APD/GBA - 19/2021

From GDPRhub
APD/GBA - 19/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 21(2) GDPR
Article 32 GDPR
Article 7(3) GDPR
Type: Complaint
Outcome: Upheld
Decided: 12.02.2021
Published: 12.02.2021
Fine: None
Parties: Telenet
National Case Number/Name: 19/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Dutch
Original Source: Beslissing ten gronde 19/2021 van 12 februari 2021 (in NL)
Initial Contributor: Enzo

The Belgian DPA (APD/GBA) sets out best practices for transparency in a layered privacy policy and how to facilitate the right to object to direct marketing in the telecom sector.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant states that finding how to exercise their right to opt-out of receiving direct marketing on the website of the telecom provider (Telenet) is very difficult. Sending a request for further information also led to no solution.

The DPA's inspection states the following:

1. The use of a large number of documents, which makes the provision of information complex, unclear and difficult to understand; 2. The presence of erroneous information;

3. The use of techniques that may have an impact on the choices of the data subject including the granting of free consent and whether or not to become acquainted with the information or the exercise of rights;

4. The construction of the information in the form of a maze in which the data subject cannot easily access the information;

5. The default choices set by Telenet that are not the most privacy friendly and always allow profiling;

6. The mandatory quasi-automatic acceptance of communication of data via cookies;

7. Combined with the lack of possibility to easily way to exercise the right to object.


Dispute[edit | edit source]

How clear and transparent must a privacy policy be in order to satisfy the requirements of Article 13 GDPR and Article 13 GDPR?

Does continuing to use a website constitutes consent to cookies?

Holding[edit | edit source]

Direct marketing[edit | edit source]

The DPA states that the right to opt-out of direct marketing is absolute. To opt-out for Telenet's services, the opt-out must be sent through every channel of direct marketing communication or, to disable all at once, contact Telenet or go to a physical shop.

The DPA finds that the medium of communication made available for exercising the right to object must be proportionate to the means by which the controller communicates with the data subject: if the controller communicates the mandatory information under Article 13 GDPR and Article 14 GDPR via its website and/or if the data subject receives digital marketing messages from the controller, then the right to object must also be capable of being expressed online.

The DPA states that this does not facilitate the opt-out in a sufficient manner for the data subject. "A single click should suffice". The DPA links this with Article 7(3) GDPR, opting-in should be as easy as opting-out.

Transparency[edit | edit source]

The DPA states that the information structure is hard to navigate because of the overflow of information and repetitiveness. The complainant had to click 14 times to reach the full Privacy Policy. The information in this Policy however, was not sufficiently clear to allow the complainant to exercise its right to be object to direct marketing.

Judging the transparency of the website, the DPA states that it is insufficient and that Telenet should facilitate a more clear information structure. The right to object should be easily accessible according to Article 21(2) GDPR. This information should be clear and not mixed with other information. In casu, the information should be accessible through the public part of the website and not just on the user page.

Judging the 'layered' information, the DPA states that the first layer may be used to fulfill the information obligation of Article 13 GDPR and Article 14 GDPR if this information is sufficiently clear but not too detailed for the average internet user. The same applies for 'fold-out' layers, they must be clear and accessible.

Telenet's privacy policy, however, was found to be insufficiently clear. The first layer was too detailed and an overload of cross-references were present. Instead of providing a direct link to the operational page where the right to object can be exercised, the reader is provided with a descriptive explanation of how to exercise the right to object. This description is not sufficient to facilitate the individual to concretely exercise their right to object. Another example would be capital 8 referring to capital 7 and vice versa (without hyperlinks). This reduces readability and is hardly compatible with Article 12(1) GDPR, Article 12(2) GDPR, Article 13 GDPR and Article 14 GDPR.

The DPA recommends to place a link on the public page to exercise the right to object which refers to the user page "Mijn Telent" in which the customer is able to exercise this right, after logging in.

Potential for confusion regarding privacy-settings[edit | edit source]

Telenet uses 4 privacy levels, of which "Algemeen" (General) is the first level. Customers might think that this level is the most privacy friendly as this is how it is described on the website and in the privacy-settings. However, the right to object to direct marketing is still possible and because the privacy policy is not sufficiently clear, data subjects can be confused to what the most privacy friendly settings are. The first level "Algemeen" is as such not the most privacy friendly setting. This creates a risk for confusion.

Telenet states that the privacy levels do not try to replace the right to object. This reasoning is problematic according to the DPA as the way the information is structured can make it seem like these are the only options (the four levels). The privacy settings are thus a way to activate direct marketing, but not a way to deactivate it and this is not compliant as described earlier (opting-out should be as easy to opt-in).

The DPA finds that Telenet's choice to separate the right to object from the privacy settings may lead to confusion among data subjects to the extent that the former (level "Algemeen" General) is described as the "most protective" privacy level. In doing so, the Respondent lacks transparency regarding the existence and exercise of the right to object under Article 21(2) GDPR in conjunction with Article 12(1) GDPR, Article 12(2) GDPR, Article 13 GDPR and Article 14 GDPR.

Mandatory quasi automatic acceptation of sharing of information through cookies[edit | edit source]

Telenet asked for permission for cookies by stating that continuing to use the website equals consent for cookies.

As explained by the EDPB, the requirement of unambiguous and specific consent means that neither silence nor lack of action/action on the part of the data subject nor the mere use of a service can be considered valid consent. The DPA also points to recital 32 of the AVG, according to which implied consent is out of the question. This is a breach of Article 7 GDPR in conjunction with Article 4(11) GDPR. However, no fine will be given as Telenet has changed its practices after and in line with the Planet49 case of the CJEU.

Comment[edit | edit source]

The DPA considers this case particularly important as an opportunity to make best practice recommendations around certain actions to be taken to increase transparency, especially in the telecommunications sector.In doing so, the DPA contributes to the explicit task of supervisory authorities to increase awareness among data controllers and processors of their obligations under the GPDR, pursuant to Article 57(1)(b) GDPR.

Given the importance of transparency with respect to the decision making of the DPA, this decision is published on the website of the Data Protection Authority. However, given the justification in this decision refers to the content and features of the Defendant's website, it is impossible to avoid the indirect identification of the Respondent,even if his name were not to be published directly. Therefore, the DPA finds that the direct identification of the Defendant in this Decision would not put him at a greater disadvantage than the indirect identification. Therefore, the DPA decides to disclose the Defendant's identifying information.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.