CNPD (Luxembourg) - Délibération n° 24FR/2022: Difference between revisions
From GDPRhub
No edit summary |
m (Ar moved page CNPD (Luxembourg) - 24FR/2022 to CNPD (Luxembourg) - Délibération n° 24FR/2022) |
Latest revision as of 16:58, 6 December 2023
| CNPD - 24FR/2022 | |
|---|---|
 | |
| Authority: | CNPD (Luxembourg) |
| Jurisdiction: | Luxembourg |
| Relevant Law: | Article 12(1) GDPR Article 13(2)(a) GDPR Article 13(2)(b) GDPR Article 58(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 17.07.2020 |
| Decided: | 13.12.2022 |
| Published: | |
| Fine: | 3,700 EUR |
| Parties: | n/a |
| National Case Number/Name: | 24FR/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | CNPD (in FR) |
| Initial Contributor: | ls |
The Luxemburg DPA fined Є3,700 to a company running a website and a mobile app for not providing sufficient information about the processing of data and for using a privacy policy that did not reflect reality.
English Summary
Facts
On 17 July 2020, the Luxembourg DPA opened an investigation at Company A, operator of a website and mobile application, to verify the compliance of its activities with Articles 12(1), 13 and 14 GDPR. The investigation focused on the users of the website and mobile application and not on the employees.
The investigation showed that
- the privacy policy mentioned processing operations that were not actually carried out;
- the privacy policy was not available on all the pages on which the company collected data;
- regarding the mobile app, no privacy policy was available before the download and once the application was installed, the privacy policy was not easily accessible;
- the privacy policy was only available in two languages, whereas the website was available in three languages; and
- the privacy policy did not mention the length of time for which the data would be kept or the right to restrict processing.
The controller replied that the unavailability of the information was due to the attitude of the service provider who managed his site and application.
Holding
The DPA considered that the privacy policy, by mentionning certain processing operations that were actually not carried out, did not reflect reality and that the controller did not provide the required information in a comprehensible manner, in clear and simple terms, in violation of Article 12(1).
It also found a lack of information, in breach of Articles 13(2)(a) and 13(2)(b): the information regarding the length of time the data will be kept was missing for certain processing activities. Concerning the rights of the data subjects, there was no information about the right to restrict.
The DPA therefore, in accordance with Article 58(2) and taking into account the measures already implemented by the company, imposed a fine of Є3,700 and ordered the controller to update its privacy policy to comply with the requirements of Article 12(1).
Comment
It is interesting to note that this decision is one of few that concern a mobile app.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
Deliberation no. 24FR/2022 of December 13, 2022
The National Commission for Data Protection sitting in restricted formation,
composed of Mrs. Tine A. Larsen, president, and Messrs. Thierry Lallemang and Alain
Herrmann, commissioners;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating
the protection of natural persons with regard to the processing of personal data
personnel and on the free movement of such data, and repealing Directive 95/46/EC;
Considering the law of August 1, 2018 on the organization of the National Commission for the protection
data and the general data protection regime, in particular its article 41;
Having regard to the internal rules of the National Commission for Data Protection
adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its article 10.2;
Having regard to the regulations of the National Commission for Data Protection relating to the
investigation procedure adopted by decision No. 4AD/2020 dated January 22, 2020, in particular
its article 9;
Considering the following:
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Company A 1/31I. Facts and procedure
1. During its deliberation session of July 17, 2020, the National Commission for
data protection sitting in plenary session (hereinafter: the “Plenary Panel”)
Plenary”) decided to open an investigation with Company A on the basis of Article 37
er
of the law of 1 August 2018 on the organization of the National Commission for the
data protection and the general data protection regime (hereinafter: the
er
“Law of August 1, 2018”) and to appoint Mr. Christophe Buschmann as Chief
of investigation.
The said decision specified that the investigation carried out by the National Commission for the
data protection (hereinafter: the “CNPD” or the “National Commission”) had
for the purpose of monitoring the application and compliance with the GDPR and the law of 1 August 2018, and
specifically compliance with Articles 12.1, 13 and 14 of the GDPR.
2. Company A is […] registered with the Luxembourg Trade and Companies Register
under number [...], with registered office at L - […] (hereinafter: the "controlled").
The controlled [is active in the operation of internet portals and the provision of services via these
portals].
3. The decision of the National Commission sitting in restricted formation (hereafter: the
“Restricted Training”) on the outcome of the investigation will be based
- on the processing carried out by the controller in relation to the operation of the site
internet […] and the mobile application […] (hereinafter: the "website" respectively
the “mobile application”), and checked by CNPD agents; And
- on the legal and regulatory provisions taken into account by the head of investigation
in its statement of objections.
4. By letter dated August 26, 2020, the head of investigation sent a preliminary questionnaire to the
control. This moment is later referred to in this decision as "at the beginning
of the investigation ". The control responded by mail dated September 13, 2020. After2
an on-site visit which took place on October 6, 2020, the control and the investigation department of
3
the CNPD exchanged letters.
1[...].
2This letter and its annexes were sent to the CNPD by e-mail on the same day.
3
See Statement of Objections, point 9 for a detailed list of exchanges throughout the investigation.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
2/315. Following this exchange, the head of investigation drew up Investigation Report No.[…] based on the
deliberation of July 17, 2020 relating to compliance with Articles 12 point 1, 13 and 14 of the
GDPR dated May 10, 2021 (hereinafter: the “Investigation Report”).
4
It appears from the investigation report that in order to structure the investigation work, the chief
investigation has defined nine control objectives, namely:
1) ensure that the information is available;
2) ensure that the information is complete;
3) ensure that the absence of information is motivated by a valid exception;
4) ensure that information is transmitted by appropriate means;
5) ensure that the information is concise, transparent, understandable, and
conveyed in clear and simple terms;
6) ensure that the information is appropriate for the category of data subjects;
7) ensure that information is free;
8) ensure that information is easily accessible; And
9) ensure that the information is transmitted during the key stages of the processing.
It is specified in the investigation report that the CNPD agents did not check “the
legality of the processing carried out by the controller”. In this context, it is given
the following example: “in the event that the controller informs the persons
concerned that their personal data are kept for a period
2 years, CNPD officials will be able to check that the controller does not
not retain said data for a different period. On the other hand, the agents of the
CNPD will not comment on the legality of this 2-year period applied by the
data controller » .5
In addition, the survey focused on users of the website and the application
mobile, and did not target other categories of data subjects such as employees
of the controlled.6
4
5Investigation report, page 7, point “3.1 Control objectives”.
6Investigation report, page 6, point “2.3 Reservations”.
Investigation report, page 6, point “2.2 Scope”.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
3/31 The investigation report has as appendices the documents collected by the investigation department of the
CNPD and on which the investigation report is based (appendix 1), as well as the
visit in relation to the on-site visit by CNPD agents of October 6, 2020
aforesaid (appendix 2) (hereafter: the "minutes").
6. During its deliberation of July 23, 2021, the Restricted Panel appointed Mr. Marc
Lemmer, commissioner, as head of investigation replacing Mr. Christophe
Buschmann, resigned.
7. At the end of his investigation, the head of investigation notified the person inspected on
January 13, 2022 a statement of objections detailing the shortcomings he considered
constituted in this case in relation to the requirements prescribed by Article 12.1 of the GDPR
(transparency obligation) and by Article 13 of the GDPR (right to information).
The Head of Investigation proposed to the Restricted Panel to adopt five corrective measures
different, as well as to impose on the controlled an administrative fine of an amount of
3,700 euros.
The ability to submit written observations on the statement of objections was
offered to the control. The latter did not communicate any observations to the head of investigation.
8. The president of the Restricted Formation informed the controller by letter dated
May 20, 2022 that his case would be registered for the session of the Restricted Panel of
July 13, 2022 and that he was offered the opportunity to be heard there. At the request of
checked, the aforementioned session was postponed to the session of the Restricted Formation
of September 28, 2022. By email of September 15, 2022, the auditee confirmed his
attendance at said meeting.
During this session, the head of the investigation and the controller, represented by […], presented their
oral submissions in support of their written submissions and responded to questions
posed by the Restricted Panel. The Restricted Formation gave the controlled the
possibility of sending additional information requested within 2 weeks
during that session. The controller spoke last.
9. By email dated October 13, 2022, the auditee provided the information
additional information requested from the Restricted Training.
7 Statement of Objections, point 72 et seq.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey no. […] carried out with Company A 4/31II. Place
II. 1. On the reasons for the decision
A. On the breach related to the obligation of transparency
1. On the principles
10. According to Article 12.1 of the GDPR, the “controller shall take measures
appropriate to provide any information referred to in Articles 13 and 14 as well as to
carry out any communication under Articles 15 to 22 and Article 34 with regard to
concerns processing to the data subject in a concise, transparent,
understandable easily accessible, in clear and simple terms, in particular for
any information intended specifically for a child. The information is provided by
in writing or by other means including, where appropriate, electronically.
When the data subject so requests, the information may be provided
orally, provided that the identity of the data subject is demonstrated by other
means. »
11. Transparency is a fundamental aspect of the principles relating to the treatment of
personal data. The obligations in this area have been clarified by the
Article 29 Working Party in its guidelines on transparency within the meaning of the
Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (hereinafter:
“WP 260 rev.01” or the “transparency guidelines”).
These guidelines explain in particular the general rules of transparency
established by Article 12 of the GDPR, and which are applicable to the communication of information
to data subjects (Articles 13 and 14 of the GDPR), to communications addressed
to data subjects regarding the exercise of their rights (Articles 15 to 22 of the
GDPR), and communications regarding data breaches (Article 34 of the
9
GDPR).
They further underline that a “primary aspect of the principle of transparency put in place
light in these provisions is that the data subject should be able to
determine in advance what the scope and consequences of the processing encompass in order to
8
9See in particular Articles 5.1.a) and 12 of the GDPR, see also recitals (39), (58) to (60) of the GDPR.
WP 260 rev.01, point 7.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
5/31 not to be caught off guard at a later stage as to how his data
10
of a personal nature have been used.
12. It should be noted that the European Data Protection Board (hereinafter: the “EDPS”), which
succeeded the Article 29 Working Party on 25 May 2018, took over and reapproved the
documents adopted by the said Group between May 25, 2016 and May 25, 2018, as
precisely the aforementioned guidelines on transparency . 11
2. In this case
2.1 Regarding the requirement to provide information in a “concise and transparent” manner
12
13. In the context of objective 5, the head of investigation expected, among other things, that “the
data protection policy reflects the reality of the processing actually carried out
place, that is to say without anticipation of processing that could possibly be put
in place by the auditee in the future (cf. Test 5)” .13
CNPD officials then inspected “the data protection policy to
check that it reflects the reality of the processing actually implemented, i.e. without
anticipation of processing that could possibly be put in place by the controller
in the future. To do this, CNPD officials compared the content of the policy
of data protection with the explanations obtained from the controller during the interview
of 06/10/2020”. 14
14. It is apparent from the statement of objections that “the CNPD officials noted that
certain information contained in the data protection policy of the
Company A do not reflect reality" and that "the CNPD agents did not find any
trace of the processing operations relating to Platform A or Platform B which are nevertheless
15
mentioned in the data protection policy”.
Thus, the head of investigation held that the conditions of article 12.1 of the GDPR "as to the
loyalty and transparency of information" were not respected. 16
10
11WP 260 rev.01, item 10.
See EDPS Endorsement Decision 1/2018 of 25 May 2018, available at:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
12“Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in
clear and simple terms”; Investigation report, page 28 et seq.
13Investigation report, page 29, point 4.4.5.1.
14Investigation report, page 30, point 4.4.5.2.5.1.
15 Statement of Objections, point 18.
16 Statement of Objections, point 20.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
6/3115. The control on his side confirmed in his letter dated May 3, 2021 "the presence
description of plugins, which are not used on the website”, specifying that […]
this description would be removed “from the declaration”. This was noted in the report
of investigation, as well as in the statement of objections. 19
16. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things, that
required information should be provided in a concise and transparent manner.
She notes that the Transparency Guidelines state that “the requirement that the
provision of information to data subjects and that communications to them
are addressed are carried out in a “concise and transparent” manner means that the
controllers should present the information/communications in a way
effective and succinct in order to avoid overwhelming the persons concerned with information”. 20
17. She notes that the “Privacy Statement” that the control has put in place to
inform users of its website of the processing of their personal data
staff, and a copy of which was attached to the audit's email of September 13, 2020 21
(hereinafter: the “data protection policy”), mentioned the processing
through "Platform A" in the section "[...]" and "Platform B" in the section
"[...]".
It also notes that the controller did not dispute that these treatments were not
carried out. Indeed, he confirmed in his aforementioned letter of May 3, 2021 "the presence of
description of plugins, which are not used on the website”.
18. It considers that the provision of information to users which corresponds to
processing that is not carried out, such as information on tools […] or
unused plugins listed in the data protection policy, obstructs this
that the required information is presented to users in an efficient and
succinct.
19. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and
concludes that at the start of the investigation, the auditee had breached the obligation of transparency
17This letter was sent to the CNPD by email dated May 6, 2021.
18Investigation report, page 31, point 4.4.5.3.3.
19 Statement of Objections, point 19.
20WP 260 rev.01, point 8.
21Document 3 appended to the inspector's email of September 13, 2020 containing a version in language A ("[...]")
and a B-language version ("[...]") of said policy. The language A version is part of annex 1 to the report
investigation (exhibit 1).
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
7/31 arising from Article 12.1 of the GDPR to provide the required information in a way
concise and transparent.
20. As for the measures taken by control after the on-site visit by CNPD officials, the
Restricted Training refers to it in point 64, as well as in Chapter II.2, Section 2.2 of this
decision.
2.2 Regarding the requirement to provide information in an "easily accessible" way
21. Under objective 8 the lead investigator expected “that:
On the website […] a link to the data protection policy is provided to the
point of collection of personal data, or that this information is
can be consulted on the same page as those where the personal data is
collected (see Tests 1 and 2).
On the mobile application, information relating to the protection of privacy
must be easily accessible, before and after downloading the application
23
(see Tests 3 and 4). »
22. CNPD officers then inspected
- “Company A’s data protection policy and website to assess
the visibility of information relating to data protection (review for example
the choice of colors on the website to make the information relating
easily visible data protection, including footer links
to the data protection policy)”;24
- “the points of collection of personal data on the website of the
Company A to identify the existence of a link to the data protection policy
data or the possibility of consulting this information on the same page as that
where the personal data is collected”; 25
22“Objective 8 - Ensure that information is easily accessible”; Investigation report, page 34 et seq.
23Investigation report, page 34, point 4.4.8.1.
24Investigation report, page 34, point 4.4.8.2.1.1
25Investigation report, page 34, point 4.4.8.2.2.1
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
8/31 - "Company A's mobile application for evaluating the ease of access to information
relating to the protection of privacy, once the mobile application has been downloaded”; 26
And
- “the mobile application of Company A and checked whether a link to the protection policy
data was available before downloading the mobile application, on the
Platform C and on Platform D”. 27
23. It is apparent from the statement of objections that “the CNPD officials noted that
the data protection policy is not available on the website of the
Company A at the personal data collection points, in particular at the
level of pages A, B and C. In addition, the data protection policy is not
directly accessible on Company A's mobile application. 28
Thus, the head of investigation held that the conditions of article 12.1 of the GDPR "as to
accessibility of information (at the point of information collection)” were not
29
respected.
24. The controller for his part told the CNPD agents during the on-site visit that a
privacy statement was on its website, and that said statement was
“available on each page of the website [by a link] in the footer of the page, at
exception of “interactive” pages”, but that there was no declaration of
confidentiality at the level of its mobile application. He clarified that the whole part
interactive website as well as its mobile application would be managed by its
service provider Company B. The latter would have refused several requests from the
controlled to make changes to the relevant pages of the website. THE
controlled would however be in discussion with its service provider, in order to study the
possibility of adding a link to the data protection policy at the level of
the mobile app. The controller included excerpts from the exchanges he had on this subject
with its service provider in its letter dated November 2, 2020.
31 32
[…] .
26
Investigation report, page 35, point 4.4.8.2.3.1
27Investigation report, page 35, point 4.4.8.2.4.1
28 Statement of Objections, point 24.
29 Statement of Objections, point 26.
30Report, pages 4 and 5.
31Investigation report, page 36, point 4.4.8.3.1.
32 Statement of Objections, point 25.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
9/31 During the Restricted Training session of September 28, 2022, the controller reiterated
his above-mentioned remarks […]. Regarding the availability of the policy of
data protection on its mobile application, it also specified that a link in
the mobile application referred to the privacy statement on its website.
25. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things, that
required information must be provided in an easily accessible manner.
She notes that the Transparency Guidelines state that “the criterion
"easily accessible" means that the data subject should not have to
search for information but should be able to access it immediately: for example, these
information could be communicated to the persons concerned directly or to the
means of a link which would be addressed to them”, and which they recommend for a context in
line that a "link to the privacy statement or notice is provided
at the point of collection of the personal data, or that this information is
can be viewed on the same page where the personal data is
collected » .4
26. With regard to the controlled website, the Restricted Committee notes that the
CNPD officials have documented through screenshots that a direct link to the
data protection policy appeared on the website of the control at the bottom of page , 35
with the exception of the interactive pages of this site, namely pages A, B and C. For the
pages in question, users could not immediately access the
information required.
27. With regard to the mobile application of the controlled, the Restricted Panel notes that
CNPD agents documented by screenshots for the systems
[...] and [...] , that no declaration or opinion on the protection of life
privacy was made available to users of said application prior to downloading
of it. For the operating system […], they also documented that after the
app download, user, from app home screen
mobile, had to go through several steps to access the website of the control at the bottom
which contained a link to the data protection policy. Not only the
33WP 260 rev.01, point 11.
34
35Idem.
36Annex 1 to the investigation report, exhibit 3.
37Annex 1 to the investigation report, exhibits 4, 5 and 6.
Appendix 1 to the investigation report, exhibits 8 and 21.
38 Appendix 1 to the investigation report, exhibit 8.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
10/31 required information was not accessible before downloading the application
mobile, they were also not directly accessible once the application was installed.
It also notes that the data protection policy only covered the site
39
internet of the controlled and not its mobile application which was not even mentioned
in said policy. Indeed, a data protection policy taking into account
the controlled mobile application did not exist at the start of the CNPD investigation.
28. In addition, the Restricted Committee considers that the assertion of the controlled that the unavailability
of the required information would be due to the negative attitude of its service provider,
could irritate its findings as to the unavailability of this information, given
that Article 28.1 of the GDPR requires that “where processing is to be carried out for the
account of a data controller, the latter only uses subcontractors
which provide sufficient guarantees as to the implementation of technical measures
and organizational measures so that the processing meets the
requirements of this Regulation and guarantees the protection of human rights
concerned”.
29. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and
concludes that at the start of the investigation, the auditee breached the obligation of transparency
arising from Article 12.1 of the GDPR to provide the required information in a way
easily accessible.
2.3 As to the requirements to provide information in a way that is “understandable” and “in
clear and simple terms”
2.3.1 At the translation level
30. In the context of objective 5 40 the head of investigation expected, among other things, that “the
data protection policy is available in the same languages as those
offered on the website, i.e. the languages of the customers targeted by the services of the
controlled (cf. Test 3)” .
39Cf. first sentence of the first sect[…]”.
40“Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in
clear and simple terms”; Investigation report, page 28 et seq.
41 Investigation report, page 29, point 4.4.5.1.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
11/31 CNPD officers then inspected “the data protection policy to
identify the existence of a translation in the same languages as those for which
the site is available » .2
31. In the Statement of Objections, the Head of Investigation noted that “CNPD officials
found that Company A's data protection policy is available at
language A and language B only while the website is translated into language A, in
43
language B and in language C”.
Thus, the head of investigation held that the conditions of article 12.1 of the GDPR "as to the
comprehensibility of the information (at the translation level)" were not
respected. 44
32. Control, for its part, told CNPD officials during the on-site visit that it
"It was a choice to limit ourselves to languages A and B". 45
He specified in his letter of May 3, 2021 that he intended to translate the policy
46
data protection in language C. This was noted in the investigation report as well as
47
than in the statement of objections.
33. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things, that
required information must be provided in an understandable way.
She notes that the Transparency Guidelines state that “the requirement that
this information is “understandable” means that it should be able to be
understood by the majority of the target audience. Comprehensibility is closely linked to
the requirement to use clear and simple terms. A data controller knows the
people about whom it collects information and may use such
knowledge to determine what that audience would be likely to understand. 48
34. With regard to the above requirement to provide the information requested in
Plain and simple terms, the Transparency Guidelines indicate more
specifically that a “translation into one or more languages should be provided
42Investigation report, page 30, point 4.4.5.2.3.1.
43 Statement of Objections, point 30.
44 Statement of Objections, point 32.
45Report, page 6.
46Investigation report, page 31, point 4.4.5.3.2.
47 Statement of Objections, point 31.
48
WP 260 rev.01, point 9.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
12/31 where the controller targets data subjects speaking these
languages » .9
35. The Restricted Committee notes that at the start of the investigation the policy for the protection of
data was only available in language A and language B, although the website was
also available in C language.
It considers that the fact that a C language version of the website was made available
of users by the controlled, shows that the latter was also aimed at a public
mastering neither language A nor language B, and who was not likely to understand the
data protection policy in one of these languages.
It therefore considers that the auditee had not provided users of its website
a translation of its data protection policy in all languages in
which its website was made available, it had not met the requirements of
provide the required information in an understandable manner and in clear and
simple.
36. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and
concludes that at the start of the investigation, the auditee breached the obligation of transparency
arising from Article 12.1 of the GDPR to provide the required information in a way
understandable and in clear and simple terms.
2.3.2 At recipient level
50
37. With regard to objective 5, the head of investigation recalled that the information relating
to the recipients or categories of recipients who must be provided under the
51
GDPR Articles 13 and 14 according to the Annex to the Transparency Guidelines.
38. From the statement of objections it appears in this respect that the head of investigation did not
expected to “a list of recipients but at least [to] information
52
precise on the categories of recipients”.
Thus, as "the CNPD agents found that the recipients of the data
personal data are not very detailed in the data protection policy of the
49WP 260 rev.01, point 13.
50“Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in
clear and simple terms”; Investigation report, page 28 et seq.
51Investigation report, pages 28 to 29, point 4.4.5.
52 Statement of Objections, point 36.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
13/31 Company A which mentions “the category of persons A” while the register of
processing is more complete and precise by indicating as recipient "[...]", the head
of the investigation held that the conditions of article 12.1 of the GDPR "as to the nature
54
comprehensible information (at the level of the recipients)" were not respected.
39. The controller for his part indicated in his letter of May 3, 2021 that he intended to add
the point "[...]" to the data protection policy "so that users see
55
[…] all possible recipients […]”. This was noted in the investigation report.
40. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things, that
required information must be provided in an understandable way.
Under the Transparency Guidelines, “the requirement that such information
be “understandable” means that they should be able to be understood by the
majority of the target audience. Comprehensibility is closely linked to the requirement to use
plain and simple terms. A controller knows the people about
from which it collects information and can use this knowledge to
determine what this audience would be likely to understand”. 56
It also recalls that, in accordance with Article 4.9) of the GDPR, the term
““recipient”, the natural or legal person, public authority, service or any
other organization which receives communication of personal data, whether
or not from a third party. […]”. It also notes that under the terms of Article 13.1.e) of the GDPR
the control must, where appropriate, provide information on the recipients or
information on the categories of recipients of personal data.
41. The Restricted Committee notes that the data protection policy indicated in
the section "[...]" that the personal data of users were
transferred to a category of recipients, namely […].
It considers that the information met an acceptable degree of accuracy for
allow users of the controlled website to understand to whom their data
of a personal nature were transferred.
42. In view of the foregoing, the Restricted Panel does not agree with the opinion of the Head of Investigation
and concludes that at the start of the investigation, the controlled person did not fail in the obligation to
53 Statement of Objections, point 37.
54 Statement of Objections, point 39.
55Investigation report, page 22, point 4.4.2.3.1.
56
WP 260 rev.01, point 9.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
14/31 transparency arising from Article 12.1 of the GDPR to provide the information in a way
understandable.
2.4 As to taking “appropriate measures” to provide the information
43. Given that the control of the processing carried out by the controlled in relation to
activity A was not within the scope of the investigation in question, the Restricted Training
does not rule in this decision on the grievance upheld in this regard by the head of investigation.
B. On the breach of the obligation to inform the persons concerned
1. On the principles
44. Article 13 of the GDPR provides the following:
“1. Where personal data relating to a data subject is
collected from this person, the data controller provides him, at the time
where the data in question is obtained, all of the following information:
a) the identity and contact details of the controller and, where applicable, of the
representative of the controller;
b) where applicable, the contact details of the data protection officer;
c) the purposes of the processing for which the personal data are intended as well as
the legal basis for the processing;
d) where the processing is based on Article 6(1)(f), the legitimate interests
sued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data,
if they exist; And
(f) where applicable, the fact that the controller intends to carry out a
transfer of personal data to a third country or to an organization
international community, and the existence or absence of an adequacy decision issued by the
Commission or, in the case of transfers referred to in Article 46 or 47, or Article 49,
paragraph 1, second subparagraph, the reference to the appropriate or suitable safeguards and the
means of obtaining a copy or where they have been made available;
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
15/312. In addition to the information referred to in paragraph 1, the controller shall provide the
the data subject, at the time the personal data is obtained,
the following additional information which is necessary to guarantee a
fair and transparent treatment:
a) the retention period of the personal data or, where this is not
possible, the criteria used to determine this duration;
b) the existence of the right to request from the controller access to the data to
personal character, the rectification or erasure of these, or a limitation of the
processing relating to the data subject, or the right to oppose the processing and
right to data portability;
c) where the processing is based on point (a) of Article 6(1) or on Article 9,
paragraph 2(a), the existence of the right to withdraw consent at any time,
without affecting the lawfulness of the processing based on the consent made before the
withdrawal thereof;
d) the right to lodge a complaint with a supervisory authority;
(e) information on whether the requirement to provide data to
personal nature has a regulatory or contractual nature or if it conditions the
conclusion of a contract and whether the data subject is obliged to provide the data to
personal character, as well as on the possible consequences of the non-provision of
those data ;
f) the existence of automated decision-making, including profiling, referred to in Article
22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the
underlying logic, as well as the significance and intended consequences of such processing
for the person concerned.
3. When he intends to carry out further processing of personal data
personal data for a purpose other than that for which the personal data
have been collected, the data controller provides the data subject beforehand
concerned information about this other purpose and any other information
relevant referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 do not apply where and to the extent that the person
concerned already has this information. »
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
16/3145. The communication to data subjects of information relating to the processing of
their data is an essential element in the context of compliance with the general obligations
of transparency within the meaning of the GDPR. These obligations have been clarified by the Group
of Article 29 in its guidelines on transparency which have been taken up and
58
re-approved by the EDPS.
46. For the rest, the Restricted Panel refers to points 10 to 12 of this
decision with regard to the principles to be observed under the obligation to
transparency in accordance with Article 12.1 of the GDPR.
2. In this case
2.1 Regarding the retention period of personal data
59
47. In the context of objective 2, the head of investigation expected, among other things, that “the
following information is accessible through the data protection policy,
in accordance with the annex of the G29 guidance relating to the information to be
communicated to a data subject under Article 13 or Article 14: […]
● The data retention period or, when this is not possible, the criteria
60
used to determine this period […]”.
CNPD officials then inspected “the data protection policy to
identify the presence of information relating to data retention periods
processed, and that each retention period has been mentioned for the different
categories of personal data and/or the different purposes of the
treatment » .1
48. From the statement of objections it is apparent in this context that an analysis of the policy
data protection revealed that the data retention periods at
personal nature were not indicated for certain treatments. 62
The head of investigation noted that "the CNPD agents did not find any information
63
on the retention periods for data relating to operations A, B and C”.
57See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.
58cf. points 11 and 12 of this decision.
59“Objective 2 - Ensure that the information is complete”; Investigation report, page 13 et seq.
60Investigation report, page 13, point 4.4.2.1.
61 Investigation report, page 16, point 4.4.2.2.8.1.
62 Statement of Objections, paragraphs 52 and 53.
63
Statement of Objections, paragraph 55.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
17/31 Thus, it held that the conditions of article 13.2.a) of the GDPR "relating to the information
regarding the retention period of the data were not respected at the beginning of
64
investigation " .
49. The controlee for his part indicated in his letter of May 3, 2021 his intention to add
the point “[…] […] to the data protection policy which should also
mention the retention periods for personal data. This has been
noted in investigation report .65
50. The Restricted Committee recalls that Article 13.2.a) of the GDPR requires that information
relating to the retention period of personal data or, when this
is not possible, the criteria used to determine this duration, be provided to the
data subject at the time the personal data is obtained.
She notes that the Transparency Guidelines state that "the period of
conservation (or the criteria for determining it) can be dictated by different factors
such as regulatory requirements or industry guidelines, but it
should be formulated in such a way that the data subject can assess, according to the
situation in which it finds itself, what will be the retention period with regard to
specific data or in case of specific purposes. The controller does not
may simply state in a general way that the personal data
will be kept for as long as the legitimate purpose of the processing requires. The case
where appropriate, different storage periods should be mentioned for the different
categories of personal data and/or the different processing purposes,
66
including periods for archival purposes”.
51. The Restricted Committee notes that the data protection policy did not contain
no information on the retention periods of data relating to operations
A, B and C while information relating to the retention period of the data to be
personal character of the users were listed in two sections of the policy of
data protection, namely […]. Users therefore could not know for
all processing what were the related retention periods.
64
65 Statement of Objections, point 57.
66Investigation report, page 22, point 4.4.2.3.1.
WP 260 rev.01, Annex "Information to be communicated to a data subject under Article
13 or section 14”.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
18/3152. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and
concludes that at the start of the investigation, the auditee did not provide users of its site
internet all the information made mandatory by article 13.2.a) of the GDPR.
2.2 Regarding the exercise of their rights by the persons concerned
67
53. In the context of objective 2, the head of investigation expected, among other things, that “the
following information is accessible through the data protection policy,
in accordance with the annex of the G29 guidance relating to the information to be
communicated to a data subject under Article 13 or Article 14: […]
● The rights of data subjects: access, rectification, erasure, limitation of
processing, objection to processing, portability, […]. In addition, information is expected
on the means made available to exercise their rights of access (e-mail address or
specific contact form allowing the controller to receive the
data protection requests) […]”. 68
Thus, CNPD officers inspected the data protection policy to
identify “the presence of information relating to the rights of data subjects
including a summary of what the rights in question include and the measures that may
be taken by the person concerned to exercise them as well as any limitation to said
rights”.
54. According to the statement of objections, the analysis of the data protection policy has
revealed that some of the rights that may be exercised by data subjects were not
70
not indicated.
The head of the investigation specified that in this case "the right of limitation was not mentioned
in Company A's data protection policy at the start of the investigation and the
71
right of opposition is mentioned only in the particular case […]”.
Thus, it retained that the conditions of article 13.2.b) of the GDPR "as regards information on
72
the exercise of their rights by the persons concerned have not been respected”.
67 “Objective 2 - Ensure that the information is complete”; Investigation report, page 13 et seq.
68
69Investigation report, page 13, point 4.4.2.1.
70Investigation report, page 17, point 4.4.2.2.9.1.
71 Statement of Objections, point 58.
Statement of Objections, point 60.
72 Statement of Objections, point 62.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
19/3155. The controlee for his part indicated in his letter of May 3, 2021, that he was of the opinion that the
right to restriction of processing would already be mentioned in the privacy policy.
data protection at "point "[...]". However, he stated his intention to add
a reference to this right “under point […]” of the data protection policy and
73
provided a suggested text. This was noted in the investigation report.
56. The Restricted Committee recalls that Article 13.2.b) of the GDPR requires that information
on the existence of the right to request from the controller access to the data to
personal character, the rectification or erasure of these, or a limitation of the
processing relating to the data subject, or the right to oppose the processing and
right to data portability are provided to the data subject, at the time when
personal data is obtained.
She notes that the Transparency Guidelines state that "such information
should be specific to the treatment scenario and include a summary of what
understands the right in question and actions that can be taken by the person
concerned to exercise it, as well as any limitation of said right […]. In particular, the right
to object to the processing must be explicitly brought to the attention of the person
concerned at the latest at the time of the first communication with the person
concerned and must be presented clearly and separately from any other information
[…] » .4
57. With regard to the right to restriction of processing, it notes that the existence of this
right was not mentioned in the data protection policy.
In particular, it considers that this right did not appear in section "[...]" (in "point "[...]")
of said policy, as the term "[...]" used therein only meant a method that could
be used in order to put into practice the right to restriction of processing and not the
right to limitation as such.
58. With regard to the right to object, she noted that in the protection policy
data, the existence of this right was first mentioned in the section “[…]” (at
point "[...]") [...], and that the existence of this right was then recalled for some of the
processing for which it was indicated that it was based on Article 6.1.f) of the GDPR,
but not for all processing based on this article. […]
73
74Investigation report, page 22, point 4.4.2.3.3.
WP 260 rev.01, Annex "Information to be communicated to a data subject under Article
75 or section 14”.
Recital (67) GDPR.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
20/3159. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and
concludes that at the start of the investigation, the auditee did not provide users of its site
internet all the information made mandatory by article 13.2.b) of the GDPR.
II. 2. On the fine and corrective measures
1. On the principles
er
60. In accordance with article 12 of the law of 1 August 2018, the National Commission has
the powers provided for in Article 58.2 of the GDPR:
"(a) notify a controller or processor of the fact that the operations of the
envisaged processing are likely to violate the provisions of this Regulation;
(b) call a controller or processor to order when the
processing operations have resulted in a breach of the provisions of this Regulation;
(c) order the controller or processor to comply with requests
submitted by the data subject with a view to exercising their rights under this
this Regulation;
d) order the controller or the processor to put the operations of
processing in accordance with the provisions of this Regulation, where applicable, of
specific manner and within a specified time;
(e) order the controller to communicate to the data subject a
personal data breach;
(f) impose a temporary or permanent restriction, including prohibition, of the processing;
g) order the rectification or erasure of personal data or the
limitation of processing pursuant to Articles 16, 17 and 18 and the notification of these
measures to the recipients to whom the personal data have been disclosed
pursuant to Article 17(2) and Article 19;
(h) withdraw a certification or order the certification body to withdraw a
certification issued pursuant to Articles 42 and 43, or order the body to
certification not to issue certification if the requirements applicable to the certification
are not or no longer satisfied;
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Investigation No. […] conducted at Company A 21/31 i) impose an administrative fine pursuant to Article 83, in addition to or in addition to
instead of the measures referred to in this paragraph, depending on the characteristics
specific to each case;
j) order the suspension of data flows addressed to a recipient located in a
third country or an international organisation. »
61. In accordance with article 48 of the law of 1 August 2018, the CNPD may impose fines
administrative as provided for in Article 83 of the GDPR, except against the State or
of the municipalities.
62. Article 83 of the GDPR provides that each supervisory authority shall ensure that fines
administrative measures imposed are, in each case, effective, proportionate and
deterrents, before specifying the elements that must be taken into account to decide
whether an administrative fine should be imposed and to decide on the amount of this
fine :
“(a) the nature, gravity and duration of the breach, taking into account the nature, scope
or the purpose of the processing concerned, as well as the number of data subjects
affected and the level of damage they suffered;
b) whether the breach was committed willfully or negligently;
c) any action taken by the controller or processor to mitigate the
damage suffered by the persons concerned;
d) the degree of responsibility of the controller or processor, account
given the technical and organizational measures they have implemented under the
sections 25 and 32;
e) any relevant breach previously committed by the controller or
the subcontractor ;
f) the degree of cooperation established with the supervisory authority with a view to remedying the breach
and to mitigate any negative effects;
g) the categories of personal data affected by the breach;
h) the manner in which the supervisory authority became aware of the breach, in particular whether,
and the extent to which the controller or processor notified the
breach ;
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
22/31 i) where measures referred to in Article 58(2) have previously been
ordered against the controller or processor concerned for the
same purpose, compliance with these measures;
(j) the application of codes of conduct approved pursuant to Article 40 or
certification mechanisms approved under Article 42; And
k) any other aggravating or mitigating circumstance applicable to the circumstances of
the species, such as the financial advantages obtained or the losses avoided, directly or
indirectly, as a result of the breach”.
63. The Restricted Committee would like to point out that the facts taken into account in the context of the
this Decision are those found at the start of the investigation. The possible
changes relating to the data processing under investigation
subsequently, even if they make it possible to establish in whole or in part the
conformity, do not make it possible to retroactively cancel a breach noted.
64. Nevertheless, the steps taken by the control to comply with the
the GDPR during the investigation procedure or to remedy the shortcomings identified
by the head of investigation in the statement of objections, are taken into account by the
Restricted training as part of any corrective measures to be taken
and/or setting the amount of any administrative fine to be imposed.
2. In this case
2.1 Regarding the imposition of an administrative fine
65. In the statement of objections, the head of investigation proposes to the Restricted Panel to
pronounce against the controlled an administrative fine relating to the amount of
76
3,700 euros.
66. In order to decide whether to impose an administrative fine and to decide, if
applicable, of the amount of this fine, the Restricted Panel analyzes the criteria set
by article 83.2 of the GDPR:
- As for the nature and seriousness of the violation (article 83.2 a) of the GDPR), it recalls in
with regard to breaches of Articles 12 and 13 of the GDPR that transparency
applicable to the processing of personal data and information relating to
76 Statement of Objections, point 68.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
survey No. […] conducted with Company A 23/31 this processing are essential obligations incumbent on those responsible for
treatment, so that people are fully aware of the use that will be
made of their personal data, once collected. A
breach of these articles of the GDPR thus constitutes an infringement of the rights of
persons concerned. The right to transparency and the right to information have
have been reinforced under the GDPR, which demonstrates their very importance.
particular.
- As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Panel finds
that these shortcomings have lasted over time, at least since the beginning of
the investigation and until, if necessary, a possible modification of the policy of
Data protection. It recalls that guidance relating to the principles and
obligations provided for by the GDPR was available from the CNPD, in particular on its
website.
- As to the number of data subjects (article 83.2 a) of the GDPR), the Training
Restricted finds that these are all users of the website of the controlled and
the mobile app. It takes into account the assertion of the head of investigation that
“Company A has a significant number of customers (approximately […] based on the figures
77
communicated in December 2020)”.
- As to whether the breaches were committed deliberately or not
(by negligence) (article 83.2.b) of the GDPR), the Restricted Panel recalls that "no
deliberately” means that there was no intention to commit the violation, although
the controller or the processor has not complied with the obligation to
due diligence required by law.
In this case, the Restricted Committee is of the opinion that the facts and breaches
observed do not reflect a deliberate intention to violate the GDPR on the part of the
control.
- As to the degree of cooperation established with the supervisory authority (Article 83.2 f) of the
GDPR), the Restricted Panel takes into account the statement of the head of investigation according to
which the auditee has shown constructive participation throughout
78
investigation .
77 Statement of Objections, point 66.b).
78 Statement of Objections, point 66.d).
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Investigation No. […] carried out with Company A 24/31 - As to the measures taken by the inspected party to mitigate the damage suffered by the
persons concerned (article 83.2.c), the Restricted Training takes into account the
measures taken by the controlled and refers to Chapter II.2, Section 2.2 of this decision
for the related explanations.
67. The Restricted Committee notes that the other criteria of Article 83.2 of the GDPR are not
neither relevant nor likely to influence its decision on the imposition of a fine
administrative and its amount.
68. It also notes that while several measures have been put in place by the control in order to
remedy in whole or in part certain shortcomings, these were only adopted
following the launch of the investigation by CNPD agents on August 26, 2020 79
(see also point 63 of this decision).
69. Therefore, the Restricted Panel considers that the imposition of an administrative fine
is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach of the
articles 12.1 and 13 of the GDPR.
70. With regard to the amount of the administrative fine, the Restricted Panel recalls that
Article 83.3 of the GDPR provides that in the event of multiple infringements, as is the case in
case, the total amount of the fine may not exceed the amount fixed for the violation the
worse. To the extent that a breach of Articles 12.1 and 13 of the GDPR is
accused of the controlled, the maximum amount of the fine that can be withheld is 20
million euros or 4% of worldwide annual revenue, whichever is greater
retained.
71. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the Training
Restricted considers that the imposition of a fine of two thousand one hundred (2,100) euros
appears to be both effective, proportionate and dissuasive, in accordance with the requirements of
GDPR Article 83.1.
2.2 Regarding the taking of corrective measures
72. In the statement of objections, the head of investigation proposes to the Restricted Panel
to adopt the following corrective measures: “within a period of 1 month from the
notification to Control of the decision taken by the Restricted Training:
79Sending of the preliminary questionnaire.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
investigation No. […] carried out with Company A 25/31 Order, pursuant to Article 58 (2) d) of the GDPR, the Controlled being brought into compliance with
Article 12 (1) of the GDPR by making the following changes:
a) Update the data protection policy ensuring that the
information contained in Company A's data protection policy
reflect reality, especially in terms of the use of plugins and tools […]
described in the policy;
b) Add a redirect link to the data protection policy to the
information collection points;
c) Translate the data protection policy into the same languages as
those proposed for the website;
d) Provide information relating to data protection at the level of
activity a.
Order, pursuant to Article 58 (2) d) of the GDPR, the Controlled to comply with
Article 13, paragraph 2, letter b) of the GDPR, supplementing, in the protection policy
data, the following information
- Information on the exercise of the right of opposition by persons
80
concerned”.
73. The Restricted Committee also observes that the head of investigation noted in the
communication of grievances that at the date of writing this document, the auditee had added
to the data protection policy information on the recipients of the data
of a personal nature, the retention periods of this data as well as the right to
restriction of processing. Therefore, the head of investigation did not propose to the Panel
Restricted from adopting corrective measures in these respects.
74. As for the corrective measures proposed by the head of investigation and by reference to the
point 64 of this decision, the Restricted Panel takes into account the procedures
carried out by the control in order to comply with the provisions of articles 12.1 and 13 of the
GDPR, as detailed in its letter of May 3, 2021. More specifically, it
takes note of the following facts:
80 Statement of Objections, paragraph 64.
81 Statement of Objections, point 38.
82 Statement of Objections, point 56.
83
Statement of Objections, point 61.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
26/31 - As for the corrective measure proposed by the head of investigation mentioned under a) of the
point 72 of this decision concerning the compliance of the audit with article
12.1 of the GDPR by updating the data protection policy by ensuring
that the information contained in it reflects reality, in particular at the level
of the use of plugins and tools […] described in the policy, the controlled indicated
in his letter of May 3, 2021 that the plugins that are not used on the site
internet would be removed from the data protection policy.
The Restricted Committee notes, however, that the processing for
84 85
"Platform A" and "Platform B" are always mentioned in the version
modified from the "Privacy Statement" in language A that the control has transmitted
to her by email dated October 13, 2022 (hereinafter: the “Data Protection Policy”
modified data”), and which bears the handwritten mention “PUTTING ONLINE […] 2021”.
It also observes that it appears from the information contained in the header as well as
in the footer of this document, that it was extracted from the website of the controlled in
date of October 13, 2022. In addition, no documentation submitted to the Formation
Restricted does not contain evidence that the audited now performs these
treatments.
In view of the insufficient compliance measures taken by the control
in this case and point 64 of this decision, the Restricted Panel considers as of
when there is reason to pronounce the corrective measure proposed by the head of investigation to
this regard and taken up in point 72 of this Decision under (a).
- As for the corrective measure proposed by the head of investigation mentioned under b) of the
point 72 of this decision concerning the compliance of the audit with article
12.1 of the GDPR by adding a redirect link to the data protection policy
data at the information collection points, the auditee confirmed in his
letter of May 3, 2021, that […] he had decided to change service provider.
During the Restricted Training session of September 28, 2022, the controller
reiterated his words.
However, no documentation submitted to the Restricted Training contains
proof that the audited has changed service provider and/or that
additional information, such as a redirect link to the protection policy
84
Modified data protection policy, se[…]o”.“
85 Amended Data Protection Policy, se[…]o”.“
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
27/31 modified data has been added to the interactive pages of its website, at
namely pages A, B and C.
In view of the insufficient compliance measures taken by the control
in this case and point 64 of this decision, the Restricted Panel considers as of
when there is reason to pronounce the corrective measure proposed by the head of investigation to
this regard and taken up in point 72 of this decision under b).
- As for the corrective measure proposed by the head of investigation mentioned under c) of the
point 72 of this decision concerning the compliance of the audit with article
12.1 of the GDPR by translating the data protection policy into the same
languages than those proposed for the website, the controller indicated in his
letter of May 3, 2021 that he intends to translate the data protection policy
data in C language.
However, it has only annexed the language A version of its data protection policy.
modified data to his email of October 13, 2022 to the Restricted Training.
No documentation submitted to the Restricted Training contains evidence
certifying that the data protection policy has been translated into C language and updated
available to users of the C language version of the controlled website. THE
also failed to provide evidence that the language B version of the policy
data protection has been updated and is made available to users of
its website.
In view of the insufficient compliance measures taken by the control
in this case and point 64 of this decision, the Restricted Panel considers as of
when there is reason to pronounce the corrective measure proposed by the head of investigation to
this regard and taken up in point 72 of this Decision under (c).
- As for the corrective measure proposed by the head of investigation mentioned under d) of the
point 72 of this decision concerning the compliance of the audit with article
12.1 GDPR by providing data protection information
at the level of activity A, the Restricted Formation, after observing that the control
of the processing carried out in connection with the operation of activity A was not in
the scope of the investigation in question (see point 43 of this decision), does not rule
nor on the proposal for corrective action by the head of investigation in this regard to the
point 72 of this decision under d).
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
28/31 - As for the corrective measure proposed by the head of investigation mentioned in point 72 of the
this decision concerning compliance of the audit with Article 13.2.b) of the
GDPR by completing, in the data protection policy, the information about
to the exercise of the right of opposition by the persons concerned, the Restricted
takes note that the auditee has added a reference to the right of opposition in the section
86
" […] " on point " […] " .
Although this clarification has been added […], the Restricted Panel considers that it
did not lend itself to informing users of the website that they have the right to
object at any time, for reasons relating to their particular situation, to a
processing of personal data concerning them based on Article 6.1.f)
of the GDPR.
In view of the insufficient compliance measures taken by the control
in this case and point 64 of this decision, the Restricted Panel considers as of
when there is reason to pronounce the corrective measure proposed by the head of investigation to
this regard and taken up at the end of point 72 of this Decision.
75. Finally, as it was noted that at the beginning of the investigation, no policy of
data protection intended to inform users of the mobile application was not
provision of the latter (see point 27 of this decision) and as the
Formation Restreinte also does not have evidence that information relating to
to the protection of personal data are now made available to
users of the mobile application (at the download points or on the pages of this
ci), it considers that corrective action should be taken in this regard.
In view of the foregoing developments, the National Commission sitting
in restricted formation, after having deliberated, decides:
- to retain breaches of Articles 12.1 and 13 of the GDPR;
- impose an administrative fine on Company A in the amount of
two thousand one hundred (2,100) euros with regard to breaches of Articles 12.1 and 13 of the
GDPR;
86[…].
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Investigation No. […] carried out with Company A 29/31- to issue against Company A an injunction to bring the
processing with the obligations resulting from Article 12.1 of the GDPR, within two
months following the notification of the decision of the Restricted Committee, and, in particular,
o ensure that the information contained in the data protection policy
of the website reflect the reality of processing in terms of the use of
plugins, tools […] described in said policy;
o add a redirect link to the data protection policy to all
information collection points;
o translate the data protection policy into the same languages as those
proposed for the website;
o provide information relating to data protection at the level of
the mobile application;
- issue against Company A an injunction to bring the
processing with the obligations resulting from Article 13 of the GDPR, within two
months following the notification of the decision of the Restricted Committee, and, in particular,
inform users of the website in a clear and precise manner of the existence of the right
of opposition.
Belvaux, December 13, 2022.
For the National Commission for Data Protection sitting in restricted formation
Tine A. Larsen Thierry Lallemang Alain Herrmann
President Commissioner Commissioner
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A
30/31 Indication of remedies
This administrative decision may be subject to an appeal for review within three
months following its notification. This appeal is to be brought before the administrative court and must
must be introduced through a lawyer at the Court of one of the Bar Associations.
________________________________________________________________________
Decision of the National Commission sitting in restricted formation on the outcome of
Survey No. […] conducted with Company A 31/31
