APD/GBA - 25/2020
|APD/GBA - DOS-2019-01156|
|Relevant Law:||Article 5 GDPR|
Article 6 GDPR
Article 7 GDPR
Article 30 GDPR
Article 37 GDPR
Article 38 GDPR
|National Case Number/Name:||DOS-2019-01156|
|European Case Law Identifier:||n/a|
|Original Source:||Belgian DPA (in NL)|
The litigation chamber concluded that the "invite a friend" function of a social media platform violates the GDPR since consent from the users was not collected.
A social media encourages both existing users and new joiners to invite their friends to join the platform via a "invite a friend" option. The Litigation Chamber examined the legal grounds for the "invite a friend" system. The user gave the provider access to his or her list of contacts, so that a message could be sent to those contacts to join the social media platform or, if they were already members of the social media platform, to become part of that user's network of friends on the platform.
The Litigation Chamber stated the "invite a friend" functionality made the provider a controller within the meaning of the GDPR, and such processing of personal data did not fall within the scope of the "household exemption". Therefore, the GDPR applied in full.
Only the data subject whose personal data are processed can validly consent to the processing of this data. The collection of contact details can take place only on a compare and forget basis: all data of non users of the platform should be deleted. That was not the case here.
No consent is required for an e-mail invitation to the user's non-member contacts under the following conditions (already stated by the Article 29 WP): – no pressure should be applied to the transmitter or receiver; – the provider is not allowed to choose the addressees of the message; – the identity of the user sending the message must be clearly indicated; – the user sending the message must be aware of the full content of the message to be sent on his behalf'
The social media provider claimed that others social media providers were following the same practices. However, the litigation chamber considered that was not a proper argument.
As conclusion, the litigation chamber imposed a fine of EUR 50,000 for processing personal data of non-members of the website without an appropriate legal basis, as well as personal data of members.
The Belgian DPA published the decision also in English, which you may find here: https://www.dataprotectionauthority.be/sites/privacycommission/files/documents/Beslissing_GK_25-2020_EN.pdf.
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.