Datatilsynet (Denmark) - 2020-431-0085

From GDPRhub
Revision as of 14:37, 7 February 2022 by Gr (talk | contribs)
Datatilsynet (Denmark) - 2020-431-0085
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1)(f) GDPR
Type: Investigation
Outcome: Violation Found
Started: 18.06.2020
Decided:
Published: 26.01.2022
Fine: None
Parties: Den Blå Avis'
Datatilsynet (Danish Data Protection Authority)
National Case Number/Name: 2020-431-0085
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: Sara Horvat

The Danish DPA held that neither the first, nor the second consent manager used by controller, obtained consent in accordance with the GDPR, in violation of Article 5(1)(a) GDPR. Moreover, it held that controller could not rely on Article 6(1)(f) GDPR when processing for statistical purposes.

English Summary

Facts

Controller is Den Blå Avis' (DBA), an online platform for second hand goods. At the end of June 2020, the DPA conducted an ex officio investigation on DBA's processing of personal data of its website visitors. After the investigation, the DPA concluded that controller had not obtained valid consent for its processing of personal data. The controller then hanged its consent manager, after which the DPA re-investigated the matter, but then focussed on the new consent manager. Hence, in it's decision, the DPA has taken a position on the two different consent managers.

Holding

First, the DPA found that the consent was not specific, since by clicking "accept", personal data was processed for different processing purposes (like marketing and personalisation etc.), without these purposes being divided and clearly stated. Second, DBA had lacked to sufficiently inform the visitor that the personal data disclosed to third parties, nor did a link or fold-out menu appear in close connection with the purpose for which the information was passed on. After assessing the second consent manager, the DPA found that the issues with the first manager still existed. Hence, the DPA concluded that neither the first, nor the second consent manager were adequate to obtain consent in accordance with Article 4(11) GDPR, and the processing is thus not in compliance with the principle of legality, reasonableness and transparency, Article 5(1)(a) GDPR.

Furthermore, the DPA holds that, because the controller uses Google Analytics and has not implemented any measures to ensure that protection of data subjects' personal data is essentially equivalent to that within the EU, the data subject's interests override the controller's legitimate interest. Hence, the DPA found that controller could not rely on Article 6(1)(f) GDPR, regarding the processing for statistical purposes. Apart from expressing criticism, however, the DPA did not use any of their corrective powers as laid down in Article 58(2) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.


The Danish Data Protection Agency expresses serious criticism of Den Blå Avis' consent solution
Date: 26-01-2022
Decision
Private companies

The Danish Data Protection Agency has made a decision in a proprietary case concerning Den Blå Avis' processing of personal data about website visitors. The Danish Data Protection Agency expresses serious criticism that DBA's consent solution www.dba.dk does not comply with the rules in the Data Protection Ordinance.

Journal number: 2020-431-0085
Summary

At the end of June 2020, the Danish Data Protection Agency launched a self-employment case against Den Blå Avis' (DBA) processing of personal data about website visitors. After the Danish Data Protection Agency initiated the investigation, DBA chose to change its consent solution at www.dba.dk. The Danish Data Protection Agency has therefore taken a position on two different consent solutions in the decision.

As part of the investigation, the Danish Data Protection Agency has, among other things, assessed whether the conditions for a data protection law consent have been, and are, met in connection with DBA's processing of personal data.

In connection with the processing of the case, DBA stated that the processing of information about website visitors for analytical and statistical purposes can be based on the company's legitimate interests. In this connection, DBA uses the statistics and analysis tool Google Analytics.

After the case had been considered at a meeting of the Data Council, the Danish Data Protection Agency found reason to express serious criticism that neither DBA's previous nor current consent solution for processing personal data about visitors to www.dba.dk meets the Data Protection Ordinance's requirements for consent.

The Danish Data Protection Agency also found that DBA's current consent solution for the processing of personal data does not comply with the basic principle of legality, reasonableness and transparency in the Data Protection Regulation.

In addition, the Danish Data Protection Agency found that DBA's processing of personal data for statistical purposes is not in accordance with the Data Protection Regulation.
Decision

The Danish Data Protection Agency hereby returns to the case which the Authority has initiated on its own initiative regarding Den Blå Avis A / S ’(DBA) processing of personal data about website visitors. The Danish Data Protection Agency's decision concerns in particular whether DBA's consent solution at https://www.dba.dk/ before 25 June 2020 and the website's current consent solution are in accordance with the data protection law rules.

The Danish Data Protection Agency finds - after the case has been submitted to the Data Council - that neither DBA's previous nor current consent solution for processing personal data about visitors at https://www.dba.dk/ meets the Data Protection Ordinance's [1] requirement for consent in Article 4, no. 11 .

Furthermore, the Danish Data Protection Agency finds that DBA's current consent solution for the processing of personal data does not comply with the basic principle of legality, reasonableness and transparency in Article 5 (1) of the Data Protection Regulation. 1, letter a.

In addition, the Danish Data Protection Agency finds that DBA's processing of personal data for statistical purposes is not in accordance with Article 6 (1) of the Data Protection Regulation. 1, letter f.

On the basis of the above background, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that DBA's processing of personal data about visitors at https://www.dba.dk/ does not take place in accordance with the Data Protection Ordinance.

Below is a more detailed review of the case and a justification for the Danish Data Protection Agency's decision.
2. Case presentation

As a follow-up to the issuance of the Authority's guidelines from February 2020 on the processing of personal data on website visitors, the Danish Data Protection Agency has chosen to focus on whether the rules in this area are complied with.

On that occasion, the Danish Data Protection Agency has decided to investigate e.g. the website https://www.dba.dk/ further of its own operation, and the Authority has by letters of 18 June 2020, 30 July 2020 and 18 June 2021, respectively, asked DBA a number of questions with a view to the Danish Data Protection Agency's processing of the case.

In connection with the processing of the case, the Danish Data Protection Agency has examined two different consent solutions on the website https://www.dba.dk/, as DBA changed its original consent solution on 25 June 2020.

Before 25 June 2020, the consent solution at DBA was formulated as follows:

By clicking "Accept" or by clicking on a link or image on the page so that you use our site, you agree to the use of cookies and other technologies, such as cookie identifiers that process behavioral data and personal data, for the purpose of enhance and personalize your experience across brands and pages powered by eBay, including third-party advertising tailored to you on and off the page here. In addition, you also agree that third party companies that we work with may use cookies and similar technologies on your device that you visit the site from, to collect and use information for tailored targeted marketing / banners on third party sites, measurement and analysis. You can revoke your consent at any time. ”

On 25 June 2020, the DBA subsequently changed its consent solution for the processing of personal data. The consent solution contains a text in which, among other things, the following is stated:

By clicking "OK" you agree to the use of cookies and similar technologies (collectively referred to as 'cookies'), which we use for the purpose of making targeted advertising, including on third party sites, using segmentation, market research / audience analysis and statistics generated in connection with your behavior on our websites (DBA and BilBasen) as well as improving advertising services.

In addition, you agree that certain third party companies that we work with may use cookies for the above purposes here on the website.

In connection with our use of cookies, we and the above-mentioned third parties process the following personal information: IP address and other cookie ID, Facebook ID (in certain cases) as well as information about your browser, your device, your operating system and your behavior in in connection with the use of our services. ”

DBA's current consent solution allows visitors to press "OK" or "Do not accept" for the website's processing of personal data. In addition, the option to press "Settings" is presented, where visitors can access more information about the purposes for which the information is processed. Under "Settings" there is a section on advertising, which is divided into resp. IAB Partners and Non-IAB Partners (IAB is a trade association).

As part of the processing of the case, the Danish Data Protection Agency has investigated which cookies DBA uses for analytical and statistical purposes at https://www.dba.dk/.

In its opinion of 11 September 2020, the DBA has stated that the DBA has adapted its consent solution in continuation of the DBA's response of 14 July 2020, and is continuously working on improvements in the light of current practices and standards to improve transparency.

Under the section on statistics cookies in dba.dk's consent solution, the following was stated about one of the cookies used for statistics:

"This is one of the four most important cookies set by the Google Analytics service, which enables website owners to track visitor behavior and measure website performance. This cookie lasts by default for 2 years and distinguishes between users and sessions. It is used to calculate new and returning visitor statistics. The cookie is updated every time data is sent to Google Analytics. Cookie life can be customized by website owners ”

Another example of a cookie used to perform statistics on dba.dk is described as follows:

This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites. ”

DBA has also described in its personal data policy the use of the analysis tool Google Analytics. The personal data policy states, among other things: following:

We use Google Analytics, an analytics tool from Google LLC and Google Ireland Ltd. ("Google") to continuously improve our services. The use makes it possible to assign data, sessions and interactions to a pseudonymous user ID and thus analyze a user's activities on our site. Google Analytics uses cookies that are stored on your device and that enable us to analyze your use of our services. The data collected by cookies about the use of our services (including your IP address) is usually transmitted to a Google server in the USA and stored there (see further information for users in the European Economic Area below in this section).

On our behalf, Google processes this data in order to evaluate the use of our services, to compile reports on usage activities and to provide us with additional services related to the use of our services. Your IP address sent in connection with Google Analytics will not be combined with other data from Google.

[…]

We would like to point out that Google Analytics on our site has been expanded with the code "gat._anonymizeIp ();" to guarantee an anonymised collection of IP addresses (so-called IP masking). This means that before your IP address is transmitted to Google's servers in the United States, it is sent to a Google server in the EU (or in another EEA state), where it is abbreviated so that it cannot be traced to a specific person. Only after the IP address has become anonymous, the short IP address is sent to a Google server in the US and stored there.

If personal data is transferred to the United States, this will be done on the basis of the European Commission's adequacy decision under EU-US privacy protection. "

On 26 June, 14 July, 11 September 2020 and 9 July 2021, the DBA issued statements to the Danish Data Protection Agency, and section 2.1. below deals with the DBA's comments.
2.1. DBA’s comments

2.1.1. DBA's consent solution before 25 June 2020

DBA has stated that in its previous consent solution, the company processed information about website visitors covered by the Data Protection Regulation. In continuation of the Danish Data Protection Agency's new guidelines on the processing of personal data about website visitors, DBA chose to change the consent solution, as the website implemented a new solution on 25 June 2020 in order to meet the Data Inspectorate's assessment of the legal situation and to increase transparency for website visitors.

DBA's previous consent solution was designed so that website visitors were presented with a consent solution on their first visit to the website. The user then had the opportunity to give consent by either clicking on a link on the website, a feature or by clicking on the box "Accept" in the consent solution. Against this background, the DBA has stated that consent required active action from the user and that the user was informed of this when visiting the website.

2.1.2. DBA's current consent solution

DBA has generally stated that the company with its current consent solution processes information about website visitors, including information about IP address, information about the visitor's browser and operating system and information about the visitor's behavior in connection with the use of the website.

DBA has further stated that the company processes personal information about website visitors for the purpose of targeting marketing and advertising as well as for purely analytical purposes. The information collected about visitors to dba.dk is used to create statistics that can give DBA a better understanding of how the website is used by users. The information is crucial to the company's ability to improve their services and products, including analyzing whether visitors show interest in new features. The information also gives the DBA an understanding of whether the website provides value to the advertisers who have paid for it.

2.1.2.1. Treatment authority

Ad the balance of interests rule

Referring to the nature of the processing and the reasonable expectations of the data subjects, the DBA has stated that the information that the website processes for analytical purposes can be made on the basis of the balancing of interests rule in Article 6 (1) of the Data Protection Regulation. 1, letter f.

In this connection, the DBA has emphasized that sensitive information is not processed, that the processing takes place for analytical purposes, and that the scope of the processing is of a modest nature, which will not affect the data subject. The sole purpose of the treatment is to optimize the website on the basis of analyzes of anonymously aggregated data that can show how the website is used and facilitate the delivery of data to DBA's advertisers, so that the value of dba.dk as an advertising platform is visible and user payment is kept to a minimum.

In support of this, the DBA refers to recital 47 of the Data Protection Regulation, which states that the processing of personal data for direct marketing can be considered to have been carried out in a legitimate interest. With reference to this, the DBA has stated that a treatment aimed solely at generating anonymously aggregated data for use in the operation and development of the website may be based on a legitimate interest. Processing for purely analytical purposes must be considered to be less intrusive towards the data subject than processing information about a named person for direct marketing, therefore the processing of the visitor's information must be considered to take place in accordance with his reasonable expectations.

DBA has also referred to the Danish Data Protection Agency's guidelines on the processing of personal data about website visitors and an earlier statement by the Authority on Nuuday A / S [2] 'processing of personal data for analytical purposes, where the Authority found that the processing could take place in relation to predictive models. with a view to targeting any subsequent marketing in the light of Article 6 (1) of the Data Protection Regulation 1, letter f.

DBA has argued that the company's legitimate interest in processing the information for analytical purposes using cookies, so as to gain a better understanding of the visitors' needs and behavior on the website, is reinforced by the fact that DBA is in intense competition with several major online platforms among other in the form of Facebook and Marketplace.

These companies are able to achieve a very detailed understanding of their users' behavior without the use of cookies. Against this background, the DBA has stated that if the DBA is barred from processing information about website visitors for analytical purposes on the basis of a legitimate interest, the consequent lack of knowledge about the visitors will weaken the DBA's competitiveness and distort competition in the market.

It appears from DBA's current consent solution that the website uses the tool Google Analytics for the collection of personal data for statistical purposes. DBA has hereby explained that Google LLC in connection with Google Analytics processes data on behalf of DBA, and is therefore to be regarded as a data processor for DBA. Only data originating from DBA's own services (website and app) are processed and they are not merged with data from other sources. Google LLC does not use the data collected from DBA for its own or third party purposes.

DBA has also elaborated on the use of Google Analytics and stated that DBA uses the Universal Google Analytics version. The configuration of the analysis tool works in such a way that it is possible to deselect certain of Google Analytics' functions (so-called features) when implementing on the website. DBA has actively taken advantage of this opportunity and configured Google Analytics to minimize the processing of personal information about website visitors.

DBA has disabled the option of "Data sharing for Google Products", which means that DBA does not collect or otherwise process information about the visitor that may be available through his Google account. DBA has also deactivated Google's so-called "Cross device tracking via User ID" function, which is why DBA does not collate data about the visitors across their various devices (computer, iPhone, tablets, etc.) when a visitor is not logged in to his DBA account. DBA has also disabled Google's "Anonymize IP" feature so that the IP address is only stored at an aggregate level without the last three digits. This means that the IP address cannot be attributed to a specific person or household.

To the question of DBA using Google Analytics exchanges information about visitors with Google LLC and, if so, which ones, DBA has stated that Google LLC, on behalf of DBA, collects information about the visitor's IP address, cookie ID and information about the visitor's browser, operating system and behavior on dba.dk. If the visitor is logged in to their DBA account, their user ID (in encrypted form) and email address will also be transferred by DBA to Google Analytics. The IP address is processed only at an aggregate level, with the last three digits of the IP address being deleted immediately after Google receives it. The IP address can then not be traced to a specific person or household, but can only be used to deduce which geographical area the page is accessed from.

By consent

With regard to DBA's processing of information about website visitors for marketing and advertising purposes, DBA has stated that the company obtains consent from their users, cf. Article 6 (1) of the Data Protection Regulation. 1, letter a.

DBA has claimed that the website visitor is presented with a consent solution when the page is accessed for the first time and every time changes are made to the consent solution. The visitor has the opportunity to both give consent to the treatment and refrain from giving consent.

The consent solution also states who the data controller is, which of the data controller's pages on which information is collected, for what purpose the processing takes place, and that consent can be revoked at any time. By clicking on the "Settings" button, the visitor has the opportunity to customize the consent. Furthermore, the consent solution contains a link to DBA's cookie policy.

Against this background, the DBA is of the opinion that the consent solution gives the website visitor the opportunity to give a consent that is voluntary, specific, informed and expresses an unequivocal expression of will, cf. Article 4, No. 11 of the Data Protection Regulation.

The current system is designed so that technically no cookies can be stored in relation to targeted marketing on the website visitor's unit, unless the website visitor has given an active consent by clicking "OK" in the consent solution. If the visitor chooses this solution, a text string is sent back to dba.dk, which indicates whether consent has been given or not. In this way, it is ensured that personal data is not processed, unless the visitor has previously given consent to the processing. A cookie is also placed on the visitor's device for the purpose of remembering whether consent has been given or not.

By virtue of this, it can be documented that it is not possible for DBA to process personal data about website visitors for targeted marketing without the users' consent. As the DBA also informs the visitor that the consent may be revoked or amended at any time in accordance with Article 7 (1) of the Data Protection Regulation. 3, it is the DBA's assessment that the consent is in accordance with Article 7 of the Data Protection Regulation.

DBA has stated that the website targets its advertising using statistics generated by the visitor's behavior on the website in order to select relevant content for the ads. The targeted advertising and the processing in question in relation to statistics are therefore linked, which is why both the main purpose (targeted advertising) and the underlying processing (statistics for advertising purposes) are highlighted in the consent solution for the sake of transparency towards users.

Against this background, the DBA has stated that a visitor's click on "OK" only triggers consent for one purpose but two related treatments. If the visitor presses the "Do not accept" button, the website can still be used without restrictions. It is therefore the opinion of the DBA that the consent solution fulfills the condition of voluntariness in accordance with Article 4 (11) of the Data Protection Regulation.

2.1.2.2. Treatment principles

Ad legality, fairness and transparency

DBA has stated that if a visitor to dba.dk only wishes to give consent to certain treatments, the visitor can click on "Settings" in the consent solution and then make an adjustment of his consent with regard to targeted advertising. The information is provided in an easily accessible and easy-to-understand language.

Against this background, DBA has stated that the company uses a consent solution with several "layers" for the purpose of ensuring voluntariness and transparency and to prevent too much information from being included in the consent solution, so that the website visitor has difficulty understanding what is consent is given to. The consent solution must also be suitable for display on devices with different screen sizes, and that on certain devices there are limits to the amount of information that can be provided.

By giving the visitor the opportunity to either give or refuse consent in the first "layer" of the solution and the possibility of a customized consent in the second "layer", it is the DBA's opinion that the solution is in accordance with the data protection law rules. In support of this, the DBA has referred to the European Data Protection Board's (EDPB) guidelines on consent from May 2020 and the Irish Data Protection Authority's guidelines from April 2020.

Overall, the DBA's assessment is that a multi-layered consent solution that is immediately accessible to the website visitor (one click away) and that allows it to customize its consent is in line with the Data Protection Regulation's principle of transparency, cf. the Data Protection Regulation Article 5, paragraph 1, letter a.
Justification for the Danish Data Protection Agency's decision

In the following, DBA's processing of personal data about the company's website visitors both before and after 25 June 2020, when the website's consent solution was changed.

3.1. DBA's processing of personal data before 25 June 2020

The conditions for a valid consent

It appears that before 25 June 2020, the DBA processed personal information about website visitors by obtaining consent via a consent solution, which presented website visitors to either press "Settings" or "Accept".

Article 6 (1) of the Data Protection Regulation 1, letter a, it follows that the processing of personal data is lawful if the data subject has given consent to the processing of his personal data for one or more specific purposes.

It follows from Article 4 (11) of the Data Protection Regulation that consent must be a voluntary, specific, informed and unequivocal expression of the will of the data subject.

All four conditions must be met for a consent to be valid under the Data Protection Regulation.

In addition, Article 7 of the Data Protection Regulation contains additional conditions, including the condition in paragraph 1. 3, on the revocation of consent.

Voluntary

Thus, a consent must, among other things, be voluntary in order to be valid according to the rules of data protection law.

The EDPB has adopted guidelines on consent [3], which describe the understanding of the definition of a consent.

According to the EDPB's guidelines, the requirement of voluntariness implies that the data subject has a real free choice. There is a voluntary expression of will if the following four criteria are met: i) the data subject must be free to choose the purposes for which consent is given (granularity), ii) the data subject must be able to refuse to give or revoke his consent without it being to the detriment of the person concerned, (iii) performance of a contract must not be made conditional on consent to the processing of personal data which is not necessary for the performance of the contract; and (iv) there must be no clear imbalance (unequal relationship) between the data subject; and the data controller

It also follows from recital 32 in the preamble to the Data Protection Regulation that:

Consent should cover all treatment activities performed for the same purpose or purposes. When the treatment serves several purposes, consent should be given to all of them. ”

In addition, recital 43 in the preamble states:

"Consent is not presumed to have been given voluntarily if it is not possible to give separate consent to different processing activities concerning personal data, even if it is appropriate in the individual case […]."

Specifically

Consent must also be specific. It must therefore not be generally designed or without a precise indication of the purposes of the processing of personal data and which personal data will be processed. In other words, a consent must be specified in such a way that it is clear what consent is given for.

The requirement of specific consent is linked to the principle of purpose limitation, which means that personal data must always be collected for explicitly stated and legitimate purposes, and must not be further processed in a way that is incompatible with these purposes. The consent of the data subjects must therefore, in accordance with this principle, always be obtained for specifically stated purposes.

According to the EDPB's guidelines [4], a data controller who obtains consent for the processing of personal data for several different purposes must ensure that the data subject is given the opportunity to select or deselect the various processing purposes.

The Danish Data Protection Agency assesses that the various treatments, which a visitor by choosing "Accept" gave, constituted several different processing purposes, including marketing, collection of information in order to improve and personalize the user experience on the website and disclosure of information to third party companies with for the purposes of processing the information of these companies. The purposes were therefore not divided and precisely stated.

Furthermore, the third-party companies were not specifically stated in the consent solution, nor did a link or fold-out menu appear in close connection with the purpose for which the information was passed on [5].

It is also the Data Inspectorate's assessment that a consent can not be assumed to have been given voluntarily if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent to various processing activities concerning personal data and the data subject is thus forced to consent for all purposes. By being presented with the function "Accept" in the consent solution, the users were not given the opportunity to select and deselect the various treatment purposes.

Against this background, the Danish Data Protection Agency finds that the consent that DBA collected from the company's users before 25 June 2020 did not meet the conditions for being voluntary and specific.

Informed

That a consent must be informed means that the data subject must be aware of what consent is given for. The data controller must provide the data subject with a range of information to ensure that the data subject can make his decision on an informed basis.

The information must at least consist of information about:

    the identity of the data controller,
    the purpose of the proposed treatment,
    what information is processed, and
    the right to withdraw consent.

The Danish Data Protection Agency finds that the consent obtained by the DBA in its previous consent solution was not sufficiently informed.

The Danish Data Protection Agency has emphasized that there was not sufficiently clear information about the third-party companies in collaboration with whom personal data was collected and for which personal data was passed, and that it was not sufficiently clear to the data subjects which personal data was collected and passed on to these third party companies.

In this connection, the Danish Data Protection Agency should note that it is the Authority's view that - with regard to consent to the processing of personal data - it is necessary that a consent solution or declaration in an easy-to-understand and easily accessible form and in a clear and simple language it appears which data controllers, for example, personal information is passed on to. It is added in this connection that it is the identity of the data controller's organization that must appear, and not the data controller's websites, nicknames or product names that the data controller uses, as it is not easy to understand and easily accessible to the data subject.

Unambiguous expression of will

The consent of the data subject must be given in the form of an unequivocal expression of will. This means that the consent given must not give rise to doubt.

Such a statement may consist of the data subject clearly stating in an affidavit or in an active act an acceptance that personal data about him or her is being processed.

The Danish Data Protection Agency notes that a website visitor's passivity, silence or continued use of a website is not considered an active option, and that such a solution can therefore not constitute a valid consent under the data protection law rules. The Danish Data Protection Agency hereby refers to pkt. 75 and 79 of the EDPB Guidelines on Consent [6] on page 18.

The Danish Data Protection Agency finds that the consent that DBA collected from the company's users before 25 June 2020 was not an expression of an unequivocal expression of will.

The Danish Data Protection Agency has hereby emphasized that a consent that the user can give both by actually accepting the processing of personal data but also by clicking on a link or image on the page, is not an unambiguous expression of will from the data subject.

Against this background, the Danish Data Protection Agency finds overall that DBA, through the previous consent solution, did not obtain consent from visitors to dba.dk in accordance with Article 4, no. 11 of the Data Protection Ordinance, and therefore processed personal data in violation of Article 6 (1) of the Data Protection Ordinance. 1, letter a.

3.2. DBA's processing of personal data with its current consent solution

Consent

It appears that DBA processes information about website visitors for targeted marketing and advertising on the basis of the users' consent, cf. Article 6 (1) of the Data Protection Regulation. 1, letter a, and that DBA processes information about website visitors for targeted marketing by using statistics generated in connection with the website visitor's behavior on the website. The information is also passed on to other companies for the purpose of processing these companies' information.

Regardless of the fact that DBA's business purpose with these processing activities is marketing, it is the Data Inspectorate's opinion that DBA in the context of data protection law processes website visitors' personal information for more and other purposes than this one purpose.

The purpose must also be well-defined and delimited, so that sufficient clarity and openness is created about the processing and the indication of marketing as the only purpose implies in the Data Inspectorate's opinion an inaccurate description of the purposes associated with the processing that DBA carries out using the website visitor information.

On the basis of what is stated in the case, the Danish Data Protection Agency finds that the consent that DBA obtains from the company's users in its current consent solution is not granulated, and therefore does not meet the condition of voluntariness, as users are not given the option "OK" in the consent solution. to select and deselect the various treatment purposes.

The Danish Data Protection Agency has hereby emphasized the previously stated that a consent can not be assumed to have been given voluntarily if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent to different processing activities concerning personal data, and thus forced to consent for all purposes.

The Danish Data Protection Agency assesses that the DBA, with its current consent solution, processes information for various purposes, which are not divided and precisely stated.

Against this background, it is also the Data Inspectorate's assessment that the consent that DBA collects in its current consent solution is contrary to the principle of purpose limitation, and the condition that a consent must be specific.

Furthermore, it does not appear that the information is passed on to third party companies for the purpose of their marketing on DBA's website, including which companies and for what purpose. The user receives certain information about this only by reading DBA's personal data and cookie policy. Similarly, it is not clear to which third-party companies the transfer takes place, and the visitor must also go deep into the text of the personal data and cookie policy to find an overview of the third parties.

In addition, the compilation of statistics / analyzes of visitors' behavior on the website should have been covered by the consent solution, cf. below on the application of Article 6 (1) of the Data Protection Regulation. 1, letter f.

Overall, the Danish Data Protection Agency finds that DBA's processing of personal data with its current consent solution for targeted marketing is in breach of Article 6 (1) of the Data Protection Regulation. 1, letter a, as no valid consent is obtained from the data subjects, cf. Article 4, no. 11.

Processing of personal data for statistical and analytical purposes

The DBA states that the processing of personal data for purely analytical and statistical purposes is carried out on the basis of Article 6 (1) of the Data Protection Regulation. 1, letter f, and that DBA in this connection uses Google Analytics to collect personal data for statistical purposes.

It follows from Article 6 (1) of the Regulation 1, letter f, that the processing of personal data is lawful if the processing is necessary for the data controller or a third party to pursue a legitimate interest, unless the data subject's interests or fundamental rights and freedoms take precedence over this.

Recital 47 in the preamble to the Data Protection Regulation complements the provision, which states, inter alia:

The legitimate interests of a data controller, including a data controller to whom personal data may be disclosed or the legitimate interests of a third party may constitute a legal basis for processing, unless the data subject's interests or fundamental rights and freedoms take precedence over data controllers' reasonable expectations relationship with the data controller.

[…]

In all cases, the presence of a legitimate interest requires a careful assessment, including whether a data subject at the time of and in connection with the collection of personal data can reasonably expect that processing for this purpose can take place. "

Furthermore, DBA's privacy policy states that the data collected by cookies about the use of DBA's services is normally transferred to a Google server in the USA and stored there. The Privacy Policy states that if personal information is transferred to the United States, this will be done on the basis of the European Commission's adequacy decision under the privacy protection of the European Union.

Against this background, the Danish Data Protection Agency assumes that DBA's use of Google Analytics for statistical purposes involves the transfer of personal data to Google LLC in the USA.

The Danish Data Protection Agency then finds that DBA's processing of personal data for statistical purposes cannot take place on the basis of the balance of interests rule in Article 6 (1) of the Data Protection Regulation. 1, letter f.

The Danish Data Protection Agency has emphasized that DBA, by integrating content from Google in the form of the web analysis tool Google Analytics, gives Google the opportunity to collect personal information about website visitors, as this opportunity arises from the time the website is used.

The Danish Data Protection Agency has also emphasized that the European Commission's adequacy decision under the EU-US privacy protection, which the DBA has pointed out as a basis for transfer, was declared invalid by the EU judgment of 16 July 2020, in case C-311/18 (Schrems II) . The Danish Data Protection Agency is aware that transfers to Google LLC in the USA after this date take place on the basis of the EU Commission's Standard Contract (SCC).

The DBA has not demonstrated on the present basis that measures should have been implemented, in addition to what was agreed in the relevant SCCs, which, overall, provide the data subjects with a protection of their rights, which is at a level that is essentially equal to protection in the EU.

The Danish Data Protection Agency assesses that this in itself means that DBA's legitimate interests in gaining a better understanding of the visitors' behavior on the website and in order to form a basis for product and service improvements on dba.dk do not exceed consideration for the website's users. as the website visitors can not reasonably expect that their information, in addition to being the subject of analyzes and statistics on dba.dk, will also be passed on to Google LLC's servers in the USA.

The Danish Data Protection Agency therefore finds that consideration of the website visitors' interests and rights exceeds consideration of DBA's legitimate interests in processing the information for statistical purposes, and that DBA's processing of information about website visitors for this purpose cannot therefore take place on the basis of Article 6 para. 1, letter f.

The Danish Data Protection Agency further adds, with reference to DBA's remark on the Authority's opinion in a case concerning Nuuday A / S, that the Danish Data Protection Agency did not state in the decision in question that Article 6, para. 1, letter f, could be applied in relation to the use of predictive models.

With this decision, the Danish Data Protection Agency has not taken a position on what is stated by DBA that Google LLC in connection with Google Analytics processes information about website visitors on behalf of DBA, and that Google LLC is therefore to be regarded as a data processor for DBA.

Ad the structure of the consent solution

Article 5 (1) of the Data Protection Regulation 1, letter a, states that personal data must be processed legally, fairly and in a transparent manner in relation to the data subject.

The conditions in Article 4 (11) of the Data Protection Regulation that a consent must be voluntary, specific, informed and express an unequivocal expression of intent on the part of the data subject means, inter alia, that the purposes for which information is processed must be stated. covered by the consent.

This means that to the extent that a treatment is carried out on the basis of Article 6 (1), 1, letter f, on balancing of interests, this treatment should not appear as part of what the consent deals with. In the opinion of the Danish Data Protection Agency, the text of consent should only cover the processing (s) that the consent must cover. The data controller should therefore be aware of the basis for the processing of personal data that is relevant in the design of the consent text.

As stated in the case presentation, the following appears from DBA's current consent solution:

"By clicking OK" you agree to the use of cookies and similar technologies (collectively referred to as 'cookies'), which we use for the purpose of making targeted advertising, including on third-party sites, using segmentation, market research / target group analysis and statistics generated in connection with your behavior on our websites (DBA and BilBasen) as well as improvement of advertising services.

In addition, you agree that certain third party companies that we work with may use cookies for the above purposes here on the website. ”

It is the Data Inspectorate's assessment that the wording makes it unclear to the website visitors which processing basis (s) actually form the basis for DBA's processing of personal data in relation to statistics, as the processing purpose is mentioned here in connection with what the users consent to.

Similarly, the Danish Data Protection Agency's assessment is that information on withdrawal of consent is not sufficiently clear in DBA's current consent solution, as the information about this is neither highlighted nor otherwise draws the visitor's attention to this possibility.

Against this background, the Danish Data Protection Agency finds that DBA's current consent solution for the processing of personal data does not comply with the basic principle of legality, reasonableness and transparency in Article 5 (1) of the Data Protection Regulation. 1, letter a.

On the basis of the above background, the Danish Data Protection Agency finds that there are grounds for expressing serious criticism that DBA's processing of personal data about the visitors to the website dba.dk does not take place in accordance with the Data Protection Ordinance.

On the basis of the above comments on the new consent solution, the Danish Data Protection Agency must encourage the DBA to reconsider the design of the DBA's current consent solution.

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General data protection regulation).

[2] The decision was published on the Danish Data Protection Agency's website on 2 June 2020 (2019-31-1713)

[3] EDPB, Guidelines on 05/2020 on consent, Version 1.1., Adopted on 4 May 2020.

[4] Ibid. for. 60.

[5] Ibid. for. 45, example 7.

[6] Ibid. for. 75 and 79