CNPD (Luxembourg) - Délibération n° 24FR/2022
Revision as of 11:58, 29 March 2023
CNPD - 24FR/2022 | |
---|---|
Authority: | CNPD (Luxembourg) |
Jurisdiction: | Luxembourg |
Relevant Law: | Article 12(1) GDPR, Article 13(2)(a) GDPR, Article 13(2)(b) GDPR, Article 58(2) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 17.07.2020 |
Decided: | 13.12.2022 |
Published: | |
Fine: | 3,700 EUR |
Parties: | n/a |
National Case Number/Name: | 24FR/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | CNPD (in FR) |
Initial Contributor: | ls |
The Luxembourg DPA fined a company running a website and a mobile app €3,700 for not providing sufficient information about the processing of data and for using a privacy policy that did not reflect reality.
English Summary
Facts
On 17 July 2020, the Luxembourg DPA opened an investigation at Company A, operator of a website and mobile application, to verify the compliance of its activities with Articles 12(1), 13 and 14 GDPR. The investigation focused on the users of the website and mobile application and not on the employees.
The investigation showed that
- the privacy policy mentioned processing operations that were not actually carried out;
- the privacy policy was not available on all the pages on which the company collected data;
- regarding the mobile app, no privacy policy was available before the download and once the application was installed, the privacy policy was not easily accessible;
- the privacy policy was only available in two languages, whereas the website was available in three languages; and
- the privacy policy did not mention the length of time for which the data would be kept or the right to restrict processing.
The controller replied that the unavailability of the information was due to the attitude of the service provider that managed its site and application.
Holding
The DPA considered that the privacy policy did not reflect reality and that the controller did not provide the required information in a comprehensible manner, in clear and simple terms, in violation of Article 12(1). It also found that the lack of information regarding the length of time the data will be kept and the right to restrict processing constituted a breach of Articles 13(2)(a) and 13(2)(b).
The DPA therefore, in accordance with Article 58(2), imposed a fine of €3,700 and ordered the controller to update its privacy policy to comply with the requirements of Article 12(1).
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of Survey No. […] conducted with Company A

Deliberation no. 24FR/2022 of December 13, 2022

The National Commission for Data Protection sitting in restricted formation, composed of Mrs. Tine A. Larsen, president, and Messrs. Thierry Lallemang and Alain Herrmann, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Considering the law of August 1, 2018 on the organization of the National Commission for Data Protection and the general data protection regime, in particular its article 41;

Having regard to the internal rules of the National Commission for Data Protection adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its article 10.2;

Having regard to the regulations of the National Commission for Data Protection relating to the investigation procedure adopted by decision No. 4AD/2020 dated January 22, 2020, in particular its article 9;

Considering the following:

I. Facts and procedure

1. During its deliberation session of July 17, 2020, the National Commission for Data Protection sitting in plenary session (hereinafter: the “Plenary Panel”) decided to open an investigation with Company A on the basis of Article 37 of the law of 1 August 2018 on the organization of the National Commission for Data Protection and the general data protection regime (hereinafter: the “Law of August 1, 2018”) and to appoint Mr. Christophe Buschmann as head of investigation.
The said decision specified that the investigation carried out by the National Commission for Data Protection (hereinafter: the “CNPD” or the “National Commission”) had the purpose of monitoring the application of and compliance with the GDPR and the law of 1 August 2018, and specifically compliance with Articles 12.1, 13 and 14 of the GDPR.

2. Company A is […] registered with the Luxembourg Trade and Companies Register under number [...], with registered office at L - […] (hereinafter: the "controlled"). The controlled [is active in the operation of internet portals and the provision of services via these portals].

3. The decision of the National Commission sitting in restricted formation (hereafter: the “Restricted Formation”) on the outcome of the investigation will be based

- on the processing carried out by the controlled in relation to the operation of the website […] and the mobile application […] (hereinafter: the "website" and the “mobile application” respectively), and checked by CNPD agents; and
- on the legal and regulatory provisions taken into account by the head of investigation in his statement of objections.

4. By letter dated August 26, 2020, the head of investigation sent a preliminary questionnaire to the controlled. This moment is later referred to in this decision as "at the beginning of the investigation". The controlled responded by mail dated September 13, 2020. [2] After an on-site visit which took place on October 6, 2020, the controlled and the investigation department of the CNPD exchanged letters. [3]

[1] [...].
[2] This letter and its annexes were sent to the CNPD by e-mail on the same day.
[3] See Statement of Objections, point 9 for a detailed list of exchanges throughout the investigation.

5.
Following this exchange, the head of investigation drew up Investigation Report No. […] based on the deliberation of July 17, 2020 relating to compliance with Articles 12 point 1, 13 and 14 of the GDPR dated May 10, 2021 (hereinafter: the “Investigation Report”).

It appears from the investigation report [4] that in order to structure the investigation work, the head of investigation defined nine control objectives, namely:

1) ensure that the information is available;
2) ensure that the information is complete;
3) ensure that the absence of information is motivated by a valid exception;
4) ensure that information is transmitted by appropriate means;
5) ensure that the information is concise, transparent, understandable, and conveyed in clear and simple terms;
6) ensure that the information is appropriate for the category of data subjects;
7) ensure that information is free;
8) ensure that information is easily accessible; and
9) ensure that the information is transmitted during the key stages of the processing.

It is specified in the investigation report that the CNPD agents did not check “the legality of the processing carried out by the controller”. In this context, the following example is given: “in the event that the controller informs the persons concerned that their personal data are kept for a period of 2 years, CNPD officials will be able to check that the controller does not retain said data for a different period. On the other hand, the agents of the CNPD will not comment on the legality of this 2-year period applied by the data controller”. [5]

In addition, the survey focused on users of the website and the mobile application, and did not target other categories of data subjects such as employees of the controlled. [6]

[4] Investigation report, page 7, point “3.1 Control objectives”.
[5] Investigation report, page 6, point “2.3 Reservations”.
[6] Investigation report, page 6, point “2.2 Scope”.
The investigation report has as appendices the documents collected by the investigation department of the CNPD and on which the investigation report is based (appendix 1), as well as the report relating to the on-site visit by CNPD agents of October 6, 2020 aforesaid (appendix 2) (hereafter: the "minutes").

6. During its deliberation of July 23, 2021, the Restricted Panel appointed Mr. Marc Lemmer, commissioner, as head of investigation replacing Mr. Christophe Buschmann, who had resigned.

7. At the end of his investigation, the head of investigation notified the controlled on January 13, 2022 of a statement of objections detailing the shortcomings he considered constituted in this case in relation to the requirements prescribed by Article 12.1 of the GDPR (transparency obligation) and by Article 13 of the GDPR (right to information).

The head of investigation proposed to the Restricted Panel to adopt five different corrective measures, as well as to impose on the controlled an administrative fine of an amount of 3,700 euros.

The ability to submit written observations on the statement of objections was offered to the controlled. The latter did not communicate any observations to the head of investigation.

8. The president of the Restricted Formation informed the controller by letter dated May 20, 2022 that his case would be registered for the session of the Restricted Panel of July 13, 2022 and that he was offered the opportunity to be heard there. At the request of the controlled, the aforementioned session was postponed to the session of the Restricted Formation of September 28, 2022. By email of September 15, 2022, the auditee confirmed his attendance at said meeting.
During this session, the head of investigation and the controller, represented by […], presented their oral submissions in support of their written submissions and responded to questions posed by the Restricted Panel. The Restricted Formation gave the controlled the possibility of sending, within 2 weeks, the additional information requested during that session. The controller spoke last.

9. By email dated October 13, 2022, the auditee provided the additional information requested by the Restricted Formation.

[7] Statement of Objections, point 72 et seq.

II. Place

II. 1. On the reasons for the decision

A. On the breach related to the obligation of transparency

1. On the principles

10. According to Article 12.1 of the GDPR, the “controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 relating to processing to the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms, in particular for any information intended specifically for a child. The information is provided in writing or by other means including, where appropriate, electronically. When the data subject so requests, the information may be provided orally, provided that the identity of the data subject is demonstrated by other means.”

11. Transparency is a fundamental aspect of the principles relating to the processing of personal data.
The obligations in this area have been clarified by the Article 29 Working Party in its guidelines on transparency within the meaning of Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (hereinafter: “WP 260 rev.01” or the “transparency guidelines”).

These guidelines explain in particular the general rules of transparency established by Article 12 of the GDPR, and which are applicable to the communication of information to data subjects (Articles 13 and 14 of the GDPR), to communications addressed to data subjects regarding the exercise of their rights (Articles 15 to 22 of the GDPR), and communications regarding data breaches (Article 34 of the GDPR). [9]

They further underline that a “primary aspect of the principle of transparency highlighted in these provisions is that the data subject should be able to determine in advance what the scope and consequences of the processing encompass in order not to be caught off guard at a later stage as to how his personal data have been used”. [10]

[8] See in particular Articles 5.1.a) and 12 of the GDPR, see also recitals (39), (58) to (60) of the GDPR.
[9] WP 260 rev.01, point 7.

12. It should be noted that the European Data Protection Board (hereinafter: the “EDPB”), which succeeded the Article 29 Working Party on 25 May 2018, took over and reapproved the documents adopted by the said Group between May 25, 2016 and May 25, 2018, such as precisely the aforementioned guidelines on transparency. [11]

2. In this case

2.1 Regarding the requirement to provide information in a “concise and transparent” manner

13.
In the context of objective 5 [12], the head of investigation expected, among other things, that “the data protection policy reflects the reality of the processing actually carried out, that is to say without anticipation of processing that could possibly be put in place by the auditee in the future (cf. Test 5)”. [13]

CNPD officials then inspected “the data protection policy to check that it reflects the reality of the processing actually implemented, i.e. without anticipation of processing that could possibly be put in place by the controller in the future. To do this, CNPD officials compared the content of the data protection policy with the explanations obtained from the controller during the interview of 06/10/2020”. [14]

14. It is apparent from the statement of objections that “the CNPD officials noted that certain information contained in the data protection policy of Company A does not reflect reality” and that “the CNPD agents did not find any trace of the processing operations relating to Platform A or Platform B which are nevertheless mentioned in the data protection policy”. [15]

Thus, the head of investigation held that the conditions of article 12.1 of the GDPR "as to the loyalty and transparency of information" were not respected. [16]

[10] WP 260 rev.01, item 10.
[11] See EDPB Endorsement Decision 1/2018 of 25 May 2018, available at: https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
[12] “Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in clear and simple terms”; Investigation report, page 28 et seq.
[13] Investigation report, page 29, point 4.4.5.1.
[14] Investigation report, page 30, point 4.4.5.2.5.1.
[15] Statement of Objections, point 18.
[16] Statement of Objections, point 20.

15. The controlled on his side confirmed in his letter dated May 3, 2021 [17] “the presence of description of plugins, which are not used on the website”, specifying that […] this description would be removed “from the declaration”. This was noted in the investigation report [18], as well as in the statement of objections. [19]

16. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things, that required information should be provided in a concise and transparent manner.

It notes that the Transparency Guidelines state that “the requirement that the provision of information to data subjects and that communications addressed to them are carried out in a “concise and transparent” manner means that the controllers should present the information/communications in an effective and succinct way in order to avoid overwhelming the persons concerned with information”. [20]

17. It notes that the “Privacy Statement” that the controlled has put in place to inform users of its website of the processing of their personal data, and a copy of which was attached to the controlled's email of September 13, 2020 [21] (hereinafter: the “data protection policy”), mentioned the processing through "Platform A" in the section "[...]" and "Platform B" in the section "[...]".

It also notes that the controller did not dispute that these treatments were not carried out. Indeed, he confirmed in his aforementioned letter of May 3, 2021 “the presence of description of plugins, which are not used on the website”.

18. It considers that the provision of information to users which corresponds to processing that is not carried out, such as information on tools […] or unused plugins listed in the data protection policy, prevents the required information from being presented to users in an efficient and succinct manner.

19.
In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee had breached the obligation of transparency arising from Article 12.1 of the GDPR to provide the required information in a concise and transparent way.

[17] This letter was sent to the CNPD by email dated May 6, 2021.
[18] Investigation report, page 31, point 4.4.5.3.3.
[19] Statement of Objections, point 19.
[20] WP 260 rev.01, point 8.
[21] Document 3 appended to the controlled's email of September 13, 2020 containing a version in language A ("[...]") and a version in language B ("[...]") of said policy. The language A version is part of annex 1 to the investigation report (exhibit 1).

20. As for the measures taken by the controlled after the on-site visit by CNPD officials, the Restricted Formation refers to point 64, as well as to Chapter II.2, Section 2.2 of this decision.

2.2 Regarding the requirement to provide information in an "easily accessible" way

21. Under objective 8 the head of investigation expected “that:

- On the website […] a link to the data protection policy is provided at the point of collection of personal data, or that this information can be consulted on the same page as those where the personal data is collected (see Tests 1 and 2).
- On the mobile application, information relating to the protection of privacy must be easily accessible, before and after downloading the application (see Tests 3 and 4).” [23]

22.
CNPD officers then inspected

- “Company A’s data protection policy and website to assess the visibility of information relating to data protection (review for example the choice of colors on the website to make the information relating to data protection easily visible, including footer links to the data protection policy)”; [24]
- “the points of collection of personal data on the website of Company A to identify the existence of a link to the data protection policy or the possibility of consulting this information on the same page as that where the personal data is collected”; [25]
- “Company A's mobile application to evaluate the ease of access to information relating to the protection of privacy, once the mobile application has been downloaded”; [26] and
- “the mobile application of Company A and checked whether a link to the data protection policy was available before downloading the mobile application, on Platform C and on Platform D”. [27]

[22] “Objective 8 - Ensure that information is easily accessible”; Investigation report, page 34 et seq.
[23] Investigation report, page 34, point 4.4.8.1.
[24] Investigation report, page 34, point 4.4.8.2.1.1
[25] Investigation report, page 34, point 4.4.8.2.2.1

23. It is apparent from the statement of objections that “the CNPD officials noted that the data protection policy is not available on the website of Company A at the personal data collection points, in particular at the level of pages A, B and C. In addition, the data protection policy is not directly accessible on Company A's mobile application”. [28]

Thus, the head of investigation held that the conditions of article 12.1 of the GDPR “as to accessibility of information (at the point of information collection)” were not respected. [29]

24.
The controller for his part told the CNPD agents during the on-site visit that a privacy statement was on its website, and that said statement was “available on each page of the website [by a link] in the footer of the page, with the exception of “interactive” pages”, but that there was no privacy statement at the level of its mobile application. He clarified that the whole interactive part of the website as well as its mobile application would be managed by its service provider Company B. The latter would have refused several requests from the controlled to make changes to the relevant pages of the website. The controlled would however be in discussion with its service provider, in order to study the possibility of adding a link to the data protection policy at the level of the mobile app.

The controller included excerpts from the exchanges he had on this subject with its service provider in its letter dated November 2, 2020. [31] [32] […].

[26] Investigation report, page 35, point 4.4.8.2.3.1
[27] Investigation report, page 35, point 4.4.8.2.4.1
[28] Statement of Objections, point 24.
[29] Statement of Objections, point 26.
[30] Report, pages 4 and 5.
[31] Investigation report, page 36, point 4.4.8.3.1.
[32] Statement of Objections, point 25.

During the Restricted Formation session of September 28, 2022, the controller reiterated his above-mentioned remarks […]. Regarding the availability of the data protection policy on its mobile application, it also specified that a link in the mobile application referred to the privacy statement on its website.

25. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things, that required information must be provided in an easily accessible manner.
It notes that the Transparency Guidelines state that “the criterion "easily accessible" means that the data subject should not have to search for information but should be able to access it immediately: for example, this information could be communicated to the persons concerned directly or by means of a link which would be addressed to them” [33], and that they recommend for an online context that a “link to the privacy statement or notice is provided at the point of collection of the personal data, or that this information can be viewed on the same page where the personal data is collected”. [34]

26. With regard to the controlled's website, the Restricted Committee notes that the CNPD officials have documented through screenshots that a direct link to the data protection policy appeared on the website of the controlled at the bottom of the page [35], with the exception of the interactive pages of this site, namely pages A, B and C. For the pages in question, users could not immediately access the required information.

[33] WP 260 rev.01, point 11.
[34] Idem.
[35] Annex 1 to the investigation report, exhibit 3.
[36] Annex 1 to the investigation report, exhibits 4, 5 and 6.
[37] Appendix 1 to the investigation report, exhibits 8 and 21.
[38] Appendix 1 to the investigation report, exhibit 8.

27. With regard to the mobile application of the controlled, the Restricted Panel notes that CNPD agents documented by screenshots for the systems [...] and [...], that no privacy statement or notice was made available to users of said application prior to downloading it. For the operating system […], they also documented that after downloading the app, the user, from the home screen of the mobile app, had to go through several steps to access the website of the controlled, at the bottom of which was a link to the data protection policy. Not only the
required information was not accessible before downloading the mobile application, it was also not directly accessible once the application was installed.

It also notes that the data protection policy only covered the website [39] of the controlled and not its mobile application, which was not even mentioned in said policy. Indeed, a data protection policy taking into account the controlled's mobile application did not exist at the start of the CNPD investigation.

28. In addition, the Restricted Committee considers that the assertion of the controlled that the unavailability of the required information would be due to the negative attitude of its service provider cannot undermine its findings as to the unavailability of this information, given that Article 28.1 of the GDPR requires that “where processing is to be carried out on behalf of a data controller, the latter only uses processors which provide sufficient guarantees as to the implementation of technical and organizational measures so that the processing meets the requirements of this Regulation and guarantees the protection of the rights of the data subject”.

29. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee breached the obligation of transparency arising from Article 12.1 of the GDPR to provide the required information in an easily accessible way.

2.3 As to the requirements to provide information in a way that is “understandable” and “in clear and simple terms”

2.3.1 At the translation level

30.
In the context of objective 5 [40] the head of investigation expected, among other things, that “the data protection policy is available in the same languages as those offered on the website, i.e. the languages of the customers targeted by the services of the controlled (cf. Test 3)”. [41]

[39] Cf. first sentence of the first sect[…]”.
[40] “Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in clear and simple terms”; Investigation report, page 28 et seq.
[41] Investigation report, page 29, point 4.4.5.1.

CNPD officers then inspected “the data protection policy to identify the existence of a translation in the same languages as those for which the site is available”. [42]

31. In the Statement of Objections, the head of investigation noted that “CNPD officials found that Company A's data protection policy is available in language A and language B only while the website is translated into language A, language B and language C”. [43]

Thus, the head of investigation held that the conditions of article 12.1 of the GDPR "as to the comprehensibility of the information (at the translation level)" were not respected. [44]

32. The controlled, for its part, told CNPD officials during the on-site visit that "It was a choice to limit ourselves to languages A and B". [45] He specified in his letter of May 3, 2021 that he intended to translate the data protection policy into language C. This was noted in the investigation report [46] as well as in the statement of objections. [47]

33. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things, that required information must be provided in an understandable way.
It notes that the Transparency Guidelines state that “the requirement that this information is “understandable” means that it should be able to be understood by the majority of the target audience. Comprehensibility is closely linked to the requirement to use clear and simple terms. A data controller knows the people about whom it collects information and may use such knowledge to determine what that audience would be likely to understand” [48].

34. With regard to the above requirement to provide the requested information in plain and simple terms, the Transparency Guidelines indicate more specifically that a “translation into one or more languages should be provided where the controller targets data subjects speaking these languages” [49].

[42] Investigation report, page 30, point 4.4.5.2.3.1.
[43] Statement of Objections, point 30.
[44] Statement of Objections, point 32.
[45] Report, page 6.
[46] Investigation report, page 31, point 4.4.5.3.2.
[47] Statement of Objections, point 31.
[48] WP 260 rev.01, point 9.

35. The Restricted Committee notes that at the start of the investigation the data protection policy was only available in language A and language B, although the website was also available in language C. It considers that the fact that a language C version of the website was made available to users by the controlled party shows that the latter was also aimed at a public mastering neither language A nor language B, and who were not likely to understand the data protection policy in one of these languages.
It therefore considers that, as the auditee had not provided users of its website with a translation of its data protection policy in all languages in which its website was made available, it had not met the requirement to provide the required information in an understandable manner and in clear and simple terms.

36. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee breached the obligation of transparency arising from Article 12.1 of the GDPR to provide the required information in a way that is understandable and in clear and simple terms.

2.3.2 At recipient level

37. With regard to objective 5 [50], the head of investigation recalled the information relating to the recipients or categories of recipients that must be provided under Articles 13 and 14 of the GDPR according to the Annex to the Transparency Guidelines [51].

38. It appears from the statement of objections in this respect that the head of investigation did not expect “a list of recipients but at least precise information on the categories of recipients” [52]. Thus, as “the CNPD agents found that the recipients of the personal data are not very detailed in the data protection policy of Company A which mentions “the category of persons A” while the register of processing is more complete and precise by indicating as recipient “[...]””, the head of the investigation held that the conditions of Article 12.1 of the GDPR “as to the comprehensible nature of the information (at the level of the recipients)” were not respected [54].

[49] WP 260 rev.01, point 13.
[50] “Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in clear and simple terms”; Investigation report, page 28 et seq.
[51] Investigation report, pages 28 to 29, point 4.4.5.
[52] Statement of Objections, point 36.

39. The controller for its part indicated in its letter of May 3, 2021 that it intended to add the point “[...]” to the data protection policy “so that users see […] all possible recipients […]”. This was noted in the investigation report [55].

40. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things, that the required information must be provided in an understandable way. Under the Transparency Guidelines, “the requirement that such information be “understandable” means that it should be able to be understood by the majority of the target audience. Comprehensibility is closely linked to the requirement to use plain and simple terms. A controller knows the people about whom it collects information and can use this knowledge to determine what this audience would be likely to understand” [56].

It also recalls that, in accordance with Article 4.9) of the GDPR, the term “recipient” means “the natural or legal person, public authority, service or any other organization which receives communication of personal data, whether or not a third party. […]”. It also notes that under the terms of Article 13.1.e) of the GDPR the controlled party must, where appropriate, provide information on the recipients or information on the categories of recipients of personal data.

41. The Restricted Committee notes that the data protection policy indicated in the section “[...]” that the personal data of users were transferred to a category of recipients, namely […].
It considers that the information met an acceptable degree of accuracy to allow users of the controlled party's website to understand to whom their personal data were transferred.

42. In view of the foregoing, the Restricted Panel does not agree with the opinion of the Head of Investigation and concludes that at the start of the investigation, the controlled party did not fail in the obligation of transparency arising from Article 12.1 of the GDPR to provide the information in an understandable way.

[53] Statement of Objections, point 37.
[54] Statement of Objections, point 39.
[55] Investigation report, page 22, point 4.4.2.3.1.
[56] WP 260 rev.01, point 9.

2.4 As to taking “appropriate measures” to provide the information

43. Given that the control of the processing carried out by the controlled party in relation to activity A was not within the scope of the investigation in question, the Restricted Panel does not rule in this decision on the grievance upheld in this regard by the head of investigation.

B. On the breach of the obligation to inform the persons concerned

1. On the principles

44. Article 13 of the GDPR provides the following:

“1.
Where personal data relating to a data subject are collected from that person, the controller shall provide him or her, at the time when the data in question are obtained, with all of the following information:
a) the identity and contact details of the controller and, where applicable, of the representative of the controller;
b) where applicable, the contact details of the data protection officer;
c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if they exist; and
(f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an international organization, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or Article 49, paragraph 1, second subparagraph, the reference to the appropriate or suitable safeguards and the means of obtaining a copy or where they have been made available;

2.
In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following additional information which is necessary to guarantee fair and transparent processing:
a) the retention period of the personal data or, where this is not possible, the criteria used to determine this duration;
b) the existence of the right to request from the controller access to personal data, the rectification or erasure thereof, or a limitation of the processing relating to the data subject, or the right to oppose the processing and the right to data portability;
c) where the processing is based on point (a) of Article 6(1) or on Article 9, paragraph 2(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on the consent made before the withdrawal thereof;
d) the right to lodge a complaint with a supervisory authority;
(e) information on whether the requirement to provide personal data has a regulatory or contractual nature or whether it conditions the conclusion of a contract and whether the data subject is obliged to provide the personal data, as well as on the possible consequences of the non-provision of those data;
f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and intended consequences of such processing for the person concerned.

3. When the controller intends to carry out further processing of personal data for a purpose other than that for which the personal data have been collected, the controller shall provide the data subject beforehand with information about this other purpose and any other relevant information referred to in paragraph 2.

4.
Paragraphs 1, 2 and 3 do not apply where and to the extent that the person concerned already has this information.”

45. The communication to data subjects of information relating to the processing of their data is an essential element in the context of compliance with the general obligations of transparency within the meaning of the GDPR. These obligations have been clarified by the Article 29 Working Party in its guidelines on transparency, which have been taken up and re-approved by the EDPS [58].

46. For the rest, the Restricted Panel refers to points 10 to 12 of this decision with regard to the principles to be observed under the obligation of transparency in accordance with Article 12.1 of the GDPR.

2. In this case

2.1 Regarding the retention period of personal data

47. In the context of objective 2 [59], the head of investigation expected, among other things, that “the following information is accessible through the data protection policy, in accordance with the annex of the G29 guidance relating to the information to be communicated to a data subject under Article 13 or Article 14: […]
● The data retention period or, when this is not possible, the criteria used to determine this period […]” [60].
CNPD officials then inspected “the data protection policy to identify the presence of information relating to the retention periods of the data processed, and that each retention period has been mentioned for the different categories of personal data and/or the different purposes of the processing” [61].

48. It is apparent from the statement of objections in this context that an analysis of the data protection policy revealed that the retention periods for personal data were not indicated for certain processing operations.
[62] The head of investigation noted that “the CNPD agents did not find any information on the retention periods for data relating to operations A, B and C” [63]. Thus, it held that the conditions of Article 13.2.a) of the GDPR “relating to the information regarding the retention period of the data were not respected at the beginning of the investigation” [64].

[57] See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.
[58] Cf. points 11 and 12 of this decision.
[59] “Objective 2 - Ensure that the information is complete”; Investigation report, page 13 et seq.
[60] Investigation report, page 13, point 4.4.2.1.
[61] Investigation report, page 16, point 4.4.2.2.8.1.
[62] Statement of Objections, paragraphs 52 and 53.
[63] Statement of Objections, paragraph 55.

49. The controlled party, for its part, indicated in its letter of May 3, 2021 its intention to add the point “[…] […] to the data protection policy, which should also mention the retention periods for personal data. This has been noted in the investigation report [65].

50. The Restricted Committee recalls that Article 13.2.a) of the GDPR requires that information relating to the retention period of personal data or, when this is not possible, the criteria used to determine this duration, be provided to the data subject at the time the personal data are obtained. It notes that the Transparency Guidelines state that “the retention period (or the criteria for determining it) can be dictated by different factors such as regulatory requirements or industry guidelines, but it should be formulated in such a way that the data subject can assess, according to the situation in which he or she finds himself or herself, what the retention period will be with regard to specific data or in the case of specific purposes.
The controller may not simply state in a general way that the personal data will be kept for as long as the legitimate purpose of the processing requires. Where appropriate, different storage periods should be mentioned for the different categories of personal data and/or the different processing purposes, including periods for archival purposes” [66].

51. The Restricted Committee notes that the data protection policy did not contain any information on the retention periods of data relating to operations A, B and C, while information relating to the retention period of the personal data of users was listed in two sections of the data protection policy, namely […]. Users therefore could not know, for all processing operations, what the related retention periods were.

[64] Statement of Objections, point 57.
[65] Investigation report, page 22, point 4.4.2.3.1.
[66] WP 260 rev.01, Annex “Information to be communicated to a data subject under Article 13 or Article 14”.

52. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee did not provide users of its website with all the information made mandatory by Article 13.2.a) of the GDPR.

2.2 Regarding the exercise of their rights by the persons concerned

53. In the context of objective 2 [67], the head of investigation expected, among other things, that “the following information is accessible through the data protection policy, in accordance with the annex of the G29 guidance relating to the information to be communicated to a data subject under Article 13 or Article 14: […]
● The rights of data subjects: access, rectification, erasure, limitation of processing, objection to processing, portability, […]. In addition, information is expected on the means made available to exercise their rights of access (e-mail address or specific contact form allowing the controller to receive the data protection requests) […]” [68].
Thus, CNPD officers inspected the data protection policy to identify “the presence of information relating to the rights of data subjects including a summary of what the rights in question include and the measures that may be taken by the person concerned to exercise them as well as any limitation to said rights”.

54. According to the statement of objections, the analysis of the data protection policy revealed that some of the rights that may be exercised by data subjects were not indicated [70]. The head of the investigation specified that in this case “the right of limitation was not mentioned in Company A's data protection policy at the start of the investigation and the right of opposition is mentioned only in the particular case […]” [71]. Thus, it held that the conditions of Article 13.2.b) of the GDPR “as regards information on the exercise of their rights by the persons concerned have not been respected” [72].

[67] “Objective 2 - Ensure that the information is complete”; Investigation report, page 13 et seq.
[68] Investigation report, page 13, point 4.4.2.1.
[69] Investigation report, page 17, point 4.4.2.2.9.1.
[70] Statement of Objections, point 58.
[71] Statement of Objections, point 60.
[72] Statement of Objections, point 62.
55. The controlled party, for its part, indicated in its letter of May 3, 2021, that it was of the opinion that the right to restriction of processing was already mentioned in the data protection policy at “point “[...]””. However, it stated its intention to add a reference to this right “under point […]” of the data protection policy and provided a suggested text. This was noted in the investigation report [73].

56. The Restricted Committee recalls that Article 13.2.b) of the GDPR requires that information on the existence of the right to request from the controller access to personal data, the rectification or erasure thereof, or a limitation of the processing relating to the data subject, or the right to oppose the processing and the right to data portability be provided to the data subject at the time when personal data are obtained. It notes that the Transparency Guidelines state that “such information should be specific to the processing scenario and include a summary of what the right in question comprises and the actions that can be taken by the person concerned to exercise it, as well as any limitation of said right […]. In particular, the right to object to the processing must be explicitly brought to the attention of the person concerned at the latest at the time of the first communication with the person concerned and must be presented clearly and separately from any other information […]” [74].

57. With regard to the right to restriction of processing, it notes that the existence of this right was not mentioned in the data protection policy.
In particular, it considers that this right did not appear in section “[...]” (in “point “[...]””) of said policy, as the term “[...]” used therein only meant a method that could be used in order to put into practice the right to restriction of processing and not the right to limitation as such.

58. With regard to the right to object, it noted that in the data protection policy, the existence of this right was first mentioned in the section “[…]” (at point “[...]”) [...], and that the existence of this right was then recalled for some of the processing operations for which it was indicated that they were based on Article 6.1.f) of the GDPR, but not for all processing based on this article. […]

[73] Investigation report, page 22, point 4.4.2.3.3.
[74] WP 260 rev.01, Annex “Information to be communicated to a data subject under Article 13 or Article 14”.
[75] Recital (67) GDPR.

59. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee did not provide users of its website with all the information made mandatory by Article 13.2.b) of the GDPR.

II. 2. On the fine and corrective measures

1. On the principles

60.
In accordance with Article 12 of the law of 1 August 2018, the National Commission has the powers provided for in Article 58.2 of the GDPR:
“(a) notify a controller or processor of the fact that the envisaged processing operations are likely to violate the provisions of this Regulation;
(b) call a controller or processor to order when the processing operations have resulted in a breach of the provisions of this Regulation;
(c) order the controller or processor to comply with requests submitted by the data subject with a view to exercising their rights under this Regulation;
d) order the controller or the processor to bring the processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specified time;
(e) order the controller to communicate to the data subject a personal data breach;
(f) impose a temporary or permanent restriction, including prohibition, of the processing;
g) order the rectification or erasure of personal data or the limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue certification if the requirements applicable to the certification are not or no longer satisfied;
i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the characteristics specific to each case;
j) order the suspension of data flows addressed to a recipient located in a third country or an international organisation.”

61. In accordance with Article 48 of the law of 1 August 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or the municipalities.

62. Article 83 of the GDPR provides that each supervisory authority shall ensure that the administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account to decide whether an administrative fine should be imposed and to decide on the amount of this fine:
“(a) the nature, gravity and duration of the breach, taking into account the nature, scope or the purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;
b) whether the breach was committed willfully or negligently;
c) any action taken by the controller or processor to mitigate the damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented under Articles 25 and 32;
e) any relevant breach previously committed by the controller or the processor;
f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any negative effects;
g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the breach, in particular whether, and the extent to which, the controller or processor notified the breach;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with these measures;
(j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved under Article 42; and
k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the breach”.

63. The Restricted Committee would like to point out that the facts taken into account in the context of this Decision are those found at the start of the investigation. Any changes made subsequently to the data processing under investigation, even if they make it possible to establish conformity in whole or in part, do not make it possible to retroactively cancel a breach that has been found.

64. Nevertheless, the steps taken by the controlled party to comply with the GDPR during the investigation procedure or to remedy the shortcomings identified by the head of investigation in the statement of objections are taken into account by the Restricted Panel as part of any corrective measures to be taken and/or in setting the amount of any administrative fine to be imposed.

2. In this case

2.1 Regarding the imposition of an administrative fine

65. In the statement of objections, the head of investigation proposes to the Restricted Panel to pronounce against the controlled party an administrative fine in the amount of 3,700 euros [76].

66.
In order to decide whether to impose an administrative fine and to decide, if applicable, on the amount of this fine, the Restricted Panel analyzes the criteria set by Article 83.2 of the GDPR:

- As for the nature and seriousness of the violation (Article 83.2.a) of the GDPR), it recalls with regard to breaches of Articles 12 and 13 of the GDPR that transparency applicable to the processing of personal data and information relating to this processing are essential obligations incumbent on controllers, so that people are fully aware of the use that will be made of their personal data, once collected. A breach of these articles of the GDPR thus constitutes an infringement of the rights of the persons concerned. The right to transparency and the right to information have been reinforced under the GDPR, which demonstrates their very particular importance.

[76] Statement of Objections, point 68.

- As for the duration criterion (Article 83.2.a) of the GDPR), the Restricted Panel finds that these shortcomings have lasted over time, at least since the beginning of the investigation and until, if applicable, a possible modification of the data protection policy. It recalls that guidance relating to the principles and obligations provided for by the GDPR was available from the CNPD, in particular on its website.

- As to the number of data subjects (Article 83.2.a) of the GDPR), the Restricted Panel finds that these are all users of the website of the controlled party and of the mobile app. It takes into account the assertion of the head of investigation that “Company A has a significant number of customers (approximately […] based on the figures communicated in December 2020)” [77].
- As to whether the breaches were committed deliberately or not (by negligence) (Article 83.2.b) of the GDPR), the Restricted Panel recalls that “not deliberately” means that there was no intention to commit the violation, although the controller or the processor has not complied with the obligation of due diligence required by law. In this case, the Restricted Committee is of the opinion that the facts and breaches observed do not reflect a deliberate intention to violate the GDPR on the part of the controlled party.

- As to the degree of cooperation established with the supervisory authority (Article 83.2.f) of the GDPR), the Restricted Panel takes into account the statement of the head of investigation according to which the auditee has shown constructive participation throughout the investigation [78].

[77] Statement of Objections, point 66.b).
[78] Statement of Objections, point 66.d).

- As to the measures taken by the controlled party to mitigate the damage suffered by the persons concerned (Article 83.2.c)), the Restricted Panel takes into account the measures taken by the controlled party and refers to Chapter II.2, Section 2.2 of this decision for the related explanations.

67. The Restricted Committee notes that the other criteria of Article 83.2 of the GDPR are neither relevant nor likely to influence its decision on the imposition of an administrative fine and its amount.

68. It also notes that while several measures have been put in place by the controlled party in order to remedy in whole or in part certain shortcomings, these were only adopted following the launch of the investigation by CNPD agents on August 26, 2020 [79] (see also point 63 of this decision).

69.
Therefore, the Restricted Panel considers that the imposition of an administrative fine is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of Articles 12.1 and 13 of the GDPR.

70. With regard to the amount of the administrative fine, the Restricted Panel recalls that Article 83.3 of the GDPR provides that in the event of multiple infringements, as is the case here, the total amount of the fine may not exceed the amount fixed for the most serious violation. To the extent that a breach of Articles 12.1 and 13 of the GDPR is attributed to the controlled party, the maximum amount of the fine that can be imposed is 20 million euros or 4% of worldwide annual revenue, whichever is greater.

71. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Restricted Panel considers that the imposition of a fine of two thousand one hundred (2,100) euros appears to be effective, proportionate and dissuasive, in accordance with the requirements of Article 83.1 of the GDPR.

2.2 Regarding the taking of corrective measures

72. In the statement of objections, the head of investigation proposes to the Restricted Panel to adopt the following corrective measures: “within a period of 1 month from the notification to the controlled party of the decision taken by the Restricted Panel:

Order, pursuant to Article 58 (2) d) of the GDPR, the controlled party to be brought into compliance with Article 12 (1) of the GDPR by making the following changes:
a) Update the data protection policy, ensuring that the information contained in Company A's data protection policy reflects reality, especially in terms of the use of plugins and tools […] described in the policy;
b) Add a redirect link to the data protection policy at the information collection points;
c) Translate the data protection policy into the same languages as those proposed for the website;
d) Provide information relating to data protection at the level of activity A.

Order, pursuant to Article 58 (2) d) of the GDPR, the controlled party to comply with Article 13, paragraph 2, letter b) of the GDPR by supplementing, in the data protection policy, the following information:
- Information on the exercise of the right of opposition by the persons concerned” [80].

[79] Sending of the preliminary questionnaire.

73. The Restricted Committee also observes that the head of investigation noted in the statement of objections that at the date of writing of that document, the auditee had added to the data protection policy information on the recipients of personal data, the retention periods of these data as well as the right to restriction of processing. Therefore, the head of investigation did not propose to the Restricted Panel to adopt corrective measures in these respects.

74. As for the corrective measures proposed by the head of investigation and by reference to point 64 of this decision, the Restricted Panel takes into account the steps taken by the controlled party in order to comply with the provisions of Articles 12.1 and 13 of the GDPR, as detailed in its letter of May 3, 2021. More specifically, it takes note of the following facts:

[80] Statement of Objections, paragraph 64.
[81] Statement of Objections, point 38.
[82] Statement of Objections, point 56.
[83] Statement of Objections, point 61.
- As for the corrective measure proposed by the head of investigation mentioned under a) of point 72 of this decision, concerning bringing the controlled party into compliance with Article 12.1 of the GDPR by updating the data protection policy and ensuring that the information contained in it reflects reality, in particular as regards the use of plugins and tools […] described in the policy, the controlled party indicated in its letter of May 3, 2021 that the plugins that are not used on the website would be removed from the data protection policy. The Restricted Panel notes, however, that the processing operations for "Platform A" [84] and "Platform B" [85] are still mentioned in the modified version of the "Privacy Statement" in language A that the controlled party transmitted to it by email dated October 13, 2022 (hereinafter: the “modified data protection policy”), and which bears the handwritten mention “PUTTING ONLINE […] 2021”. It also observes that it appears from the information contained in the header as well as in the footer of this document that it was extracted from the website of the controlled party on October 13, 2022. In addition, no documentation submitted to the Restricted Panel contains evidence that the controlled party now carries out these processing operations. In view of the insufficient compliance measures taken by the controlled party in this case and point 64 of this decision, the Restricted Panel therefore considers that there is reason to pronounce the corrective measure proposed by the head of investigation in this regard and taken up in point 72 of this decision under a).
- As for the corrective measure proposed by the head of investigation mentioned under b) of point 72 of this decision, concerning bringing the controlled party into compliance with Article 12.1 of the GDPR by adding a redirect link to the data protection policy at the information collection points, the controlled party confirmed in its letter of May 3, 2021 that […] it had decided to change service provider. During the Restricted Panel session of September 28, 2022, the controlled party reiterated its statement. However, no documentation submitted to the Restricted Panel contains proof that the controlled party has changed service provider and/or that additional information, such as a redirect link to the modified data protection policy, has been added to the interactive pages of its website, namely pages A, B and C. In view of the insufficient compliance measures taken by the controlled party in this case and point 64 of this decision, the Restricted Panel therefore considers that there is reason to pronounce the corrective measure proposed by the head of investigation in this regard and taken up in point 72 of this decision under b).

[84] Modified data protection policy, se[…]o”.
[85] Amended Data Protection Policy, se[…]o”.

- As for the corrective measure proposed by the head of investigation mentioned under c) of point 72 of this decision, concerning bringing the controlled party into compliance with Article 12.1 of the GDPR by translating the data protection policy into the same languages as those proposed for the website, the controlled party indicated in its letter of May 3, 2021 that it intends to translate the data protection policy into language C. However, it annexed only the language A version of its modified data protection policy to its email of October 13, 2022 to the Restricted Panel.
No documentation submitted to the Restricted Panel contains evidence certifying that the data protection policy has been translated into language C and made available to users of the language C version of the controlled party's website. The controlled party also failed to provide evidence that the language B version of the data protection policy has been updated and is made available to users of its website. In view of the insufficient compliance measures taken by the controlled party in this case and point 64 of this decision, the Restricted Panel therefore considers that there is reason to pronounce the corrective measure proposed by the head of investigation in this regard and taken up in point 72 of this decision under c).

- As for the corrective measure proposed by the head of investigation mentioned under d) of point 72 of this decision, concerning bringing the controlled party into compliance with Article 12.1 of the GDPR by providing data protection information at the level of activity A, the Restricted Panel, after observing that the review of the processing carried out in connection with the operation of activity A was not within the scope of the investigation in question (see point 43 of this decision), does not rule on the proposal for corrective action made by the head of investigation in this regard in point 72 of this decision under d).

- As for the corrective measure proposed by the head of investigation mentioned in point 72 of this decision, concerning bringing the controlled party into compliance with Article 13.2.b) of the GDPR by completing, in the data protection policy, the information about the exercise of the right of opposition by the persons concerned, the Restricted Panel takes note that the controlled party has added a reference to the right of opposition in the section " […] " on point " […] " [86].
Although this clarification has been added […], the Restricted Panel considers that it was not suited to informing users of the website that they have the right to object at any time, for reasons relating to their particular situation, to a processing of personal data concerning them based on Article 6.1.f) of the GDPR. In view of the insufficient compliance measures taken by the controlled party in this case and point 64 of this decision, the Restricted Panel therefore considers that there is reason to pronounce the corrective measure proposed by the head of investigation in this regard and taken up at the end of point 72 of this decision.

75. Finally, as it was noted that at the beginning of the investigation no data protection policy intended to inform users of the mobile application was made available to them (see point 27 of this decision), and as the Restricted Panel also does not have evidence that information relating to the protection of personal data is now made available to users of the mobile application (at the download points or on the pages of the application), it considers that corrective action should be taken in this regard.

In view of the foregoing developments, the National Commission sitting in restricted formation, after having deliberated, decides:

- to retain breaches of Articles 12.1 and 13 of the GDPR;
- to impose an administrative fine on Company A in the amount of two thousand one hundred (2,100) euros with regard to breaches of Articles 12.1 and 13 of the GDPR;
- to issue against Company A an injunction to bring the processing into compliance with the obligations resulting from Article 12.1 of the GDPR, within two months following the notification of the decision of the Restricted Panel, and, in particular,
  o ensure that the information contained in the data protection policy of the website reflects the reality of processing in terms of the use of plugins, tools […] described in said policy;
  o add a redirect link to the data protection policy to all information collection points;
  o translate the data protection policy into the same languages as those proposed for the website;
  o provide information relating to data protection at the level of the mobile application;
- to issue against Company A an injunction to bring the processing into compliance with the obligations resulting from Article 13 of the GDPR, within two months following the notification of the decision of the Restricted Panel, and, in particular, inform users of the website in a clear and precise manner of the existence of the right of opposition.

[86] […].

Belvaux, December 13, 2022.

For the National Commission for Data Protection sitting in restricted formation

Tine A. Larsen, President
Thierry Lallemang, Commissioner
Alain Herrmann, Commissioner

Indication of remedies

This administrative decision may be subject to an appeal for review within three months following its notification. This appeal is to be brought before the administrative court and must be introduced through a lawyer at the Court of one of the Bar Associations.