UODO (Poland) - DS.523.4486.2024: Difference between revisions

From GDPRhub
m (link added)
(Short summary wording changed.)
Line 65: Line 65:
}}
}}


A DPA issued a decision under [[Article 66 GDPR|Article 66 GDPR]], prohibiting Meta from sharing data subject’s data via fake-ads presented on Facebook and Instagram within Poland for three months.
A DPA issued a decision under [[Article 66 GDPR|Article 66 GDPR]], prohibiting Meta from sharing advertisements containing data subject’s data, including the fake-ads, on Facebook and Instagram within Poland for three months.


== English Summary ==
== English Summary ==

Revision as of 09:31, 27 August 2024

UODO - DS.523.4486.2024
LogoPL.png
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 5(1)(d) GDPR
Article 66(1) GDPR
Article 70 para 1 of of Data protection act (Ustawa o ochronie danych osobowych)
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 05.08.2024
Published:
Fine: n/a
Parties: Meta Platforms Ireland
National Case Number/Name: DS.523.4486.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Polish
Original Source: UODO (in PL)
Initial Contributor: wp

A DPA issued a decision under Article 66 GDPR, prohibiting Meta from sharing advertisements containing data subject’s data, including the fake-ads, on Facebook and Instagram within Poland for three months.

English Summary

Facts

Data subject’s data was used to create a deep-fake ads, published on Facebook and Instagram. According to the data subject, there were approximately 260 different ads, where her name, surname and image was published, combined with a fake information about her, for example information about her death or crime committed. The ads were accessible to many users of Facebook and Instagram, including the family of data subject.

The data subject contacted the data controller Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, and requested restriction of data processing and prohibition of publication of her data via fake ads. The controller didn’t answer the request.

In parallel, the data subject filed a complaint with the Polish DPA (UODO).

Holding

The DPA explained that the Irish DPA (DPC) was competent to examine the complaint and start the proceedings. Nevertheless, the DPA found the contested processing activities fell within the scope of urgency procedure under Article 66(1) GDPR.

According to the DPA, Meta Ireland together with the ads creator acted as a joint controllers within Article 26 GDPR.

The DPA emphasised the Meta Ireland, acting as a data controller of data processed on Facebook and Instagram, processed the data related fake-news ads. One of the aggravating factors was the fact that Meta didn’t follow their privacy polices in practice (regarding ads creators due diligence). The position of data controller obliged Meta process the data subject’s data, including the data contained in ads, in compliance with data principles stemming from the GDPR, especially data accuracy principle of Article 5(1)(d) GDPR. Additionally, the affected data subject was a famous person and the published ads contained serious fake information about her. Because of that, data subject’s privacy, reputation and credibility of public figure were threatened, which violated also Article 1 CFR and Article 7 CFR.

As a result, the DPA issued a decision under Article 66(1) GDPR and Article 70(1) of Data protection act (Ustawa o ochronie danych osobowych), to secure rights and freedoms of data subject by restricting the processing activities. The DPA prohibited the controller to share the data subject’s data via ads presented on Facebook and Instagram within Poland for three months.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Polish original. Please refer to the Polish original for more details.