UODO (Poland) - ZSPR.440.331.2019.PR.PAM: Difference between revisions
No edit summary |
No edit summary |
||
Line 73: | Line 73: | ||
The supervisory authority considered that the controller did not provide the data subject with complete information pursuant to [[Article 15 GDPR#1|Article 15(1) GDPR]]. Indeed, the controller's response lacked information on the marketing categories (behavioural profile) that were assigned to the data subject on the basis of the cookies and with which other information about her the information resulting from the cookies was combined. | The supervisory authority considered that the controller did not provide the data subject with complete information pursuant to [[Article 15 GDPR#1|Article 15(1) GDPR]]. Indeed, the controller's response lacked information on the marketing categories (behavioural profile) that were assigned to the data subject on the basis of the cookies and with which other information about her the information resulting from the cookies was combined. | ||
== Comment == | == Comment == | ||
== Further Resources == | == Further Resources == | ||
https://panoptykon.org/uodo-mamy-prawo-poznac-swoj-profil-marketingowy | https://panoptykon.org/uodo-mamy-prawo-poznac-swoj-profil-marketingowy |
Revision as of 14:30, 6 December 2021
UODO (Poland) - ZSPR.440.331.2019.PR.PAM | |
---|---|
Authority: | UODO (Poland) |
Jurisdiction: | Poland |
Relevant Law: | Article 15(1) GDPR Article 58(2)(c) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 07.10.2021 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | ZSPR.440.331.2019.PR.PAM |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Polish |
Original Source: | KLM Law (in PL) |
Initial Contributor: | Agnieszka Rapcewicz |
The Polish DPA (UODO) ordered the controller to provide the data subject with information on the marketing categories attributed to her on the basis of cookies, and to indicate which information concerning her was linked to the cookie information. The information must be clear, understandable and sufficiently precise to enable the user to understand the functioning of the cookies that are used.
English Summary
Facts
Controller is a company that enables third parties to embed cookies in its domain to provide specific functionalities to users. It obtained data subject's personal data via cookies. Controller processes personal data for the functionality of the website, inter alia "to provide services of access to the resources of the web portal, services and applications". However, it also processes personal data for its legitimate interest of detection and prevention of abuse of the telecommunications network, for analytical purposes, and for online advertising. Lastly, it is important to mention that the controller has no knowledge and influence on the operation of the (embedded) cookies of third party entities.
The data subject filed a complaint with the DPA about irregularities in the processing of her personal data consisting of a failure to comply with the obligation under Article 15(1) GDPR towards her. The controller obtained the data subject's personal data, stored in cookies, by means of a terminal device of which the data subject was a user, in connection with browsing the website. The controller processes the data subject's personal data in order to provide services of access to the resources of the web portal, services and applications, as well as to pursue legitimate interests in the detection and prevention of abuse of the telecommunications network, for analytical purposes and the adjustment of online advertising. The controller does not make cookies available to other entities, but enables such entities (with which it has concluded agreements) to embed cookies in its domain by providing it with specific functionalities.
The data subject in July 2018 requested a copy of her personal data from the controller, as well as information on the processing of: which of her personal data is processed, the legal basis and the purposes of the processing in the context of the different groups of cookies (if this is also the case for other of her data), the sources of acquisition of her data, the recipients of her personal data, information on profiling and automated decision-making in the context of the content displayed to her based on the controller's collection, and concerning the content of her personal data, in particular what marketing categories (behavioural profile) have been attributed to her on the basis of cookies and with which other information about the data subject the information resulting from cookies has been combined.
The controller provided information, but the data subject stated that it was not complete and requested again information about what marketing categories (behavioural profile) have been attributed to her on the basis of cookies and with which other information about the data subject the information resulting from cookies has been combined. The controller indicated that he had provided complete information. The data subject lodged a complaint with the DPA.
Holding
The Polish supervisory authority ordered the controller to provide the data subject with information on the marketing categories (behavioural profile) attributed to him/her on the basis of cookies, and to indicate what information concerning him/her has been linked to the cookie information.
The supervisory authority pointed out that behavioural profiling involves tailoring advertising to topics of interest to the internet user, and this process is based on the internet user's behaviour and then displaying advertising on topics to which the user spends a large amount of time while surfing the internet. The collection of information about an internet user is inextricably linked to profiling, the key aim of which is to match relevant advertising to a specific person, based on inferences about that person's expected characteristics and needs.
The supervisory authority pointed out that the controller creates a state of uncertainty for the data subject by failing to take a uniform, transparent and reliable view of the content of the data being processed, in particular what marketing categories (behavioural profile) have been attributed to the data subject on the basis of cookies and with what other information about a specific natural person the information resulting from those cookies has been combined. The information provided must be clear, understandable and sufficiently precise to enable the user to understand the functioning of the cookies that are used.
The supervisory authority considered that the controller did not provide the data subject with complete information pursuant to Article 15(1) GDPR. Indeed, the controller's response lacked information on the marketing categories (behavioural profile) that were assigned to the data subject on the basis of the cookies and with which other information about her the information resulting from the cookies was combined.
Comment
Further Resources
https://panoptykon.org/uodo-mamy-prawo-poznac-swoj-profil-marketingowy
English Machine Translation of the Decision
The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.
Warsaw, 7 October 2021. ZSPR.440.331.2019.PR.PAM DECISION Pursuant to Article 104 § 1 of the Act of 14 June 1960 Code of Administrative Procedure (Journal of Laws of 2021, item 735 i.e.) in connection with Article 7 (1) of the Act on Personal Data Protection of 10 May 2018 (Journal of Laws of 2019, item 1781), Article 15 (1) and Article 58 (2) (c) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (Official Journal of the European Union L 119 of 4.05.2016, p. 1, Official Journal of the European Union L 127 of 23.05.2018, p. 2 and Official Journal of the European Union L 74 of 4.03.2021, p. 35), having conducted administrative proceedings concerning the complaint of Ms K. I., of irregularities in the processing of her personal data consisting in a failure to comply with the obligation imposed on her by Article 15(I) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC ( General Data Protection Regulation), (Official Journal of the European Union L 119 of 4.05.2016, page 1, Official Journal of the European Union L 127 of 23.05.2018, page 2 and Official Journal of the European Union L 74 of 4.03.2021, page 35) by G. I. Sp. z o.o. sp. k, The President of the Office for Personal Data Protection 1. orders G. I. Sp. z o.o. sp. k. to make available to Ms K. I. information on the marketing categories (behavioural promos) attributed to her on the basis of cookies and to indicate which information concerning her has been combined with the information resulting from the cookies, 2. refuses to grant the remainder of the application. Justification The Office for Personal Data Protection has received a complaint from Ms. K. I., hereinafter referred to as the Complainant, about irregularities in the processing of her personal data consisting in the failure to comply with the obligation imposed on her by Article 15(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free flow of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (Official Journal of the European Union L 119 of 4.05.2016, page 1, Official Journal of the European Union L 127 of 23.05.2018, page 2, and Official Journal of the European Union L 74 of 4.03.2021, page 35), hereinafter referred to as Regulation 2016/679, by G. I. Sp. z o.o. sp. k, hereinafter referred to as: the Company. In the course of the investigation in this case, the President of the Office for Personal Data Protection established the following facts: 1. The Company obtained the Complainant's personal data, stored in cookies, using the Complainant's end device in connection with viewing the pages of the .... website. The data on this terminal device was saved automatically in connection with browsing the pages of the aforementioned portal (evidence: explanations of the Company). 2. The Company processes the Complainant's personal data in order to provide services of access to the resources of the web portal, services and applications, as well as to pursue its legitimate interest in the detection and prevention of abuse of the telecommunications network, for analytical purposes and to adjust the display of online advertising. In its explanations, the Company also indicates that unless the Applicant deleted cookies from her browser, her data in this regard is still processed by the Company. Moreover, the Company stated that the set of cookies provided by the Applicant does not indicate that the Company performed targeting actions with regard to the Applicant (evidence: explanations of the Company). 3. The Company does not make cookies available to other entities; however, it enables such entities (with which it concludes written agreements) to embed cookies in its domain by providing it with specific functionalities. Then, the Company's employees embed the script on websites (directly in the codes of these websites) in the domain ..... The embedded files are an internal mechanism of the respective partner and are under its control. Specific entities are responsible for providing specific functionalities to users according to their needs (evidence: letter of the Company dated ... February 2020). 4. The Company has no control over the process established by the specific entities (with which it contracts) for the use of cookies and similar technologies, which takes place on the basis of the script's communication with the end devices and websites on which it is embedded. Using JavaScript, the Company can create, modify cookies from other entities. The Company has a view of the cookies of other entities in the same form as the end users (i.e. string of characters) and, regardless of any changes it makes here, it has no knowledge or influence on the operation and induced changes by these cookies (evidence: letter of the Company dated ... February 2020). 5. The applicant on ... July 2018 requested the Company to provide a copy of her personal data, as well as information about its processing in terms of: which of her personal data are processed, the legal basis and purposes of the processing in the context of each group of cookies (if this is also the case for other of her data), the sources of obtaining her data, the recipients of her personal data, information on profiling and automated decision-making in the context of the content displayed to her based on the information collected by the Company and concerning the content of her personal data, in particular which marketing categories (behavioural profile) have been assigned to her on the basis of cookies and with which other information about the Complainant has been combined the information resulting from these cookies. The Company, after verifying the Complainant's identity (i.e. after the Complainant had sent, "under penalty of perjury", a statement concerning the non-interference with the resources of the cookies sent to the Company) and after being informed by the Complainant that she was not using a blocking program, provided her on ... September 2018 information on: • the controller of her personal data, • the purpose of the processing of personal data (provision of services of access to the resources of the web portal, services and applications, as well as detection and prevention of abuse of the telecommunications network, for analytical purposes and adjustment of the display of online advertising), • the source of acquisition of personal data (user/end device), • the categories of personal data processed (identifiers stored in cookies technology), • the recipients of her personal data( ... ), • the duration of storage of personal data (depending on the lifetime of cookies), • information on rights (to request access, rectification, erasure, restriction of data processing, to object to data processing, to data portability to another controller and to lodge a complaint with a supervisory authority), • automated decision-making, including profiling (no such processing), • transfer of personal data to a third country [IP address is transferred to ... by ... on behalf of . . . will use this data to analyse site usage, compile reports on site activity and provide other services relating to site usage and internet usage. The data collected will not be combined by ... with other data] (evidence: explanations of the Company and annexes to these explanations, and contents of the complaint and annexes to these explanations). 6. The Complainant questioned the completeness of the information provided by the Company and on ... September 2018, she again requested it to provide her with information about the marketing categories (behavioural profile) that had been attributed to her on the basis of the cookies and with which other information about the Complainant the information resulting from the cookies had been combined. In a response dated ... September 2018. The Company indicated to the Complainant that the contents of the aforementioned file sent to her on ... September 2018, contained all the information she requested, in particular about the source of her personal data, about the recipients of this data and about the use or non-use of profiling (evidence: explanations of the Company and content of the complaint and annexes to these explanations). Having considered the evidence gathered in the case, the President of the Office for the Protection of Personal Data stated as follows: According to Article 15(1) of Regulation 2016/679, the data subject is entitled to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, if this is the case, he or she is entitled to obtain access to them and to be informed of: the purposes of their processing (lit. a), the categories of personal data concerned (lit. b ), the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations (lit. c), as far as possible the intended period of storage of the personal data and, where this is not possible, the criteria for determining this period (lit. d), the right to request from the controller rectification, erasure or restriction of processing of personal data concerning the data subject and to object to such processing (lit. e ), the right to lodge a complaint to the supervisory authority (point f), where the personal data have not been collected from the data subject all available information on their source (point g), automated decision-making, including profiling as referred to in Article 22(1) and (4) and, at least in these cases, relevant information on the modalities of such decision-making, as well as on the significance and the envisaged consequences of such processing for the data subject (point h). In turn, according to Article 12(1) of Regulation 2016/679, the controller shall take appropriate measures to provide the data subject with all the information referred to in Articles 13 and 14 in a concise, transparent, intelligible and easily accessible form in clear and plain language, in particular when the information is addressed to a child, and to conduct any communication with the data subject pursuant to Articles 15 to 22 and 34 on the processing. Article 15(1) of Regulation 2016/679 does not impose any formal limitations on the amount of information made available under the right of access, nor on the limits of requests or enquiries, and it concerns the provision of information on all categories of data and does not restrict the data subject's right of access to specific categories of data. On ... July 2018. The Complainant requested the Company, pursuant to Article 15 of Regulation 2016/679, to provide her with a copy of her personal data, as well as to provide information on the processing of her data, concerning, inter alia, the marketing categories (behavioural profile) attributed to her on the basis of cookies and with which other information about her the information resulting from these cookies was combined. At this point, it should be pointed out that a behavioural profile is created by adjusting an advertisement to a subject of interest to an Internet user, a process based on the Internet user's behaviour and then displaying advertisements on subjects to which the user devotes a large proportion of his or her time while surfing the Internet. The collection of information about the user is inextricably linked to profiling, the key objective of which is to tailor appropriate advertising to a specific person, based on inferences about the expected characteristics and needs of that person. Pursuant to Article 12(3) of Regulation 2016/679, the controller shall, without undue delay - and in any event within one month of receipt of the request - provide the data subject with information on the action taken in response to the request pursuant to Articles 15 to 22. If necessary, this period may be extended by a further two months due to the complexity of the request or the number of requests. Within one month after receipt of the request, the controller shall inform the data subject of such extension, stating the reasons for the delay. At the same time, it should be pointed out that paragraph 1 of the above provision stipulates that information shall be provided in writing or by other means, including, where appropriate, by electronic means. Moreover, pursuant to Article 5(1)(a) of Regulation 2016/679, personal data must be processed lawfully, fairly and in a transparent manner for the data subject. Thus, when implementing the obligation to provide access to and information about data, the controller should be guided, inter alia, by the principle of fairness and transparency, above all when providing information about the personal data being processed. Moreover, one has to agree with the opinion expressed in the literature that: ,,[p]roviding information about the circumstances of personal data processing reduces the data subject's uncertainty as to how a particular controller disposes of its information sphere" (M. Sakowska-Baryła, General Regulation on the Protection of Personal Data. Commentary, Warsaw 2018, p. 230). The lack of a uniform, transparent and reliable position of the Company as to the content of the processed personal data, in particular what marketing categories (behavioural profile) have been assigned on the basis of cookies and with what other information about a specific person the information resulting from these cookies has been combined, creates such uncertainty. Indeed, as pointed out in the CJEU judgment of 1 October 2019, in Case C-673/17, the information provided must be clear, comprehensible and sufficiently precise to enable the user to understand the functioning of the cookies that are used. The Company replied to the Complainant's request in question on ... September 2018, the content of which indicated, inter alia, that it was processing the Complainant's personal data in order to tailor the display of online advertising and informed the Complainant of the category of personal data processed (identifiers stored in the cookie technology), as well as that no automated decision would be taken with respect to her personal data, including the non-application of profiling to such data. However, in the opinion of the supervisory authority, the Company did not provide the Complainant with complete information pursuant to Article 15 (1) of Regulation 2016/679. Indeed, the response to her request lacks information on the marketing categories (behavioural profile) that were assigned to her on the basis of cookies and with which other information about her was combined the information resulting from these cookies. In its explanations submitted in the course of the proceedings, the Company indicates that it processes the Complainant's personal data, inter alia, in order to adjust the display of online advertising. In the same explanations, the Company points to the fact that (at the same time) the set of cookies submitted by the Applicant does not indicate that the Company performs actions in respect of the Applicant related to targeting of advertising materials. Thus, in the opinion of the President of the Office for Harmonisation in the Internal Market (OCCP), the Company does not deny that the Applicant's personal data are used to create a behavioural profile in order to personalise advertising on the portal it administers. In the opinion of the President of the Office for Harmonisation in the Internal Market (OCCP), such statements oblige the President of the Office for Harmonisation in the Internal Market to conclude that the processing of personal data questioned by the Applicant does exist and the Company is not able to identify it unambiguously, which excludes the obligation to fulfil the information obligation requested by the Applicant. The Company did not provide information to the Complainant in this respect. In view of the above findings, it must be concluded that there was a prerequisite for the supervisory authority to apply the power referred to in Article 58(2)(c) of Regulation 2016/679 and to order the Company to provide the Complainant with information concerning the marketing categories (behavioural profile) that were assigned to her by the cookies obtained and with which other information about her the information resulting from the cookies was combined. Furthermore, it should be noted that the information addressed to the Complainant should be provided in a concise, transparent, intelligible and easily accessible form, in clear and simple language. In its information, the Company should accurately describe the behavioural profile of the Complainant created by the Company on the basis of her Internet activity, specifically indicating the marketing categories assigned to her on the basis of the cookies obtained and what information about her has been combined with the information resulting from these cookies. If, on the other hand, the Company does not process the Complainant's personal data in the manner described above, i.e. it has not created a behavioural profile in respect of the Complainant on the basis of the cookies obtained in order to display advertisements tailored to her needs, it should clearly inform the Complainant of this fact, indicating how her personal data obtained in the form of identifiers stored in the cookie technology are processed and what the processing of her personal data consists in in order to tailor the display of online advertising. At the same time, in the opinion of the supervisory authority, within the framework of the aforementioned principle of providing information in an understandable and transparent manner, the Company, while answering the Complainant's questions, should indicate the principles of possibility of creating behavioural profiles of the Complainant by entities with which the Company concludes agreements (partners of the Company), by means of scripts placed in codes of websites located in the domain of the Company. The information provided by the Company should be fully comprehensible to the Complainant and should not create doubts as to the purpose and manner of processing her personal data collected in the form of cookies. It should further be noted that the Complainant's request of ... July 2018, also concerned providing her with other information on the processing of her data, i.e. which of her personal data are processed, the legal basis and purposes of the processing in the context of particular groups of cookies If this is also the case with other of her data), the sources of obtaining her data, the recipients of her personal data, information on profiling and automated decision-making in the context of the content displayed to her based on the information collected by the Company. In response, the Company, on ... September 2018, provided the Complainant with information on the controller of her personal data, the source of her personal data, the recipients of her personal data, the transfer of her personal data to a third country, the storage period of her personal data, the rights of persons whose personal data are processed, automated decision-making, including profiling, the categories of personal data processed (identifiers stored in cookie technology), as well as the purpose of the processing of her personal data (provision of services of access to the resources of the web portal, services and applications, as well as detection and prevention of abuse of the telecommunications network, for analytical purposes and adjustment of the display of online advertising). The information in question was presented to the Applicant in a concise, transparent, comprehensible and easily accessible form, in clear and simple language. Thus, it should be concluded that the Company has duly complied with its obligation under Article 15(1) of Regulation 2016/679 towards the Complainant in the aforementioned respect, and thus it would be unjustified to order the Company to comply with the Complainant's request in this respect. In this factual and legal state, the President of the Office for Personal Data Protection decided as in the operative part. The decision is final. Pursuant to Article 7(2) of the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781, as amended) in conjunction with Article 13 § 2, Article 53 § 1 and Article 54 of the Act of 30 August 2002. Law on Proceedings before Administrative Courts (Journal of Laws of 2019, item 2325, as amended), a party dissatisfied with this decision has the right to lodge a complaint with the Provincial Administrative Court in Warsaw within 30 days of its delivery to the party. The complaint is lodged through the President of the Office for Personal Data Protection (address: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw). The entry fee for the complaint amounts to PLN 200. The party has the right to apply for the right of assistance including exemption from court costs.