DPC (Ireland) - LinkedIn inquiry: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by one other user not shown)
Line 71: Line 71:
}}
}}


A DPA issued LinkedIn with a fine of €310,000,000 for the unlawful processing of personal data for the purposes of behavioural analysis and targeted advertising.
The DPA fined LinkedIn €310,000,000 for the unlawful processing of personal data for the purposes of behavioural analysis and targeted advertising.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On the 20 August 2018, the French non-profit organisation “La Quadrature du Net” filed a complaint against LinkedIn for intransparent data processing. The complaint had initially been made to the French DPA (CNIL) and was later taken over by the Irish DPA (DPC) as the lead supervisory authority for LinkedIn.  
On the 20 August 2018, the French non-profit organisation “La Quadrature du Net” filed a complaint against LinkedIn for intransparent data processing. The complaint had initially been made to the French DPA ([[CNIL (France)|CNIL]]) and was later taken over by the Irish DPA ([[DPC (Ireland)|DPC]]) as the lead supervisory authority for LinkedIn.  


The inquiry analysed LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising to its users.  
The inquiry analysed LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising to its users. It focussed on the obligation to provide information to data subjects and whether LinkedIn could rely on a legal basis for under Article 6 GDPR for this processing. 


The inquiry found that non of the legal bases invoked by LinkedIn justified the data processing at hand. Specifically, the consent of the LinkedIn users to this processing had not been freely given, sufficiently informed or specific or unambiguous. Further, LinkedIn’s legitimate interests were overridden by the interests and fundamental rights and freedoms of data subjects and LinkedIn could not rely on contractual necessity for the processing.  
=== Holding ===
In a press realease, the DPC highlighted that LinkedIn had breached the overarching principles of fairness and transparency ([[Article 5 GDPR|Article 5(1)(a) GDPR]]) all throughout the course of the processing.  


In addition, the inquiry showed that the information provided to data subjects by LinkedIn regarding the lawful basis it claimed to rely on, namely Article 6(1)(a), 6(1)(b) and 6(1)(f) GDPR was insufficient.
The inquiry found that none of the legal basis invoked by LinkedIn justified the data processing at hand. Specifically, the consent of the LinkedIn users to this processing had not been freely given, sufficiently informed, specific or unambiguous. Further, LinkedIn’s legitimate interests were overridden by the interests and fundamental rights and freedoms of data subjects and LinkedIn could not rely on contractual necessity for the processing.  


=== Holding ===
In addition, the inquiry showed that the information provided to data subjects by LinkedIn regarding the lawful basis it claimed to rely on, namely [[Article 6 GDPR|Article 6(1)(a), 6(1)(b) and 6(1)(f) GDPR]] was insufficient.
In a press realease, the DPC highlighted that LinkedIn had breached the overarching principles of fairness and transparency (Article 5(1)(a) GDPR) all throughout the course of the processing.  


The DPC held that LinkedIn could not rely on consent under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], legitimate interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] nor contractual necessity under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for its processing. In addition to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], the DPC held that the information provided to data subjects violated Articles 13(1)(c) and 14(1)(c) GDPR.  
The DPC held that LinkedIn could not rely on consent under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], legitimate interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] nor contractual necessity under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for its processing. In addition to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], the DPC held that the information provided to data subjects violated Articles [[Article 13 GDPR|13(1)(c)]] and [[Article 14 GDPR|14(1)(c) GDPR]].  


Made up of three administrative fines, the DPC fined LinkedIn with a total of €310,000,000 for infringements of Articles 5(1)(a), 6(1)(a), 6(1)(f), 6(1)(b), 13(1)(c) and 14(1)(c) GDPR. In addition to the fine, the DPC issued a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] and ordered LinkedIn to bring its processing into compliance as per [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]].
Made up of three administrative fines, the DPC fined LinkedIn with a total of €310,000,000 for infringements of [[Article 5 GDPR|Articles 5(1)(a)]], [[Article 6 GDPR|6(1)(a)]], [[Article 6 GDPR|6(1)(f)]], [[Article 6 GDPR|6(1)(b)]], [[Article 13 GDPR|13(1)(c)]] and [[Article 14 GDPR|14(1)(c) GDPR]]. In addition to the fine, the DPC issued a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] and ordered LinkedIn to bring its processing into compliance as per [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]].


== Comment ==
== Comment ==

Latest revision as of 09:43, 4 November 2024

DPC - LinkedIn inquiry
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
Article 14(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 20.08.2018
Decided: 22.10.2024
Published: 24.10.2024
Fine: 310,000,000 EUR
Parties: LinkedIn
National Case Number/Name: LinkedIn inquiry
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: Ao

The DPA fined LinkedIn €310,000,000 for the unlawful processing of personal data for the purposes of behavioural analysis and targeted advertising.

English Summary

Facts

On the 20 August 2018, the French non-profit organisation “La Quadrature du Net” filed a complaint against LinkedIn for intransparent data processing. The complaint had initially been made to the French DPA (CNIL) and was later taken over by the Irish DPA (DPC) as the lead supervisory authority for LinkedIn.

The inquiry analysed LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising to its users. It focussed on the obligation to provide information to data subjects and whether LinkedIn could rely on a legal basis for under Article 6 GDPR for this processing.

Holding

In a press realease, the DPC highlighted that LinkedIn had breached the overarching principles of fairness and transparency (Article 5(1)(a) GDPR) all throughout the course of the processing.

The inquiry found that none of the legal basis invoked by LinkedIn justified the data processing at hand. Specifically, the consent of the LinkedIn users to this processing had not been freely given, sufficiently informed, specific or unambiguous. Further, LinkedIn’s legitimate interests were overridden by the interests and fundamental rights and freedoms of data subjects and LinkedIn could not rely on contractual necessity for the processing.

In addition, the inquiry showed that the information provided to data subjects by LinkedIn regarding the lawful basis it claimed to rely on, namely Article 6(1)(a), 6(1)(b) and 6(1)(f) GDPR was insufficient.

The DPC held that LinkedIn could not rely on consent under Article 6(1)(a) GDPR, legitimate interests under Article 6(1)(f) GDPR nor contractual necessity under Article 6(1)(b) GDPR for its processing. In addition to Article 5(1)(a) GDPR, the DPC held that the information provided to data subjects violated Articles 13(1)(c) and 14(1)(c) GDPR.

Made up of three administrative fines, the DPC fined LinkedIn with a total of €310,000,000 for infringements of Articles 5(1)(a), 6(1)(a), 6(1)(f), 6(1)(b), 13(1)(c) and 14(1)(c) GDPR. In addition to the fine, the DPC issued a reprimand under Article 58(2)(b) GDPR and ordered LinkedIn to bring its processing into compliance as per Article 58(2)(d) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.