DPC (Ireland) - LinkedIn inquiry
DPC - LinkedIn inquiry | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 6(1)(b) GDPR Article 6(1)(f) GDPR Article 13(1)(c) GDPR Article 14(1)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 20.08.2018 |
Decided: | 22.10.2024 |
Published: | 24.10.2024 |
Fine: | 310,000,000 EUR |
Parties: | |
National Case Number/Name: | LinkedIn inquiry |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | DPC (in EN) |
Initial Contributor: | Ao |
A DPA issued LinkedIn with a fine of €310,000,000 for the unlawful processing of personal data for the purposes of behavioural analysis and targeted advertising.
English Summary
Facts
On the 20 August 2018, the French non-profit organisation “La Quadrature du Net” filed a complaint against LinkedIn for intransparent data processing. The complaint had initially been made to the French DPA (CNIL) and was later taken over by the Irish DPA (DPC) as the lead supervisory authority for LinkedIn.
The inquiry analysed LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising to its users.
The inquiry found that non of the legal bases invoked by LinkedIn justified the data processing at hand. Specifically, the consent of the LinkedIn users to this processing had not been freely given, sufficiently informed or specific or unambiguous. Further, LinkedIn’s legitimate interests were overridden by the interests and fundamental rights and freedoms of data subjects and LinkedIn could not rely on contractual necessity for the processing.
In addition, the inquiry showed that the information provided to data subjects by LinkedIn regarding the lawful basis it claimed to rely on, namely Article 6(1)(a), 6(1)(b) and 6(1)(f) GDPR was insufficient.
Holding
In a press realease, the DPC highlighted that LinkedIn had breached the overarching principles of fairness and transparency (Article 5(1)(a) GDPR) all throughout the course of the processing.
The DPC held that LinkedIn could not rely on consent under Article 6(1)(a) GDPR, legitimate interests under Article 6(1)(f) GDPR nor contractual necessity under Article 6(1)(b) GDPR for its processing. In addition to Article 5(1)(a) GDPR, the DPC held that the information provided to data subjects violated Articles 13(1)(c) and 14(1)(c) GDPR.
Made up of three administrative fines, the DPC fined LinkedIn with a total of €310,000,000 for infringements of Articles 5(1)(a), 6(1)(a), 6(1)(f), 6(1)(b), 13(1)(c) and 14(1)(c) GDPR. In addition to the fine, the DPC issued a reprimand under Article 58(2)(b) GDPR and ordered LinkedIn to bring its processing into compliance as per Article 58(2)(d) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.