AEPD (Spain) - PS/00475/2021
|AEPD (Spain) - PS/00475/2021
|Article 13 GDPR
Article 22(2) LSSI
|National Case Number/Name:
|European Case Law Identifier:
|AEPD (in ES)
English Summary[edit | edit source]
Facts[edit | edit source]
A Spanish Consumers and Users Organisation lodged a complaint with the Spanish DPA (AEPD) against MyHeritage, LTD, an online genealogy platform that offers a genetic testing service that analyses the user's DNA. The Spanish branch is part of a company based in Israel.
The complainant raised several issues:
- International transfers of personal data outside the EEA to countries without adequate guarantees, as stipulated in Article 46 GDPR.
- Processing of personal data without a clear legal basis, and lack of adequate information given to the data subject.
- Processing of genetic personal data (DNA) that does not seem to comply with any of the exceptions contained in Article 9(2) GDPR.
- Disclosure to other users of the personal data of third parties that are included in the genealogical trees.
- Disclosure of personal data of users among which "DNA Matches" or "Smart Matches" (similarities between their DNA) are established.
- Assignments to third parties for strange purposes (e.g. to protect their rights or the property of other users).
- Doubtful sharing of information with "Genealogy partners".
- Deficiencies in information and consent related to cookies.
- Legitimization of "investigations" based on consent. Doubts about whether they really get consent, what this investigation really consists of, its purposes, as well as the information provided to the data subjects.
- Deficiencies in information about the processing activities.
- Other deficiencies in the matter of information to users from Article 13 GDPR.
- No doors are closed to possible assignments or sales under license of health information or DNA of users who are not Russian, Norwegian and Swedish.
- Processing of minors' data between 13 years and the minimum age that each country establishes to provide consent without needing that of their parents or guardians.
- Other deficiencies in the drafting of the policy (inconsistencies, duplicities, omissions, ambiguities, etc.)
- Issues related to the exercise of rights.
- Doubts about the storage period of data once deleted, and the scope of the deletion.
Hence, the AEPD launched a general investigation.
Holding[edit | edit source]
According to the AEPD, the controller did not provide all the information required by Article 13 GDPR, since information about the right to portability and to restrict the processing was missing, as well as information about the right to lodge a complaint with the supervisory authority. In this regard, AEPD issued a reprimand to the controller and ordered them to include such information.
The AEPD found no evidence whatsoever of a violation of Article 6 GDPR, nor of Article 8 GDPR. There was also no violation of Article 9 GDPR, since the exception for explicit consent from Article 9(2)(a) GDPR applied.
With regard to international transfers of data, the AEPD concluded that there was no evidence of a violation, since the complainant did not point to any specific risks, and the controller manifested that they were working on new Standard Contractual Clauses (SCCs).
The AEPD also disregarded all the other allegations, finding no violations whatsoever, except in relation to cookies. Regarding cookies, the AEPD found that the website placed unnecessary own and third-party cookies before asking for consent. Additionally, the information offered in the banner was insufficient, and the cookies policy did not identify the cookies the web used. According to the AEPD, such facts constituted a violation of Article 22(2) LSSI, (the Spanish law implementing the e-Privacy Directive), and fined the controller €20,000, that were reduced to €16,000 because of an early payment.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.