DPC (Ireland) - LinkedIn inquiry: Difference between revisions
m (→Facts) |
No edit summary |
||
| (One intermediate revision by one other user not shown) | |||
| Line 71: | Line 71: | ||
}} | }} | ||
The DPA fined LinkedIn €310,000,000 for the unlawful processing of personal data for the purposes of behavioural analysis and targeted advertising. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On the 20 August 2018, the French non-profit organisation “La Quadrature du Net” filed a complaint against LinkedIn for intransparent data processing. The complaint had initially been made to the French DPA (CNIL) and was later taken over by the Irish DPA (DPC) as the lead supervisory authority for LinkedIn. | On the 20 August 2018, the French non-profit organisation “La Quadrature du Net” filed a complaint against LinkedIn for intransparent data processing. The complaint had initially been made to the French DPA ([[CNIL (France)|CNIL]]) and was later taken over by the Irish DPA ([[DPC (Ireland)|DPC]]) as the lead supervisory authority for LinkedIn. | ||
The inquiry analysed LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising to its users. | The inquiry analysed LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising to its users. It focussed on the obligation to provide information to data subjects and whether LinkedIn could rely on a legal basis for under Article 6 GDPR for this processing. | ||
=== Holding === | |||
In a press realease, the DPC highlighted that LinkedIn had breached the overarching principles of fairness and transparency ([[Article 5 GDPR|Article 5(1)(a) GDPR]]) all throughout the course of the processing. | |||
The inquiry found that none of the legal basis invoked by LinkedIn justified the data processing at hand. Specifically, the consent of the LinkedIn users to this processing had not been freely given, sufficiently informed, specific or unambiguous. Further, LinkedIn’s legitimate interests were overridden by the interests and fundamental rights and freedoms of data subjects and LinkedIn could not rely on contractual necessity for the processing. | |||
In addition, the inquiry showed that the information provided to data subjects by LinkedIn regarding the lawful basis it claimed to rely on, namely [[Article 6 GDPR|Article 6(1)(a), 6(1)(b) and 6(1)(f) GDPR]] was insufficient. | |||
In | |||
The DPC held that LinkedIn could not rely on consent under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], legitimate interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] nor contractual necessity under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for its processing. In addition to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], the DPC held that the information provided to data subjects violated Articles 13(1)(c) and 14(1)(c) GDPR. | The DPC held that LinkedIn could not rely on consent under [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], legitimate interests under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] nor contractual necessity under [[Article 6 GDPR#1b|Article 6(1)(b) GDPR]] for its processing. In addition to [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], the DPC held that the information provided to data subjects violated Articles [[Article 13 GDPR|13(1)(c)]] and [[Article 14 GDPR|14(1)(c) GDPR]]. | ||
Made up of three administrative fines, the DPC fined LinkedIn with a total of €310,000,000 for infringements of Articles 5(1)(a), 6(1)(a), 6(1)(f), 6(1)(b), 13(1)(c) and 14(1)(c) GDPR. In addition to the fine, the DPC issued a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] and ordered LinkedIn to bring its processing into compliance as per [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]]. | Made up of three administrative fines, the DPC fined LinkedIn with a total of €310,000,000 for infringements of [[Article 5 GDPR|Articles 5(1)(a)]], [[Article 6 GDPR|6(1)(a)]], [[Article 6 GDPR|6(1)(f)]], [[Article 6 GDPR|6(1)(b)]], [[Article 13 GDPR|13(1)(c)]] and [[Article 14 GDPR|14(1)(c) GDPR]]. In addition to the fine, the DPC issued a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] and ordered LinkedIn to bring its processing into compliance as per [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]]. | ||
== Comment == | == Comment == | ||
Latest revision as of 09:43, 4 November 2024
| DPC - LinkedIn inquiry | |
|---|---|
 | |
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 13(1)(c) GDPR Article 14(1)(c) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 20.08.2018 |
| Decided: | 22.10.2024 |
| Published: | 24.10.2024 |
| Fine: | 310,000,000 EUR |
| Parties: | |
| National Case Number/Name: | LinkedIn inquiry |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | DPC (in EN) |
| Initial Contributor: | Ao |
The DPA fined LinkedIn €310,000,000 for the unlawful processing of personal data for the purposes of behavioural analysis and targeted advertising.
English Summary
Facts
On the 20 August 2018, the French non-profit organisation “La Quadrature du Net” filed a complaint against LinkedIn for intransparent data processing. The complaint had initially been made to the French DPA (CNIL) and was later taken over by the Irish DPA (DPC) as the lead supervisory authority for LinkedIn.
The inquiry analysed LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising to its users. It focussed on the obligation to provide information to data subjects and whether LinkedIn could rely on a legal basis for under Article 6 GDPR for this processing.
Holding
In a press realease, the DPC highlighted that LinkedIn had breached the overarching principles of fairness and transparency (Article 5(1)(a) GDPR) all throughout the course of the processing.
The inquiry found that none of the legal basis invoked by LinkedIn justified the data processing at hand. Specifically, the consent of the LinkedIn users to this processing had not been freely given, sufficiently informed, specific or unambiguous. Further, LinkedIn’s legitimate interests were overridden by the interests and fundamental rights and freedoms of data subjects and LinkedIn could not rely on contractual necessity for the processing.
In addition, the inquiry showed that the information provided to data subjects by LinkedIn regarding the lawful basis it claimed to rely on, namely Article 6(1)(a), 6(1)(b) and 6(1)(f) GDPR was insufficient.
The DPC held that LinkedIn could not rely on consent under Article 6(1)(a) GDPR, legitimate interests under Article 6(1)(f) GDPR nor contractual necessity under Article 6(1)(b) GDPR for its processing. In addition to Article 5(1)(a) GDPR, the DPC held that the information provided to data subjects violated Articles 13(1)(c) and 14(1)(c) GDPR.
Made up of three administrative fines, the DPC fined LinkedIn with a total of €310,000,000 for infringements of Articles 5(1)(a), 6(1)(a), 6(1)(f), 6(1)(b), 13(1)(c) and 14(1)(c) GDPR. In addition to the fine, the DPC issued a reprimand under Article 58(2)(b) GDPR and ordered LinkedIn to bring its processing into compliance as per Article 58(2)(d) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
