is incomparable with others, previously
imposed fines, for the reason that the act committed by the accused cannot
compare with cases that the Office has dealt with so far/ the Office with similar processing of personal data
not dealt with in the past / The case under consideration is completely unprecedented in the way that the data was
processed, their scope, the number of affected data subjects and the possible impact on
their rights/ In this context, the appellate authority states that the Office would order the accused extraordinarily
a high fine even without discussing the case with other supervisory authorities within the framework of the mechanism
international cooperation according to Article 60 of Regulation (EU) 2016/679/ The entire case and the amount of the imposed fine
according to the appellate body, it is necessary to assess it in the context of so-called Big Tech cases, i.e. cases
large technology companies such as Meta, !mazon, Google, !pple, Whats!pp
or Microsoft, which, like the defendant, have hundreds of millions of customers/In this context, the appellant
for illustration, the authority only adds that Whats!pp was fined 225 million
EUR , which is approximately 16 times the fine imposed on the accused and Meta
Platforms was fined EUR 405 million , more than 28 times the fine of
was imposed on the accused/ Comparison with fines imposed by foreign supervisory authorities is
according to the appellate body, completely relevant, as Regulation (EU) 2016/679 is direct
applicable throughout the EU and fines should thus be awarded according to the same criteria/
In this regard, it is not decisive whether the fine was awarded to the administrators by the Office or another supervisory authority/
Regarding the argument of the accused (stated in the opinion dated 4/ December 2023) that stated
technology companies have a much higher turnover than the accused (the imposed fine is therefore
unreasonable according to the accused), the appellate body states that if the fine had been imposed
according to the Instructions of the European Board for the Protection of Personal Data No. 4/2022 on the calculation of administrative
fines according to GDPR 32 (hereinafter referred to as "Instructions No. 4/2022" - chapter 6/2/) would be imposed
from the company's worldwide turnover for the previous financial period/ According to rec. 150 Regulation (EU)
2016/679, for the purposes of imposing administrative fines on a company, the company should be understood in the sense
of Articles 101 and 102 of the Treaty on the Functioning of the EU/ Court of Justice in the judgment of 5 December 2023 in
Case Deutsche Wohnen, C-807/21, (paragraphs 55.-57/) stated that. "As stated by the Advocate General
in point 45 of its opinion, the reference to the concept of "undertaking" within the meaning of Articles 101 and 102 TFEU, which
is contained in point 150 of the justification of this regulation, it must be understood precisely in this specific context
the context of the calculation of administrative fines imposed for violations referred to in Article 83 par. 4 to 6 regulations
GDPR. In this regard, it should be emphasized that for the purposes of applying the competition rules
according to Articles 101 and 102 TFEU, this term includes any entity that performs
economic activity, independent of the legal status of this entity, causes its financing/
It thus indicates an economic unit, even if from a legal point of view it is an economic unit
composed of several natural or legal persons/ This economic unit is formed
a unified organization of personal, material and immaterial elements that it follows for a long time
certain economic objective (judgment of 6 October 2021, Sumal, C-882/19, EU:C:2021:800, point 41
and cited case law). From Article 83, paragraphs 4 to 6 of the GDPR regulation, which refers to the calculation of administrative fees
30 Available here.https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-
announces-decision-whatsapp-inquiry.
31 Available here.https://www.dataprotection.ie/en/news-media/press-releases/data-protection-commission-
announces-decision-instagram-inquiry.
32Available herehttps://edpb.europa.eu/system/files/2024-
01/edpb_guidelines_042022_calculationofadministrativefines_cs.pdf.
41/57 fines for violations listed in these paragraphs, in this context it follows that if the entity,
by which the administrative fine is imposed, by the enterprise or part of the enterprise within the meaning of Articles 101
and 102 TFEU, the maximum amount of the administrative fine is calculated on the basis of a percentage
of the total worldwide annual turnover of the company in question for the previous financial year."/If
would the appellate body, when calculating the fine, be based on the company's turnover, as defined by the Court
court, the imposed fine would be significantly higher, which would, however, be contrary to the prohibition principle
reformatioinpeius. Change for the worse is prohibited by national law, therefore the appeal body
did not act in a way that would lead to an increase in the imposed fine/
[130] The imposed penalty cannot be considered exemplary/As stated further, the Authority imposed
in accordance with Article 82 of Regulation (EU) 2016/679, the punishment it considers to be effective, proportionate
and deterrent, both with regard to all the circumstances of the case and the turn of the accused/ Above
according to the appeal body, the imposed fine is also fully in accordance with Instructions No. 4/2022.
[131] In her statement dated December 4, 2023, the accused objected that the Office's statement that
the fine was issued in accordance with Instruction/4/2022 does not stand, or at the time of issuing the challenged
decision, these instructions have not yet been issued, although according to the accused it is clear that the Office with them
was notified at the time of issuing the contested decision/ So if the Office proceeded with
determining the fine according to the mentioned instructions, it was, according to the accused, a breach of principles
fair trial and inadmissible retroactive application/ The Appellate Body considers
it is necessary to emphasize at this point that the instructions of the Board serve to ensure that Regulation (EU)
2016/679 was interpreted uniformly/ If the Office states that the fine was imposed on the accused
in accordance with Instructions No. 4/2022, this does not mean any change in the procedure for imposing fines,
but only that the fine was imposed in accordance with Regulation (EU) 2016/679, with the correct
the application of the individual criteria is also confirmed by the subsequently issued instructions/ The fine was therefore imposed
according to Regulation (EU) 2016/679, not according to the instructions of the Board for its interpretation, therefore
cannot act on the inadmissible retroactive application of legal regulations/ If the appeal
the authority came to the conclusion that the subsequently issued Instructions No. 4/2022 interpret Regulation (EU)
2016/679 more favorably for the accused, which did not happen in the case under consideration, the conclusions of the administrative
of the first-instance authority, the appellate authority would correct (it could reduce the fine).
[132] As it was possible to reveal from the "anonymized" data that a particular German judge
is interested in pornography, even in the case under consideration they could be about specific subjects
data, information (even of a very sensitive nature) that can be used is found
(also in the future), and only for targeted advertising and offering relevant products, but
perhaps also for targeted action on specific natural persons/ The Appellate Body is convinced that
the transmission of browsing history (byu incomplete) to third parties may constitute a sensitive
interference with the privacy of data subjects and, in the case of a targeted focus on specific subjects
data may cause them irreparable harm/ The opinion of the accused that she committed only
formal violation of Regulation (EU) 2016/679 without any impact on data subjects, therefore
the appeal body resolutely refuses/
B. Seriousness of Conduct
[133] Here, the accused primarily points to the difference between typical and specific (individual)
the seriousness of the action, while the decision of the administrative body of the first instance is incorrect
33
Compare the article referred to in footnote 12, which the accused referred to in her post on the social network
Twitter.
42/57 take into account the type seriousness as the seriousness of the offence/ On the other hand, the administrative authority
of the first instance, according to the accused, did not evaluate the specific seriousness of the act in question/
However, according to the accused, the purpose of evaluating the seriousness of the conduct is not to assess how it is in general
the given action is typically serious (the legislator has already carried it out), but on the contrary, assess how a given act
(specific conduct) serious in comparison with other violations of the given provision/ Pursuant to
in her opinion, on the contrary, the concrete seriousness of her actions can be assessed as very low, or not
the alleged breach should have lasted only two months and the data subjects were not affected by
rights, because the alleged potential connection of the data sets never happened and could not happen.
According to the accused, the office is effectively punishing conduct for which there is no threat or violation
protected interest did not occur/ Finally, the Office should also have given up on proving a concrete one
number of allegedly affected entities/
[134] However, the accused can be proved right, that, in general, type severity is not possible
expressed in the sanction part of the norm to be taken into account when determining the penalty, this is clearly not the case/
According to Article 83 paragraph 5 of Regulation (EU) 2016/679, a wide range of breaches of obligations can be sanctioned
arising from Regulation (EU) 2016/679, cannot be passed over without noticing that the violation of some
of them makes the act itself in a particular case more serious than the violation of some others/ Thus
this is typically the case in the event of a violation of legal obligations of such intensity that it occurs
to the violation of the basic principles of personal data processing/ It can be stated, for example, that it exists
the principled difference between the short-term exceeding of the deadline for responding to the data subject's request
and violation of the legality of processing in the absence of a legal title to the processing of personal data
of data, even though the orders by classification correspond to the amount of administrative fines above
20,000,000 EUR, or up to 4% of global annual turnover/
[135] On the contrary, a violation of the principle of legality in the form of the absence of any legal title
the processing of personal data clearly represents the most serious type of behavior of the delinquent,
they are not without it, it cannot be a legal processing of personal data/ In the absence of legal
title is fundamentally irrelevant from the point of view of legality, whether and how the administrator fulfills
any subsequent obligations, otherwise this processing is illegal from the very beginning.
Similarly, also professional commentary literature. "The legal title is a condition without which it is not
processing in no case possible, or/ is illegal from the beginning/ Therefore, there must be existence
of the legal title, in addition to determining the purpose of the processing, is always the first thing that the controller must do before the intended one
resolve by processing/ In the event that the administrator does not have a single valid legal title for processing
will not be, the entire processing is illegal from the beginning/ In the event that such processing will be resolved
supervisory authority, it is very likely that they will order this processing to stop and thus
dispose of unlawfully processed data/ At the same time, it should be kept in mind that even in the event that
the controller does not need to obtain consent and may rely on some other legal title,
must properly fulfill all other obligations arising from the Regulation, for example the obligation to provide information
according to Article 13 or 14 of the Regulation/"
[136] The above is confirmed by iInstructions No. 4/2022 (item 62., example 5a), in which it is stated,
that the supervisory authority “gave significant weight to the nature of the breach, not the provisions breached
(Article 6 GDPR) is the basis of the legality of data processing as a whole/ Failure to comply with this
provision, the legality of the processing as a whole is excluded."
34
NULÍČEK, M/, et al/ Article/6 Legality of processing/ In. NULÍČEK, M/, et al/ General regulation on personal protection
data (GDPR). Practical commentary [The !SPI system\/ Wolters Kluwer [cit/ 20237-12]. ASPI_ID 1<032016R0679CZ.
Available in the !SPI/ ISSN System. 2336-517X.
43/57 [137] The fact that the infringement of individual articles of Regulation (EU) 2016/679 is divided
into two categories (Article 83(4) and (5) of the Regulation) according to severity, does not mean that the severity of all
behavior in one category is the same/On the contrary, the more serious the illegal behavior within one
category, the higher the fine may be imposed by the supervisory authorities/ The existence of a legal title is
according to the appellate body, conditio sine qua non, i.e. a condition without which processing cannot take place
of personal data (legally) take place/ Administrative body of the first instance according to the appeal body
quite correctly assessed that the absence of a legal title to the processing is absolutely essential
non-compliance with the terms of personal data processing/
[138] The objection of the accused cannot be accepted even in relation to the justification of the decision to violate
Art. 13 of Regulation (EU) 2016/679/ It is not possible to express consent with the administrative body of the first
degree that, generally speaking, the information obligation significantly affects the general option
full application of the rights of data subjects/ All the more so when it was the absence of any
relevant information about the processing of personal data, its purpose and the absence of other information, on
on the basis of which data subjects would be able to make themselves truly free and informed
decision of the parties of their personal data as required by Regulation (EU) 2016/679/
[139] The question of duration and the related seriousness of actions is a relative question, not this one
the period must be evaluated with regard to other circumstances of the case/ It can be stated that two months
although they do not represent an extremely long period of time, nevertheless, in the considered matter, they cannot be considered
for a short period of time/ As the administrative authority of the first instance correctly stated, with regard to the intensity
violations and the number of affected subjects, this time cannot be definitely evaluated as mitigating
circumstance, or even a single day would be significant/ It is then undecided whether to real
connection of datasets or other specific identification of data subjects has occurred/ In this context
above all, it is necessary to remind that the legislation on the protection of personal data does not duplicate
ex post protection of personality according to the Civil Code/ Existence of protection legislation
personal data, on the other hand, primarily pursues the purpose of preventing possible misuse of personal data
and for this purpose establishes a number of personal data processing principles, including the requirement
have a valid legal title, data minimization, technical and organizational
measures, etc., in such a way as to minimize the potential risk, perhaps even only
of potential, misuse/ Simply put, to commit an offense under Regulation (EU)
2016/679, it is sufficient that the rights of data subjects have been threatened (threatening delict), i.e. it does not have to
realistically interfere with their rights by unauthorized processing of their data (this would, after all
could be assessed as an aggravating circumstance)/ The Office therefore dealt with the case under consideration
primarily as a result of an offence, which is understood as a threat to an interest protected by law, not
its effect. The appellate body does not blame the accused for having interfered with rights
individual data subjects, but that it cannot be ruled out (it is not certain) that this did not happen,
or the subject data sets containing personal data have been transferred (sold) to a third party/
[140] The administrative body of the first instance stated in its decision that the duration of the offense se
managed to prove to the extent stated in the statement of the decision, he then stated that for the purpose
determination of the seriousness of the act took into account the nature of time limitlessness
the beginning of the accused processing, but not the actual time preceding the proven one
(decisive) period/ It follows from the contested decision that the administrative body of the first instance
he considered that the processing "did not begin limitedly at the beginning of the proven time, but until the time
proved to have entered as 'running'"/ From the contested decision according to the appellate authority
it clearly follows that the accused was found guilty and fined for the violation
obligations of the administrator of personal data in the period "from an unknown day in April 2019 to
44/57 of an unspecified day in July 2019"/ The administrative body of the first instance explicitly stated that when
determination of the seriousness of the conduct was not taken into account earlier processing, but only the character
unlimited time limit for the beginning of the criticized processing/ The appeal body agrees with the administrative one
by the authority of the first instance, that it is impossible to determine the exact date of the beginning or end of the subject matter
processing, therefore the time of the offense is limited by month and year, not exact
date. The accused's activity did not occur before April 2019 or after July
2019 is not the subject of this proceeding, therefore the appeals body did not consider it/
[141] Regarding the counts of specifically (potentially) affected data subjects, the appeal body
it primarily reminds that the legal regulations consider actions that affect the byu to be sanctionable
even a single data subject/ Possible quantification is then important above all in context
with the assessment of the punishment for this action from the point of view of its seriousness — and this is how the number of affected or
of potentially affected subjects of personal data by the actions of the accused reliably ascertained as
enormous, i.e./ making the illegal act serious from a quantitative point of view/ To this
the conclusion can then be cited from the judgment of the Supreme Administrative Court of January 31, 2019, file no. stamp
9 As 380/2017: "It is clear that it would be a disproportionate burden on the defendant if he had to
for the purposes of delimiting the deed accurately to units to enumerate the number of affected data subjects/ That would
of course, it was appropriate in situations where the delict concerns a single or several individuals
of data subjects, or when a more accurate number can be ascertained without incurring disproportionate costs
effort (e.g. if personal data is processed automatically and is therefore accurate
quantified)/ In general, however, it can be expected that precisely in the sphere of compliance supervision
regulations in the field of personal data protection, which are usually processed en masse, will
situations often arise where the affected personal data, data subjects and other circumstances will
defined only by species with a reasonable estimate of their number (and of course also their
of kind)/ The Supreme Administrative Court certifies the reasoning of the contested judgment, in which the
others state that "in relation to the consideration of the seriousness of the plaintiff's illegal conduct, the court does not consider
as necessary that the number of subjects of personal data affected by the actions of the plaintiff is completely accurate
Enumerated 'into one', ordinal determination that there were thousands of subjects - due to the number
units managed or owned by the plaintiff, which are enumerated in the statement of the decision -
is, in the opinion of the court, completely sufficient for consideration of the seriousness and scope of the illegal act"/
As stated above, the transfer of data to the company related to data obtained from
roughly 100,000,000 devices/ One device can be used by multiple users and so can one
a user can use multiple devices, so it's impossible to know exactly how many, according to the appeals body
of customers accused of data transmission/ However, the Appellate Body agrees with the conclusion
administrative authority of the first instance, that the number of affected data subjects was enormous/
[142] As the administrative body of the first instance correctly stated, the processing of personal data was
part of the professional activity of the accused, i.e. in connection with her business activity, while
it was a systematic, not random, activity/ The personal data of the accused customers were
processed through information technology/ About this sophisticated processing
the accused informed her customers only very superficially, moreover in a misleading way/ Pro
it was practically impossible for the data subjects to find out (verify) what data is being transferred and for what purpose
purpose, and thus had to rely on the information of the accused, as a professional in the field,
whose products are used to protect data privacy/Users cannot know that the accused
transmits (sells) data that is not anonymous, nor that it can be identified and thereby
to a fundamental intervention in their privacy / The subject data processing could not customers
the accused to expect and thus could not defend their rights/ The purpose of the illegal in question
the processing was then the support of the business activity of the accused, i.e. making a profit/ Regarding
45/57 scope, the appellate body emphasizes the international, practically global character of the subject matter
processing (the accused offers its products in more than 150 countries of the world)/
[143] Harm caused to data subjects is impossible due to the large number of those affected
examine subjects individually according to the appeal body/ As already stated above,
the actions of the accused have endangered the privacy of data subjects, with impacts on rights
of individual entities may manifest themselves only in the future. After all, it cannot be stated with certainty that
that the users were not identified, nor that they were not or are not based on their knowledge
preferences or behavior however targeted/
C. Additional criteria for determining the amount of the fine specified in Regulation (EU) 2016/679
[144] According to the accused, the Office took into account (often incorrectly) all the circumstances that were in her
disadvantage, but ignored (with one exception) the circumstances that were in her favor or
he did not look at them without justification/
[145]
In January 2020
a number of Czech and foreign media reported that the accused was selling her data
of the company's customers (some of these articles are part of the official record
ref/ UOOU-01025/20-3 dated 27/ February 2020)/ The Office by the mentioned press release only
responded to this media case, with the aim of informing the public that he registered this case, and that
will deal with it/ The appeal body is convinced that it had a negative impact on the accused
publication of information in the media, and not the press release of the Office/ This is evidenced by the fact that
the value of the accused shares on the Prague Stock Exchange fell significantly even before that press release was issued
(for example, on the website of Czech Television in an article entitled
[146] Individual circumstances, the incorrect consideration of which when deciding on the amount of administrative
fines objected by the accused, the appellate body assessed as follows/
a) Fault
[147] As the first relevant criterion, the accused indicated culpability, i.e. whether a violation had occurred
intentionally or negligently [Article 83 paragraph 2 letter b) of Regulation (EU) 2016/679\/ The accused
stated that culpability has two components, namely knowledge and volition/ Decision of the administrative body
the first degree of culpability states that the accused knew what she was doing and therefore acted deliberately/Alone
35
Available here.
.
46/57, however, according to the accused, knowledge means negligent culpability/ Intentional culpability only
the knowledge component is not enough and the free component/ !rgument of the first administrative body is also necessary
degree that the accused acted within the framework of her business activity, she cannot, according to the accused
be sufficient to meet the high evidentiary standard for intentional wrongdoing/ Administrative Authority
at the same time, according to the accused, it does not refer to any fact that would
at least indicated, let alone proved, the accused to violate the provisions in question/ Furthermore
the accused stated that she acted in an excusable legal error (error iuris), which she excludes
culpability, as the accused anonymized the transmitted data and did not know that she was transmitting personal data
data/ In its supplementary opinion of December 21, 2023, the accused is subjective
culpability pages referred to the latest judgments of the Court of Justice of the European Union on the matter
Nacionalinis södertättää centras (C-683/21) and Deutsche Wohnen (C-807/21), both from
on 5/ December 2023/
[148] According to the mentioned recent jurisprudence of the Court of Justice (C-683/21 and C-807/21) it may be
the administrator is fined for violating Regulation (EU) 2016/679 only if this
committed the violation culpably, i.e. intentionally or negligently, while in the case of legal entities
persons, it is not necessary for the violation to be committed by its governing body, or for the latter to be informed of this violation
the authority knew/ In the judgment of the Court of Justice (C-683/21, point 81) it is further stated that
“As regards the question of whether the breach was intentional or negligent, and whether it is therefore possible for
to impose an administrative fine on him according to Article 83 of the GDPR regulation, it is necessary to further specify in this regard,
that the administrator can be sanctioned for actions falling within the scope of the GDPR regulation if
this manager could not have been unaware of the illegal nature of his actions, regardless of whether he knew
whether he did not know that he was violating the provisions of the GDPR"/
[149] No specific definition can be found in European law or in the jurisprudence of the Court of Justice
intention and negligence, while the interpretation of these concepts in the judgments of the Judges is not always complete
consistent and unambiguous/ According to the Corps Instructions (WP 253) for application and determination
of administrative fines for the purposes of Regulation 2016/679 (page 11), "intention" means knowledge and arbitrary
conduct, where "unintentional" means not intended to cause a breach, even if the controller,
or/ the processor, violated the duty of due care required by law/ the Instructions given
expressly state that “deliberate violations that show contempt for the law are more serious than
unintentional, and therefore may rather be grounds for imposing an administrative fine/ /0/ Among the circumstances
indicating the intentionality of the breach could include illegal processing carried out
with the express approval of the trustee's senior management or despite the trustee's recommendation for
protection of personal data or regardless of existing policies, such as the acquisition and processing of data
about the employees of a competitor with the aim of discrediting this competitor in the market/ It can go further
for example by the following. altering personal data in order to create a false (positive)
appearance of meeting goals /0/, trading personal data for the purpose of marketing, i.e./ selling
data in a manner as if it was done with consent, even though the data subject was not asked
as if he should dispose of them, or regardless of his guest's place of residence/" Circumstances suggestive
negligence The WP 253 Guidelines list “for example, failing to study and comply with existing policies,
human factor failure, failure to check personal data in published information,
failure to implement technical updates or policies in a timely manner (rather than their simple
non-implementation)/ Businesses should be responsible for introducing adequate structures and resources
the nature and demands of their business/ Administrators and processors therefore cannot justify
violation of the Personal Data Protection Act by claiming a lack of funds/" Procedures
and documentation of the processing activity follows a compliance risk assessment approach
47/57 with the regulation/ This concept of intent and negligence is also adopted in the following Instructions of the Corps
No. 4/2022 (Chapter 4/2/2/)/
[150] According to § 15 paragraph 2 letter b) of Act No. 250/2016 Coll., the offense is committed intentionally,
if the offender knew that the negotiation could violate or threaten an interest protected by law,
and in case he violates or endangers it, it was understood (intention indirect)/ As it was already
stated above, the accused knew that the data she sold to a third party could be used again
assign to specific data subjects, i.e. that it is personal data/ The accused, however
did not take sufficient steps to ensure that the data subjects could not be identified and did not
to encroach on their privacy/ Contractual prohibition is not possible in the context of an imminent encroachment on the subjects' rights
data as a sufficient measure/ Due to the way personal data is processed
the accused could not verify how the transmitted data is further processed, nor
detect whether the re-identification of data subjects is actually taking place, and it could not
and effectively prevent/Others cannot be overlooked either that the company its customers
on its website, it basically encouraged the linking of data obtained from it
with the customers' own databases, which could have occurred (by these customers
even unintentionally) to identify the users of the anti-virus software of the accused/ As stated by the accused in
in its opinion of December 4, 2023 (item 33), the company had more data
sources/ By combining data from different sources, the Company could data subjects
identify/
[151] Encroachment on the privacy of data subjects (violation or threat to an interest protected by law)
according to the appellate body, he was apparently not the accused's primary target in selling the company's data
I would not necessarily be concerned with the aforementioned adverse impact on the rights of data subjects
occur, according to the appeals body, it should be seen as a side effect of the perpetrator's actions,
while the accused was aware of this consequence/ If the invasion of privacy was the purpose
processing, then it would be a direct intention, which would constitute an even more serious violation
Regulation (EU) 2016/679/ The Appellate Body considers it proven that the accused knew that based on
the data transmitted to the company can be re-identified by the data subjects, and was
with the understanding that users' privacy may be affected/Appeals at this location
emphasizes that any contractual prohibition of re-identification of data subjects does not make them personal
data data anonymous/
[152] The above-mentioned conclusion of the appellate body is also confirmed by a former employee of the accused
in an interview for ze, in which he stated that unpersonalized
the data transmitted by the accused can be personalized relatively quickly, while some
the accused's employees knew about it, warned the accused about it, and some even left because of it/
To the objection of the accused stated in the opinion of 4/ December 2023, that
in said interview, he did not describe the tools needed to re-personalize the data or whether
they were available to the company, the appellate authority states that the statement is
stated only in the context that it confirms the conclusions reached by the appellate body/
On the basis of the said interview, the appellate body does not explain how it could
the company data subjects identify/
[153] In Instructions No. 4/2022 (item 55/, example 4) there is a circumstance indicating an intentional violation
the example given is "trading personal data for the purpose of marketing, i.e. selling data
36
Available here.
.
48/57 as if it were done with consent, although the data subject was not asked how
were to be dealt with, or regardless of his opinion/“/ In the case now under consideration
although it was not primarily a matter of selling personal data for direct marketing purposes, it was nonetheless
on trading with personal data that could be used for marketing purposes (from history
viewing it was possible to find out the interests and behavior of the data subjects, and it was possible to offer them
products and services corresponding to their interests)/ In the case under consideration, they are not according to
of the appellate body decisive marketing purposes, but the fact that it was a sale of personal data,
while the accused completely ignored the opinions of the data subjects/ the accused gave to the subjects
data, the option to choose not to transfer their data (opt-out)/
to insufficient fulfillment of the information obligation (accused by the data subjects in general
did not inform that their personal data was being traded or how their data would be
hereinafter specifically used), it cannot be considered a real choice, since users
decided on the basis of incomplete or misleading information/ The appeals body is therefore
convinced that the conclusion about the intentional conduct of the accused is in accordance with the instructions of the Corps/
[154] Regarding the alleged excusable legal error, the appellate body states,
that the accused acted intentionally and knew that her act was illegal/ Even if this was not the case,
the accused is a privacy protection company whose relationship with its users
of antivirus products is, by its very nature, based on trust, which is assumed to be high
expertise and ethical level of her behavior/ The accused had before the transfer of data
company (i.e./ before starting the processing of personal data in question) very
carefully assess whether it is really anonymous data, as she must have been aware that
that in the case of transferring data that could be assigned to specific users, in addition
to such a large extent, there could be a sensitive principle to the privacy of data subjects/
The accused could thus make the alleged legal mistake if she made sufficient efforts
avoid/ The appellate body therefore states that the accused could not act and did not act
in an excusable legal error/ Moreover, according to § 17 paragraph/ 1 of Act No. 250/2016 Coll./ it does not act
culpably, the one who, when committing the offense, did not know that his act was illegal, if he could not have made a mistake
to avoid/ The cited § 17 is included in Chapter II/Act No. 250/2016 Coll. regulating liability
natural person for a misdemeanor/ Title III/ regarding the liability of a legal entity for a misdemeanor
does not mention the institute of legal error/ The institute of legal error is therefore in Act No. 250/2016 Coll.
explicitly addressed only in relation to natural persons, not legal entities/
[155] At this point, the appellate body considers it necessary to remind that the accused
provides software intended to protect the privacy of its users/ From the accused, as
from an expert in the information and cyber field, an extremely high level of orientation is thus expected
in the area of personal data protection/ The accused was aware of the risk of data processing, or/
difficult to achieve complete anonymization of data (especially in a very rapidly developing
technological environment), nevertheless decided to monetize the data about its users above
in the manner described/
b) The level of responsibility of the administrator, taking into account the technical and organizational ones introduced by him
measure
[156] According to the accused, the administrative body of the first instance should have taken into account when evaluating the case according to
Article 83 paragraph 2 letter d) of Regulation (EU) 2016/679 introduced technical and organizational
measures/ The accused has at least pseudonymised the transmitted data (in her opinion, it is
anonymized)/Pseudonymization is listed in Article 32 of Regulation (EU) 2016/679 as one
49/57 of the methods of securing personal data, that is why the administrative body of the former had a pseudonym
grade as a mitigating circumstance/
[157] The appellate body agrees with the accused that the administrative body of the first instance should have evaluated her
adopted technical and organizational measures, although the subject of this procedure is not a violation
obligations arising from Articles 25 and 32 of Regulation (EU) 2016/679/ As already mentioned above,
the accused did take certain measures, consisting in removing some identifiers from the URL
addresses (name, surname, e-mail address, etc.), or in a contractually prohibited re-use
identification of data subjects, however, these measures were not sufficient to make it possible
to consider the transmitted data as anonymous/ The accused at the same time even at the request of the appeals body
did not provide information from which the appellate body could draw the conclusion that the measures taken
was sufficient/ As follows from Instructions No. 4/2022 (item 81.), the adoption of technical and organizational
the measure should be considered a mitigating circumstance only in exceptional cases when
the manager goes beyond his duties/ In general, however, the level of responsibility of the manager will be
considered an aggravating or neutral factor/ In the considered case according to the appellant
body, the accused took certain measures, which could make it difficult (but not impossible) to re-offend
identification of data subjects, therefore the degree of responsibility of the administrator is considered by the appeals body
as a neutral factor/ The Appellate Body, like the administrative body of the first instance, did not evaluate it
the degree of responsibility charged as an aggravating or mitigating circumstance/
c) Prior Violation
[158] According to the accused, it should have been taken into account that the accused had not yet been punished
for illegal conduct in connection with the processing of personal data/ According to the accused
by default, in the case of the offender's first illegal act, punishment is waived or imposed
penalty at the lower limit of the legal rate, or can it be expected that the warning itself (or minimal
punishment) will deter the offender from future wrongdoing.
[159] Even on this point, the appellate body did not find the accused statement relevant/ If it turns out
appeals body from the diction of Article 83 paragraph 2 letter e) of Regulation (EU) 2016/679, then this stipulates
the obligation to take into account all relevant previous violations by the administrator or processor.
The European legislator only reflects here that recidivism in general in itself is objectionable
aspect of the offender's personality and testifies to the insufficient corrective effect of the previous one
measure, which must be taken into account in the amount of the penalty. Absence of prior violation is not
envisaged by the said provision as a mitigating circumstance, while neither the appellate authority
he did not come to the conclusion that in such a serious and socially harmful act, there should be
fundamentally taking into account that this is the first administrative penalty imposed on a specific administrator or
to the processor within the competence of the administrative authority/Regulation (EU) 2016/679 (as well as any
other generally binding legislation) is based on the assumption that its addressees, i.e. in this
administrators and processors, if applicable, will comply with their obligations arising from it. That's why it would
the fact that he has not yet been punished for his violation should not be considered mitigating
circumstance.
[160] The above-mentioned conclusion also follows from Instructions No. 4/2022 (point No. 94), in which it is stated that
the existence of previous illegal acts can be considered aggravating when calculating the fine
circumstance/ However, the absence of previous violations cannot be considered a mitigating circumstance,
or compliance with Regulation (EU) 2016/679 is the norm/
50/57d) Category of personal data
[161] According to the accused, the administrative body of the first instance should also have taken into account the fact that
the unauthorized processing did not concern a special category of personal data/ According to the accused, it is not possible
to claim that the action in question is as serious as if there was special processing
data category/
[162] The appellate body of the accused disagrees with this conclusion/ Prohibition of processing without
of the relevant legal title, or proper notification of this processing, applies
generally to any personal data/ Other (stricter) conditions set by regulation (EU)
2016/679 for the processing of special categories of data represent a specific superstructure
processing of "standard" personal data/ Processing of special categories of data would s
considering their sensitive nature was undoubtedly a criterion that fundamentally increased the harmfulness
of the conduct under consideration/ This does not mean, however, that illegal processing "only
of standard" data without these characteristics was a mitigating circumstance/ It would be
found only as not an aggravating circumstance, as the administrative authority of the first instance correctly
evaluated.
[163] The same conclusion follows from Instructions No. 4/2022 (point 57), in which it is regarding the requirement
to take into account the category of personal data concerned [Article 83 paragraph 2 letter g) of Regulation (EU)
2016/679\ stated that the regulation clearly emphasizes the types of data (data covered by art. 9
and 10 of the said regulation) which deserves special protection and therefore a stricter response, as far as it goes
for fines. According to the appellate authority, it cannot be inferred from the above instructions that they were unjustified
the processing of only "standard" personal data should have been extenuating circumstances/ On the contrary,
illegal processing of a special category of personal data is assessed more strictly/
e) The manner in which the Office became aware of the meeting
[164] The administrative body of the first instance states in the contested decision that the subject matter
The Office found out about the meeting from the media/ According to the accused, this is not true, as all his data
operations, including the transfer of anonymized data to the company for the purpose
statistical analysis, she notified the Office already on August 1, 2018. According to her statement, the accused
she could not report that she was committing an offense because she did not know about it (and still with this conclusion
does not agree)/Accused deleted because they have notified the Office of all relevant factual information yet
before the start of the local administrative proceedings/ Reports on the case in the media then according to
the accused only drew attention to the whole matter and induced the Office to take certain action/ The fact that
the Office learned relevant information about the transfer of data to the company from the accused, by
according to her, he should have taken into account as a mitigating circumstance/
[165] When assessing the circumstances according to Article 83 paragraph 2 letter h) of Regulation (EU) 2016/679, it is possible
take into account how the supervisory authority became aware of the violation, in particular whether the administrator or
the processor reported the violation, and if so, to what extent/ As the accused states in the breakdown,
She did not report the violation of Regulation (EU) 2016/679 to the Office/ It is true that the accused as part of the control
maintained under sp/ stamp/ UOOU-07166/18 with a note dated August 1, 2018, informed the Office that it was handing over
the company's data, however, it stated (in fact, as it claims so far) that it is data
anonymized/ The Authority had no indications at the time that the allegations accused in any way
questioned, that is why he did not deal more closely with the transfer of anonymous data/ !ž on the basis
information from the media and from the complaint dated February 22, 2020, the Office suspected that the accused
transferred personal data to the company, not anonymous data/ Appeals body so
51/57 reached the same conclusion as the administrative body of the first instance, i.e. that the way in which
became aware of the violation, cannot be considered a mitigating circumstance/ In accordance with Instructions No. 4/2022
(point 99.) the appellate body evaluates this circumstance as neutral/
f) Previously ordered measures
[166] The accused further objects in the statement that the administrative body of the first instance in the challenged
the decision did not take into account the criteria set out in Article 83(2)(i) of Regulation (EU) 2016/679, i.e.
fulfillment of the measures that were previously ordered to the accused in connection with the same subject/ !anything
the accused agrees that corrective measures in the sense of Article 58 paragraph 2 of Regulation (EU) 2016/679
against the accused, the Office did not issue, it believes that the administrative body of the first instance neglected the fact,
that the accused completely complied with the Office's requests that it sent to her as part of the "preparatory proceedings" before
by initiating administrative proceedings, which led to the Office of proceedings for the imposition of remedial measures
did not initiate/ According to the accused, the measures were not imposed, but only due to the fact that the accused
cooperated with the Office/ If the fulfillment of previously imposed measures is an extenuating circumstance, by
rather, according to the accused, the mitigating circumstance is the fact that the correction took place even without the deposition
of these measures/
[167] Pursuant to Article 83(2)(i) of Regulation (EU) 2016/679, the supervisory authority shall take into account
fines for the fulfillment of measures that were against the given administrator or processor in connection with the same
subject matter previously ordered/ As the accused herself states, the Office did not take any measures against her
imposed/ According to the appeals body, it is not possible to evaluate the fulfillment of an obligation that was not imposed/
At the same time, as already mentioned above, control under sp/ stamp/ UOOU-07166/18, on the basis of which
the accused voluntarily accepted the legal measures, it was not aimed at the transfer of personal data
company, because the Office did not know that personal data were being transferred/ According to the appellant
for the authority, the condition of the same subject of proceedings is not met/ Administrative authority of the first instance
assessed the circumstance according to Article 83 paragraph 2 letter i) of Regulation (EU) 2016/679 correctly as neutral/
According to the appeal body, this conclusion is fully in accordance with Instructions No. 4/2022 (point 102/),
in which it is stated that compliance with previously ordered measures (which in this case neither
has not been mandated) is mandatory for the controller or processor, and should not be on its own
considered a mitigating circumstance/
g) Character of the company
[168] According to the accused, the drafters of Regulation (EU) 2016/679 apparently did not intend for the amount
fines the relevant nature of the administrator, otherwise they would have stated it in the regulation/ Accused according to their own
statement provides an anti-virus program, while not disguising that its services are connected
with trust from clients, however, this applies to a whole range of other services/ Accused then
emphatically rejects the claim of the administrative body of the first instance that she should have disappointed the trust of her colleagues
customers when, without their knowledge, it transmitted anonymized data for the purpose of analyzing trends/
The accused properly informed her customers, moreover, nothing can be done from trend analysis
illegitimate, as it is a socially beneficial activity (enables to improve services
and general customer comfort) that most internet companies do/
[169] In addition, the appellate body primarily states that according to Article 83 paragraph 2 letter k) of Regulation (EU)
2016/679 the supervisory authority to take into account any other aggravating factors when deciding on fines
or a mitigating circumstance relating to the circumstances of the given case/ Instructions No. 4/2022 (point
109/) state in this context that the aforementioned provision intentionally leaves room for
52/57 discretion of the administrative body regarding the economic and social situation in which the administrator or
processor operates, legal situation and market situation/Assessment of character (business activities)
company (accused) and the products offered by it (i.e. that economic
social and market context) is, according to the appeal body, necessary to include in the assessment
circumstances that may affect the amount of the fine/ The accused creates and offers products that have
to protect the information and privacy of their users, in the considered case in the online environment
(Online Security product)/ Users both from the accused and from a professional in the field
data protection, customers expect, among other things, an above-average level of protection of their personal data
the accused gave her access to their data, as they assumed that their confidentiality would be maintained/
Using the tools, the accused wanted the users to prevent unauthorized use of their access
data, or at least minimize the risk of such misuse or unauthorized access/
However, the accused endangered their privacy in a very dangerous way/
Although the accused allowed users of antivirus software and its Internet expansion
browsers to refuse the transfer of data to the company, insufficiently to the user
informed about what data is being transferred/ The Appellate Body is convinced that the transfer would
far fewer users (if any) would have consented to data if they knew it was being transmitted
their personal (not anonymous) data/ The essential aspect according to the Appellate Authority is that
the accused handed over the personal data of the users, which she obtained precisely in connection with the provision
of antivirus software/Don't even want to overlook the fact that the accused under the Data Order
sold this data to the company, i.e. passed it on for the purpose of making a profit/
[170] The European Board for the Protection of Personal Data also applies in its decision-making practice
provision of Article 83 paragraph 2 letter k) of Regulation (EU) 2016/679 "fundamental importance for adaptation
the amount of the fine to the particular case", while "it should be interpreted as an example of the principle
impartiality and justice applied to a specific case" 37 (unofficial translation)/ Sbor
also stated that Article 83(2) of Regulation (EU) 2016/679 does not represent an exhaustive list
evaluation criteria that the supervisory authority must take into account when determining the amount of the fine, so that the fine
was effective in each individual case in accordance with Article 83 paragraph 1 of the aforementioned regulation,
adequate and dissuasive/ The appeal body is the same as the administrative body of the first instance
evaluates the nature of the accused's conduct as an aggravating circumstance/
h) Duration of proceedings
[171] According to the accused, the administrative body of the first instance should have taken into account the disproportionate length
proceedings/ The consequence of the long administrative proceedings (over two years) is that the sanction lacks a corrective one
and motivational effect, if they are not, the accused cannot project the result of the proceedings into her own in any way
practice/ The accused voluntarily rectified the alleged deficiencies and the imposed fine is thus waived
with the individual preventive purpose of administrative punishment/ The unreasonable length of the proceedings is according to
accused by one of the criteria taken into account in sentencing in criminal proceedings, whereas
the principles of criminal law are also appropriately applied within the framework of administrative punishment/ The length of the proceedings is according to
accused also relevant for decision-making according to Regulation (EU) 2016/679/ The accused points to
37 Binding decision of the Board No. 3/2022 on the dispute submitted by the Irish supervisory authority regarding the company
Meta Platforms Ireland Limited and its Facebook services [Article 65 of Regulation (EU) 2016/679\, point 368/. "The EDPB
considersthisprovision"of fundamentalimportanceforadjustingtheamountofthefinetothespecificcase"and
that "it should be interpreted as an instance of the principle of fairness and justice applied to the individual case"/
The EDPB recalls that Article 83(2) GDPR contains a nonexhaustive list of assessment criteria to be considered, if
appropriate, by the LSA in determining the amount of the fine corresponding to what is necessary to be effective,
proportionate, and dissuasive in accordance with Article 83(1) GDPR."
53/57 decision of the Norwegian Privacy Board (Personvernnemnda), which canceled the fine imposed
by the Norwegian supervisory authority due to the unreasonable length of the proceedings, which lasted almost three years/
At the same time, Personvernnemnda stated that if he did not cancel the fine, he would recommend it to the supervisor
office its reduction/
[172] The Office admits that the administrative procedure took a relatively long time/ Significant influence on the length of the procedure,
both before the administrative body of the first instance and before the appellate body, had complexity
of the entire case/ As the appellate authority has already stated above, the case under consideration is, in terms of method
processing of personal data and its extent in the Office's decision-making practice, completely
unprecedented/ Accused in the proceedings for dissolution of her claims regarding the anonymization of data
(contrary to the principle of responsibility) did not provide evidence in any way and refused to provide
The requested information authority/appeal authority must therefore assess all the circumstances accordingly
of a complicated case without the cooperation of the accused, which led to delays/
[173] It follows from the administrative file that the Office was not inactive in the matter/ The accused applied extensively
her procedural rights (numerous access to the file), she submitted many statements and repeated requests
on the extension of the deadline for individual procedural actions/ The fact that the Office also contributed to the length of the proceedings
in the course of it, he decided on the accused's motion to order an oral hearing (resolution
on the rejection of the motion No./ UOOU-01025/20-43, decision on the rejection of the accused
ref/ UOOU-01025/20-81) and about the accused's request to inspect all records
from the cooperation mechanism according to Article 60 of Regulation (EU) 2016/679 (resolution on non-compliance with the request
ref/ UOOU-01025/20-61, decision on rejection of the decomposition of the accused ref/ UOOU-01025/20-82)/
The length of the proceedings before the administrative body of the first instance and before the appeal body was also
influenced by the cooperation mechanism with other supervisory authorities according to Article 60 of Regulation (EU)
2016/679, as both the draft decision of the administrative body of the first instance and the draft decision
on the breakdown of the accused was submitted to the other concerned supervisory authorities/
[174] The appellate body disagrees with the accused's view that the fine imposed is lacking
individual preventive function of administrative punishment/ The individual preventive function of punishment has
deter the offender from further violations of the law in the future/ In addition
the individual preventive function is not the only function that the administrative punishment is supposed to fulfill/
In the case under consideration, the preventive function cannot be disregarded, especially the individual one
or general, nor from the function of repressive/
[175] On the defendant's argument regarding the decision of the Norwegian Privacy Board, the appeal body
states that he completely agrees with the administrative body of the first instance that the said decision is
irrelevant to the meaning and scope of the accused's conduct, which is the subject of this proceeding/ Appeal
the authority also points out the fact that the Office is not bound by the decision of another supervisory authority
office, which in the proceedings conducted by it in accordance with Regulation (EU) 2016/679 and its national
legal regulations reduced or canceled the fine due to the unreasonable length of the proceedings/
i) Newness of the relevant regulation
[176] According to the accused, the fact that the incriminated conduct should have been taken into account
it took place only one year after the effectiveness of Regulation (EU) 2016/679/ It should have played a significant role
the novelty of the legislation in question and the technical complexity of the relevant processes (necessity
create complicated technical solutions)/ According to the accused, this approach is also confirmed by earlier ones
statement of the Office, which itself emphasized that the goal of its activity in the initial phase of effectiveness
54/57 Regulation (EU) 2016/679 will primarily achieve a compliant state and not a punitive one
progresses.
[177] At this point, the appellate body can only express a certain degree of surprise or even
concern about the possible activity of the accused prior to the applicability of Regulation (EU) 2016/679/
The necessity of having a valid legal title to handle personal data, or theirs
processing, is the very basic principle of the legal regulation of personal data protection and in general
any interference in a person's personal sphere, and this was unconditionally valid in essence
in an unchanged form according to Act No. 101/2000 Coll., on the protection of personal data and on the amendment
of certain laws, which transposed Directive 95/46/EC into the Czech legal order. 38
Similarly to Regulation (EU) 2016/679, Act No. 101/2000 Coll. on the processing of personal data
on the existence of available legal titles on the part of the administrator and related performance
other obligations, including the obligation to provide information/ It is possible to accept eventual discussions about small matters
nuances between dictions of individual legal titles according to § 5 par. 2 enacter/101/2000 Coll.
paragraph 1 of Regulation (EU) 2016/679, however, from the point of view of the context of the matter, the differences are completely
irrelevant/ The same applies in the case of the definition of personal data/ After all, you are the accused yourself
obviously she must have been aware of these obligations, or else in point 200 of the breakdown she explicitly refers to
to and knowledge of personal data protection regulations effective before Regulation (EU) 2016/679
confirms when it is invoked to take into account the absence of any penalty for their violation/
In any case, it is not possible to come to the conclusion that in connection with the criticized conduct
was any new regulation worthy of special attention/
[178] Beyond the breakdown, the appellate authority states that it agrees with the administrative authority of the first
degree assessed as an aggravating circumstance the fact that the accused committed in connection with the same
the subject of personal data processing as well as a violation of another provision of Regulation (EU) 2016/679,
specifically Article 13 paragraph 1 letter c) As an extenuating circumstance in the sense of Article 83 paragraph 2 letter f)
Regulation (EU) 2016/679 the first-instance administrative body and the appeal body took into account the facts,
that the accused voluntarily took steps to correct the illegal situation in July 2019
by introducing direct consent [byu, according to the appellate authority, this consent does not fully comply
requirements according to Article 4 point 11 of Regulation (EU) 2016/679] with the processing of personal data
of users for the purpose of statistical analysis of trends and revision of my privacy policy/
The criteria listed in Article 83(2)(j) of Regulation (EU) 2016/679 are not considered in the case
relevant, the accused shall not declare compliance with the approved code according to Article 40 or
certificate according to Article 42 of Regulation (EU) 2016/679, therefore the appeal body did not evaluate it/
[179] The appeal body also evaluated the circumstances according to Article 83 paragraph 2 letter c) of Regulation (EU)
2016/679, i.e. the steps taken by the accused to mitigate the damage caused to the data subjects/
It follows from Instructions No. 4/2022 (point 76.) that the measures taken by the administrator must be assessed
especially with regard to the element of timeliness and their effectiveness/ Measures that are spontaneous
carried out before the administrator becomes aware of the investigation conducted by the supervisory authority, they will
more likely to be considered a mitigating circumstance than actions taken after that point/
The company ceased its activities in January 2020, which the appeals body perceives
positively, however, this step could not lead to mitigating (or averting) the harm caused
imminent harm) to data subjects whose data has already been transferred to the company which
further processed and made available to third parties/ They are not known to the Appellate Body
any other steps the accused has taken to mitigate the possible consequences of her wrongdoing
38
Directive 95/46/EC of the European Parliament of the Council of 24 October 1995 on the protection of natural persons in the context
with the processing of personal data and the free movement of such data/
55/57 proceedings on data subjects/ On the basis of the above, the appeal body did not evaluate the circumstances
arising from Article 83 paragraph 2 letter c) of Regulation (EU) 2016/679 as mitigating or aggravating/
[180] The appellate body thus completely agrees with the procedure of the administrative body of the first instance at
calculation of the administrative fine and its amount/
[181] In addition to the above, the appellate body states that the administrative body when calculating the fine
was based on the turnover of the accused for the year 2020, which according to the financial statements of the accused published on
of the justice portal/cz amounted to CZK/ When determining the amount of the fine, the supervisory authorities have
based on the turnover of the accused, which he reached at the time of issuing the decision39, not at the time of the commission of the offense
offence/ According to the financial statements of the accused for the year 2022 (the financial statements for the entire year 2023
was not published by the date of this decision) the turnover of the accused reached the above
CZK, which is an amount almost CZK 1 billion higher/ The decision on decomposition can be made according to
§ 152 paragraph 6 letter a) of Act No. 500/2004 Coll. to be amended, if this fully complies with the dissolution
and if no injury can thereby be caused to any of the participants/ For this reason, in accordance
with the principle of the prohibition of reformatio in peius, the appellate body did not rely on the turnover of the accused per year
2022, the fine imposed by the administrative body of the first instance cannot be increased/
[182] For the sake of completeness, the appellate body will also comment on the possibility of submitting an objection of bias against
to the members of the dissolution commission/ The dissolution commission is only an advisory body that does not make decisions in
the same things, and thus one cannot speak of bias in the true sense of the word/ The accused was based on
of her requests for notification of the composition of the decomposition commission, she was repeatedly told that the list of all properly
of the appointed members of the dissolution commission is published on the website of the Office
(https://uoou.gov.cz/urad/povinne-zverejnovane-informace/rozkladova-komise), and in the appendix
communication ref/ UOOU-01025/20-118 dated January 4, 2024 included a list of the members of the dissolution commission
sent. For reasons of preventive protection of the members of the decomposition committee against possible attempts to influence
their opinion on the part of the accused The Office does not communicate information to the accused about whether the case will be
assigned to the plenary session or a specific senate by the chair of the Office for discussion by the dissolution committee,
possibly to a senate expanded by other members of the dissolution commission from other senates/ She was accused
repeatedly informed about the composition of the dissolution committee/ If she thought that one of the members was
biased by the decomposition committee, she could raise a "bias objection" without being informed
about which specific members of the dissolution committee will participate in the discussion of the case/Accused
however, she did not object to any member of the dissolution commission.
III. Conclusion
[183] In view of the above, the accused suggested that the President of the Office be challenged
annulled the decision and stopped the proceedings/ However, if the Chairman of the Office comes to the opinion that the accused
committed the offence, he should, according to the accused, impose a punishment in the form of a warning or imposed
significantly reduce the fine, as its current amount is illegal according to the accused/
[184] In addition, the appellate body summarizes that the reasons for not complying with the dissolution proposal
the accused pretends in detail in the previous parts of the justification. The guilty plea is supported
primarily about indirect evidence, which, according to the appellate body (in accordance with case law, cf.
e.g. the resolution of the Constitutional Court no. I/ ÚS 1875/16 of 19/ December 2016) forms a logical,
an unbroken chain of complementary evidence which, in its entirety, reliably
prove all the circumstances of the act/ Disrespect for privacy and the right to personal protection
39
56/57 of the data represents a violation of the fundamental rights of the European Union guaranteed by the Charter of Fundamental Rights
The European Union, which, above all, the Office is called upon to defend. For all the above reasons
decided by the appeal body as stated in the statement of this decision/
Instruction: Against this decision according to the provisions of Section 152 paragraph 5 of the Act
No. 500/2004 Coll., Administrative Code, cannot be dissolved/
Prague, April 10, 2024
Master/ Jiří Kaucký
chairman
(electronically signed)
57/57
