CNPD (Luxembourg) - Délibération n° 24FR/2022

From GDPRhub
CNPD - 24FR/2022
Authority: CNPD (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 12(1) GDPR
Article 13(2)(a) GDPR
Article 13(2)(b) GDPR
Article 58(2) GDPR
Type: Investigation
Outcome: Violation Found
Started: 17.07.2020
Decided: 13.12.2022
Published:
Fine: 3,700 EUR
Parties: n/a
National Case Number/Name: 24FR/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNPD (in FR)
Initial Contributor: ls

The Luxembourg DPA fined a company running a website and a mobile app €3,700 for not providing sufficient information about the processing of data and for using a privacy policy that did not reflect reality.

English Summary

Facts

On 17 July 2020, the Luxembourg DPA opened an investigation at Company A, operator of a website and mobile application, to verify the compliance of its activities with Articles 12(1), 13 and 14 GDPR. The investigation focused on the users of the website and mobile application and not on the employees.

The investigation showed that

  • the privacy policy mentioned processing operations that were not actually carried out;
  • the privacy policy was not available on all the pages on which the company collected data;
  • regarding the mobile app, no privacy policy was available before the download and once the application was installed, the privacy policy was not easily accessible;
  • the privacy policy was only available in two languages, whereas the website was available in three languages; and
  • the privacy policy did not mention the length of time for which the data would be kept or the right to restrict processing.

The controller replied that the unavailability of the information was due to the attitude of the service provider who managed its site and application.

Holding

The DPA considered that the privacy policy, by mentioning certain processing operations that were not actually carried out, did not reflect reality and that the controller did not provide the required information in a comprehensible manner, in clear and simple terms, in violation of Article 12(1).

It also found a lack of information, in breach of Articles 13(2)(a) and 13(2)(b): the information regarding the length of time the data will be kept was missing for certain processing activities. Concerning the rights of the data subjects, there was no information about the right to restrict.

The DPA therefore, in accordance with Article 58(2) and taking into account the measures already implemented by the company, imposed a fine of €3,700 and ordered the controller to update its privacy policy to comply with the requirements of Article 12(1).

Comment

It is interesting to note that this decision is one of few that concern a mobile app.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Decision of the National Commission sitting in restricted formation on the outcome of

                       Survey No. […] conducted with Company A


                       Deliberation no. 24FR/2022 of December 13, 2022




The National Commission for Data Protection sitting in restricted formation,
composed of Mrs. Tine A. Larsen, president, and Messrs. Thierry Lallemang and Alain
Herrmann, commissioners;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016 relating to the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive 95/46/EC;

Considering the law of August 1, 2018 on the organization of the National Commission for Data
Protection and the general data protection regime, in particular its article 41;

Having regard to the internal rules of the National Commission for Data Protection
adopted by decision no. 3AD/2020 dated January 22, 2020, in particular its article 10.2;

Having regard to the regulations of the National Commission for Data Protection relating to the
investigation procedure adopted by decision No. 4AD/2020 dated January 22, 2020, in particular
its article 9;


Considering the following:























I. Facts and procedure


1. During its deliberation session of July 17, 2020, the National Commission for Data Protection
    sitting in plenary session (hereinafter: the “Plenary Panel”) decided to open an investigation
    with Company A on the basis of Article 37 of the law of 1 August 2018 on the organization of the
    National Commission for Data Protection and the general data protection regime (hereinafter: the
    “Law of August 1, 2018”) and to appoint Mr. Christophe Buschmann as head of investigation.

    The said decision specified that the investigation carried out by the National Commission for
    Data Protection (hereinafter: the “CNPD” or the “National Commission”) had the purpose of
    monitoring the application of and compliance with the GDPR and the law of 1 August 2018, and
    specifically compliance with Articles 12.1, 13 and 14 of the GDPR.


2. Company A is […] registered with the Luxembourg Trade and Companies Register

    under number [...], with registered office at L - […] (hereinafter: the "controlled").


    The controlled [is active in the operation of internet portals and the provision of services via these

    portals].


3. The decision of the National Commission sitting in restricted formation (hereafter: the

    “Restricted Training”) on the outcome of the investigation will be based


    - on the processing carried out by the controller in relation to the operation of the website
        […] and the mobile application […] (hereinafter: the "website" and the “mobile application”
        respectively), and checked by CNPD agents; and


    - on the legal and regulatory provisions taken into account by the head of investigation

        in its statement of objections.


4. By letter dated August 26, 2020, the head of investigation sent a preliminary questionnaire to
    the controlled. This moment is later referred to in this decision as "at the beginning of the
    investigation". The controlled responded by mail dated September 13, 2020.2 After an on-site
    visit which took place on October 6, 2020, the controlled and the investigation department of
    the CNPD exchanged letters.3




1 [...].
2 This letter and its annexes were sent to the CNPD by e-mail on the same day.
3 See Statement of Objections, point 9 for a detailed list of exchanges throughout the investigation.
5. Following this exchange, the head of investigation drew up Investigation Report No.[…] based on
    the deliberation of July 17, 2020 relating to compliance with Articles 12 point 1, 13 and 14 of
    the GDPR dated May 10, 2021 (hereinafter: the “Investigation Report”).

    It appears from the investigation report4 that, in order to structure the investigation work,
    the head of investigation defined nine control objectives, namely:


    1) ensure that the information is available;


    2) ensure that the information is complete;


    3) ensure that the absence of information is motivated by a valid exception;


    4) ensure that information is transmitted by appropriate means;


    5) ensure that the information is concise, transparent, understandable, and

        conveyed in clear and simple terms;


    6) ensure that the information is appropriate for the category of data subjects;


    7) ensure that information is free;


    8) ensure that information is easily accessible; and


    9) ensure that the information is transmitted during the key stages of the processing.


    It is specified in the investigation report that the CNPD agents did not check “the legality of
    the processing carried out by the controller”. In this context, the following example is given:
    “in the event that the controller informs the persons concerned that their personal data are
    kept for a period of 2 years, CNPD officials will be able to check that the controller does not
    retain said data for a different period. On the other hand, the agents of the CNPD will not
    comment on the legality of this 2-year period applied by the data controller”.5


    In addition, the survey focused on users of the website and the application

    mobile, and did not target other categories of data subjects such as employees

    of the controlled.6



4 Investigation report, page 7, point “3.1 Control objectives”.
5 Investigation report, page 6, point “2.3 Reservations”.
6 Investigation report, page 6, point “2.2 Scope”.
    The investigation report has as appendices the documents collected by the investigation
    department of the CNPD and on which the investigation report is based (appendix 1), as well as
    the minutes relating to the aforesaid on-site visit by CNPD agents of October 6, 2020
    (appendix 2) (hereafter: the "minutes").


6. During its deliberation of July 23, 2021, the Restricted Panel appointed Mr. Marc

    Lemmer, commissioner, as head of investigation replacing Mr. Christophe

    Buschmann, resigned.

7. At the end of his investigation, the head of investigation notified the person inspected on

    January 13, 2022 a statement of objections detailing the shortcomings he considered

    constituted in this case in relation to the requirements prescribed by Article 12.1 of the GDPR

    (transparency obligation) and by Article 13 of the GDPR (right to information).


    The Head of Investigation proposed to the Restricted Panel to adopt five different corrective
    measures, as well as to impose on the controlled an administrative fine of an amount of
    3,700 euros.

    The ability to submit written observations on the statement of objections was offered to the
    controlled. The latter did not communicate any observations to the head of investigation.


8. The president of the Restricted Formation informed the controller by letter dated May 20, 2022
    that his case would be registered for the session of the Restricted Panel of July 13, 2022 and
    that he was offered the opportunity to be heard there. At the request of the controlled, the
    aforementioned session was postponed to the session of the Restricted Formation of
    September 28, 2022. By email of September 15, 2022, the auditee confirmed his attendance at
    said meeting.


    During this session, the head of the investigation and the controller, represented by […],
    presented their oral submissions in support of their written submissions and responded to
    questions posed by the Restricted Panel. The Restricted Formation gave the controlled the
    possibility of sending, within 2 weeks, additional information requested during that session.
    The controller spoke last.


9. By email dated October 13, 2022, the auditee provided the additional information requested by
    the Restricted Training.





7 Statement of Objections, point 72 et seq.
II. Place


II. 1. On the reasons for the decision


A. On the breach related to the obligation of transparency


1. On the principles


10. According to Article 12.1 of the GDPR, the “controller shall take appropriate measures to
    provide any information referred to in Articles 13 and 14 as well as to carry out any
    communication under Articles 15 to 22 and Article 34 with regard to processing to the data
    subject in a concise, transparent, understandable and easily accessible manner, in clear and
    simple terms, in particular for any information intended specifically for a child. The
    information is provided in writing or by other means including, where appropriate,
    electronically. When the data subject so requests, the information may be provided orally,
    provided that the identity of the data subject is demonstrated by other means.”


11. Transparency is a fundamental aspect of the principles relating to the treatment of

    personal data. The obligations in this area have been clarified by the

    Article 29 Working Party in its guidelines on transparency within the meaning of the

    Regulation (EU) 2016/679, the revised version of which was adopted on April 11, 2018 (hereinafter:

    “WP 260 rev.01” or the “transparency guidelines”).


    These guidelines explain in particular the general rules of transparency established by
    Article 12 of the GDPR, and which are applicable to the communication of information to data
    subjects (Articles 13 and 14 of the GDPR), to communications addressed to data subjects
    regarding the exercise of their rights (Articles 15 to 22 of the GDPR), and communications
    regarding data breaches (Article 34 of the GDPR).9


    They further underline that a “primary aspect of the principle of transparency highlighted in
    these provisions is that the data subject should be able to determine in advance what the scope
    and consequences of the processing encompass in order not to be caught off guard at a later
    stage as to how his personal data have been used”.10

8 See in particular Articles 5.1.a) and 12 of the GDPR, see also recitals (39), (58) to (60) of the GDPR.
9 WP 260 rev.01, point 7.


12. It should be noted that the European Data Protection Board (hereinafter: the “EDPS”), which
    succeeded the Article 29 Working Party on 25 May 2018, took over and reapproved the documents
    adopted by the said Group between May 25, 2016 and May 25, 2018, such as, precisely, the
    aforementioned guidelines on transparency.11


2. In this case



2.1 Regarding the requirement to provide information in a “concise and transparent” manner

13. In the context of objective 5,12 the head of investigation expected, among other things, that
    “the data protection policy reflects the reality of the processing actually carried out, that
    is to say without anticipation of processing that could possibly be put in place by the auditee
    in the future (cf. Test 5)”.13


    CNPD officials then inspected “the data protection policy to

    check that it reflects the reality of the processing actually implemented, i.e. without

    anticipation of processing that could possibly be put in place by the controller

    in the future. To do this, CNPD officials compared the content of the policy

    of data protection with the explanations obtained from the controller during the interview

    of 06/10/2020”. 14



14. It is apparent from the statement of objections that “the CNPD officials noted that certain
    information contained in the data protection policy of Company A does not reflect reality" and
    that "the CNPD agents did not find any trace of the processing operations relating to
    Platform A or Platform B which are nevertheless mentioned in the data protection policy”.15

    Thus, the head of investigation held that the conditions of article 12.1 of the GDPR "as to the
    loyalty and transparency of information" were not respected.16




10 WP 260 rev.01, item 10.
11 See EDPS Endorsement Decision 1/2018 of 25 May 2018, available at:
https://edpb.europa.eu/sites/edpb/files/files/news/endorsement_of_wp29_documents_en_0.pdf.
12 “Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in
clear and simple terms”; Investigation report, page 28 et seq.
13 Investigation report, page 29, point 4.4.5.1.
14 Investigation report, page 30, point 4.4.5.2.5.1.
15 Statement of Objections, point 18.
16 Statement of Objections, point 20.


15. The controlled, for its part, confirmed in its letter dated May 3, 2021 "the presence of
    description of plugins, which are not used on the website”, specifying that […] this
    description would be removed “from the declaration”. This was noted in the investigation
    report, as well as in the statement of objections.19


16. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things,
    that required information should be provided in a concise and transparent manner.

    It notes that the Transparency Guidelines state that “the requirement that the provision of
    information to data subjects and the communications addressed to them be carried out in a
    “concise and transparent” manner means that controllers should present the
    information/communications in an effective and succinct way in order to avoid overwhelming the
    persons concerned with information”.20


17. It notes that the “Privacy Statement” that the controlled has put in place to inform users of
    its website of the processing of their personal data, and a copy of which was attached to the
    controlled's email of September 13, 2020 21 (hereinafter: the “data protection policy”),
    mentioned the processing through "Platform A" in the section "[...]" and "Platform B" in the
    section "[...]".

    It also notes that the controller did not dispute that these processing operations were not
    carried out. Indeed, he confirmed in his aforementioned letter of May 3, 2021 "the presence of
    description of plugins, which are not used on the website”.

18. It considers that the provision of information to users which corresponds to processing that
    is not carried out, such as information on tools […] or unused plugins listed in the data
    protection policy, prevents the required information from being presented to users in an
    effective and succinct way.


19. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of
    investigation and concludes that at the start of the investigation, the auditee had breached
    the obligation of transparency arising from Article 12.1 of the GDPR to provide the required
    information in a concise and transparent way.

17 This letter was sent to the CNPD by email dated May 6, 2021.
18 Investigation report, page 31, point 4.4.5.3.3.
19 Statement of Objections, point 19.
20 WP 260 rev.01, point 8.
21 Document 3 appended to the controlled's email of September 13, 2020 containing a version in language A ("[...]")
and a B-language version ("[...]") of said policy. The language A version is part of annex 1 to the
investigation report (exhibit 1).


20. As for the measures taken by the controlled after the on-site visit by CNPD officials, the
    Restricted Training refers to them in point 64, as well as in Chapter II.2, Section 2.2 of this
    decision.


2.2 Regarding the requirement to provide information in an "easily accessible" way


21. Under objective 8 the lead investigator expected “that:

    - On the website […] a link to the data protection policy is provided at the point of
      collection of personal data, or that this information can be consulted on the same page as
      that where the personal data is collected (see Tests 1 and 2).

    - On the mobile application, information relating to the protection of privacy must be easily
      accessible, before and after downloading the application (see Tests 3 and 4).”23


22. CNPD officers then inspected

    - “Company A’s data protection policy and website to assess the visibility of information
        relating to data protection (review for example the choice of colors on the website to make
        the information relating to data protection easily visible, including footer links to the
        data protection policy)”;24

    - “the points of collection of personal data on the website of Company A to identify the
        existence of a link to the data protection policy or the possibility of consulting this
        information on the same page as that where the personal data is collected”;25

    - "Company A's mobile application for evaluating the ease of access to information relating to
        the protection of privacy, once the mobile application has been downloaded”;26 and

    - “the mobile application of Company A and checked whether a link to the data protection policy
        was available before downloading the mobile application, on Platform C and on
        Platform D”.27

22 “Objective 8 - Ensure that information is easily accessible”; Investigation report, page 34 et seq.
23 Investigation report, page 34, point 4.4.8.1.
24 Investigation report, page 34, point 4.4.8.2.1.1
25 Investigation report, page 34, point 4.4.8.2.2.1



23. It is apparent from the statement of objections that “the CNPD officials noted that the data
    protection policy is not available on the website of Company A at the personal data collection
    points, in particular at the level of pages A, B and C. In addition, the data protection policy
    is not directly accessible on Company A's mobile application”.28

    Thus, the head of investigation held that the conditions of article 12.1 of the GDPR "as to
    accessibility of information (at the point of information collection)” were not respected.29


24. The controller for his part told the CNPD agents during the on-site visit that a privacy
    statement was on its website, and that said statement was “available on each page of the
    website [by a link] in the footer of the page, with the exception of “interactive” pages”, but
    that there was no privacy statement at the level of its mobile application. He clarified that
    the whole interactive part of the website as well as its mobile application would be managed by
    its service provider Company B. The latter would have refused several requests from the
    controlled to make changes to the relevant pages of the website. The controlled would however
    be in discussion with its service provider, in order to study the possibility of adding a link
    to the data protection policy at the level of the mobile app. The controller included excerpts
    from the exchanges he had on this subject with its service provider in its letter dated
    November 2, 2020.

    […].31 32





    During the Restricted Training session of September 28, 2022, the controller reiterated his
    above-mentioned remarks […]. Regarding the availability of the data protection policy on its
    mobile application, it also specified that a link in the mobile application referred to the
    privacy statement on its website.

26 Investigation report, page 35, point 4.4.8.2.3.1
27 Investigation report, page 35, point 4.4.8.2.4.1
28 Statement of Objections, point 24.
29 Statement of Objections, point 26.
30 Report, pages 4 and 5.
31 Investigation report, page 36, point 4.4.8.3.1.
32 Statement of Objections, point 25.


25. The Restricted Committee recalls that Article 12.1 of the GDPR requires, among other things,
    that required information must be provided in an easily accessible manner.

    It notes that the Transparency Guidelines state that “the criterion "easily accessible" means
    that the data subject should not have to search for information but should be able to access it
    immediately: for example, this information could be communicated to the persons concerned
    directly or by means of a link which would be addressed to them”, and that they recommend for
    an online context that a "link to the privacy statement or notice is provided at the point of
    collection of the personal data, or that this information can be viewed on the same page where
    the personal data is collected”.34


26. With regard to the website of the controlled, the Restricted Committee notes that the CNPD
    officials have documented through screenshots that a direct link to the data protection policy
    appeared on the website of the controlled at the bottom of the page,35 with the exception of
    the interactive pages of this site, namely pages A, B and C. For the pages in question, users
    could not immediately access the information required.


27. With regard to the mobile application of the controlled, the Restricted Panel notes that CNPD
    agents documented by screenshots for the systems [...] and [...], that no statement or notice
    on the protection of privacy was made available to users of said application prior to
    downloading it. For the operating system […], they also documented that after the app download,
    the user, from the home screen of the mobile application, had to go through several steps to
    access the website of the controlled, at the bottom of which was a link to the data protection
    policy. Not only was the required information not accessible before downloading the mobile
    application, it was also not directly accessible once the application was installed.

33 WP 260 rev.01, point 11.
34 Idem.
35 Annex 1 to the investigation report, exhibit 3.
36 Annex 1 to the investigation report, exhibits 4, 5 and 6.
37 Appendix 1 to the investigation report, exhibits 8 and 21.
38 Appendix 1 to the investigation report, exhibit 8.


    It also notes that the data protection policy only covered the website of the controlled,39
    and not its mobile application, which was not even mentioned in said policy. Indeed, a data
    protection policy taking into account the mobile application of the controlled did not exist at
    the start of the CNPD investigation.


28. In addition, the Restricted Committee considers that the assertion of the controlled that the
    unavailability of the required information would be due to the negative attitude of its service
    provider cannot undermine its findings as to the unavailability of this information, given that
    Article 28.1 of the GDPR requires that “where processing is to be carried out on behalf of a
    data controller, the latter only uses subcontractors which provide sufficient guarantees as to
    the implementation of technical and organizational measures so that the processing meets the
    requirements of this Regulation and guarantees the protection of the rights of the data
    subject”.


29. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of
    investigation and concludes that at the start of the investigation, the auditee breached the
    obligation of transparency arising from Article 12.1 of the GDPR to provide the required
    information in an easily accessible way.


2.3 As to the requirements to provide information in a way that is “understandable” and “in clear and simple terms”


2.3.1 At the translation level


30. In the context of objective 5,40 the head of investigation expected, among other things, that
    “the data protection policy is available in the same languages as those offered on the
    website, i.e. the languages of the customers targeted by the services of the controlled
    (cf. Test 3)”.41








    CNPD officers then inspected “the data protection policy to identify the existence of a
    translation in the same languages as those for which the site is available”.42

39 Cf. first sentence of the first sect[…]”.
40 “Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in
clear and simple terms”; Investigation report, page 28 et seq.
41 Investigation report, page 29, point 4.4.5.1.



31. In the Statement of Objections, the Head of Investigation noted that “CNPD officials found
    that Company A's data protection policy is available in language A and language B only while
    the website is translated into language A, language B and language C”.43

    Thus, the head of investigation held that the conditions of article 12.1 of the GDPR "as to the
    comprehensibility of the information (at the translation level)" were not respected.44


32. Control, for its part, told CNPD officials during the on-site visit that it

    "It was a choice to limit ourselves to languages A and B". 45



    He specified in his letter of May 3, 2021 that he intended to translate the policy
                                                                                               46
    data protection in language C. This was noted in the investigation report as well as
                                            47
    than in the statement of objections.


33. The Restricted Panel recalls that Article 12.1 of the GDPR requires, among other things, that the required information be provided in an understandable way.

It notes that the Transparency Guidelines state that “the requirement that this information is “understandable” means that it should be able to be understood by the majority of the target audience. Comprehensibility is closely linked to the requirement to use clear and simple terms. A data controller knows the people about whom it collects information and may use such knowledge to determine what that audience would be likely to understand”. 48

34. With regard to the above requirement to provide the information requested in clear and simple terms, the Transparency Guidelines indicate more specifically that a “translation into one or more languages should be provided where the controller targets data subjects speaking these languages”. 49

42 Investigation report, page 30, point 4.4.5.2.3.1.
43 Statement of Objections, point 30.
44 Statement of Objections, point 32.
45 Report, page 6.
46 Investigation report, page 31, point 4.4.5.3.2.
47 Statement of Objections, point 31.
48 WP 260 rev.01, point 9.


35. The Restricted Panel notes that at the start of the investigation the data protection policy was only available in language A and language B, although the website was also available in language C.

It considers that the fact that a language C version of the website was made available to users by the auditee shows that the latter was also targeting a public mastering neither language A nor language B, and which was not likely to understand the data protection policy in one of these languages.

It therefore considers that, as the auditee had not provided users of its website with a translation of its data protection policy in all the languages in which its website was made available, it had not met the requirement to provide the required information in an understandable manner and in clear and simple terms.

36. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee breached the obligation of transparency arising from Article 12.1 of the GDPR to provide the required information in an understandable way and in clear and simple terms.


2.3.2 At recipient level

37. With regard to objective 5 50, the head of investigation recalled that the information relating to the recipients or categories of recipients must be provided under Articles 13 and 14 of the GDPR according to the Annex to the Transparency Guidelines. 51

38. From the statement of objections it appears in this respect that the head of investigation did not expect “a list of recipients but at least precise information on the categories of recipients”. 52

Thus, as “the CNPD agents found that the recipients of the personal data are not very detailed in the data protection policy of Company A, which mentions "the category of persons A", while the register of processing is more complete and precise by indicating as recipient "[...]"”, 53 the head of investigation held that the conditions of Article 12.1 of the GDPR “as to the comprehensible nature of the information (at the level of the recipients)” were not respected. 54

49 WP 260 rev.01, point 13.
50 “Objective 5 - Ensure that information is concise, transparent, understandable, and transmitted in clear and simple terms”; Investigation report, page 28 et seq.
51 Investigation report, pages 28 to 29, point 4.4.5.
52 Statement of Objections, point 36.


39. The auditee, for its part, indicated in its letter of May 3, 2021 that it intended to add the point “[...]” to the data protection policy “so that users see […] all possible recipients […]”. This was noted in the investigation report. 55

40. The Restricted Panel recalls that Article 12.1 of the GDPR requires, among other things, that the required information be provided in an understandable way.

Under the Transparency Guidelines, “the requirement that such information be “understandable” means that it should be able to be understood by the majority of the target audience. Comprehensibility is closely linked to the requirement to use clear and simple terms. A controller knows the people about whom it collects information and can use this knowledge to determine what this audience would be likely to understand”. 56

It also recalls that Article 4.9) of the GDPR defines the term “recipient” as “the natural or legal person, public authority, service or any other organisation which receives communication of personal data, whether a third party or not. […]”. It also notes that under the terms of Article 13.1.e) of the GDPR the auditee must, where appropriate, provide information on the recipients or on the categories of recipients of personal data.

41. The Restricted Panel notes that the data protection policy indicated in the section “[...]” that the personal data of users were transferred to a category of recipients, namely […].

It considers that the information met an acceptable degree of precision to allow users of the auditee's website to understand to whom their personal data were transferred.

42. In view of the foregoing, the Restricted Panel does not agree with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee did not breach the obligation of transparency arising from Article 12.1 of the GDPR to provide the information in an understandable way.

53 Statement of Objections, point 37.
54 Statement of Objections, point 39.
55 Investigation report, page 22, point 4.4.2.3.1.
56 WP 260 rev.01, point 9.


2.4 As to taking “appropriate measures” to provide the information


43. Given that the review of the processing carried out by the auditee in relation to activity A was not within the scope of the investigation in question, the Restricted Panel does not rule in this decision on the grievance upheld in this regard by the head of investigation.





B. On the breach of the obligation to inform the persons concerned


1. On the principles


44. Article 13 of the GDPR provides the following:

“1. Where personal data relating to a data subject are collected from that person, the controller shall provide him or her, at the time the data in question are obtained, with all of the following information:

a) the identity and contact details of the controller and, where applicable, of the representative of the controller;

b) where applicable, the contact details of the data protection officer;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;

e) the recipients or categories of recipients of the personal data, if they exist; and

f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a third country or to an international organisation, and the existence or absence of an adequacy decision issued by the Commission or, in the case of transfers referred to in Article 46 or 47, or Article 49, paragraph 1, second subparagraph, the reference to the appropriate or suitable safeguards and the means of obtaining a copy of them or where they have been made available;

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following additional information which is necessary to guarantee fair and transparent processing:

a) the retention period of the personal data or, where this is not possible, the criteria used to determine this period;

b) the existence of the right to request from the controller access to the personal data, the rectification or erasure thereof, or a restriction of the processing relating to the data subject, or the right to object to the processing and the right to data portability;

c) where the processing is based on point (a) of Article 6(1) or on Article 9, paragraph 2(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on the consent given before its withdrawal;

d) the right to lodge a complaint with a supervisory authority;

e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or whether it is a condition for the conclusion of a contract, and whether the data subject is obliged to provide the personal data, as well as on the possible consequences of not providing those data;

f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, useful information concerning the underlying logic, as well as the significance and intended consequences of such processing for the data subject.

3. Where the controller intends to carry out further processing of personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject beforehand with information about this other purpose and any other relevant information referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 do not apply where and to the extent that the data subject already has this information.”


45. The communication to data subjects of information relating to the processing of their data is an essential element in the context of compliance with the general obligations of transparency within the meaning of the GDPR. 57 These obligations have been clarified by the Article 29 Working Party in its guidelines on transparency, which have been taken up and re-approved by the EDPB. 58

46. For the rest, the Restricted Panel refers to points 10 to 12 of this decision with regard to the principles to be observed under the obligation of transparency in accordance with Article 12.1 of the GDPR.


2. In this case


2.1 Regarding the retention period of personal data


47. In the context of objective 2 59, the head of investigation expected, among other things, that “the following information is accessible through the data protection policy, in accordance with the annex to the G29 guidelines relating to the information to be communicated to a data subject under Article 13 or Article 14: […]

● The data retention period or, when this is not possible, the criteria used to determine this period […]”. 60

CNPD officials then inspected “the data protection policy to identify the presence of information relating to the retention periods of the data processed, and that each retention period has been mentioned for the different categories of personal data and/or the different purposes of the processing”. 61

48. From the statement of objections it is apparent in this context that an analysis of the data protection policy revealed that the retention periods for personal data were not indicated for certain processing operations. 62

The head of investigation noted that “the CNPD agents did not find any information on the retention periods for data relating to operations A, B and C”. 63

Thus, the head of investigation held that the conditions of Article 13.2.a) of the GDPR “relating to the information regarding the retention period of the data were not respected at the beginning of the investigation”. 64

57 See in particular Articles 5.1.a) and 12 of the GDPR, see also recital (39) of the GDPR.
58 Cf. points 11 and 12 of this decision.
59 “Objective 2 - Ensure that the information is complete”; Investigation report, page 13 et seq.
60 Investigation report, page 13, point 4.4.2.1.
61 Investigation report, page 16, point 4.4.2.2.8.1.
62 Statement of Objections, paragraphs 52 and 53.
63 Statement of Objections, paragraph 55.

49. The auditee, for its part, indicated in its letter of May 3, 2021 its intention to add the point “[…] […] to the data protection policy, which should also mention the retention periods for personal data. This was noted in the investigation report. 65

50. The Restricted Panel recalls that Article 13.2.a) of the GDPR requires that information relating to the retention period of personal data or, when this is not possible, the criteria used to determine this period, be provided to the data subject at the time the personal data is obtained.

It notes that the Transparency Guidelines state that “the retention period (or the criteria for determining it) can be dictated by different factors such as regulatory requirements or industry guidelines, but it should be formulated in such a way that the data subject can assess, according to the situation in which he or she finds himself or herself, what the retention period will be with regard to specific data or in the case of specific purposes. The controller may not simply state in a general way that the personal data will be kept for as long as the legitimate purpose of the processing requires. Where appropriate, different storage periods should be mentioned for the different categories of personal data and/or the different processing purposes, including periods for archival purposes”. 66

51. The Restricted Panel notes that the data protection policy did not contain any information on the retention periods of data relating to operations A, B and C, while information relating to the retention period of users' personal data was listed in two sections of the data protection policy, namely […]. Users therefore could not know, for all processing operations, what the related retention periods were.

64 Statement of Objections, point 57.
65 Investigation report, page 22, point 4.4.2.3.1.
66 WP 260 rev.01, Annex “Information to be communicated to a data subject under Article 13 or Article 14”.

52. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee did not provide users of its website with all the information made mandatory by Article 13.2.a) of the GDPR.


2.2 Regarding the exercise of their rights by the persons concerned


53. In the context of objective 2 67, the head of investigation expected, among other things, that “the following information is accessible through the data protection policy, in accordance with the annex to the G29 guidelines relating to the information to be communicated to a data subject under Article 13 or Article 14: […]

● The rights of data subjects: access, rectification, erasure, restriction of processing, objection to processing, portability, […]. In addition, information is expected on the means made available to exercise their rights of access (e-mail address or specific contact form allowing the controller to receive the data protection requests) […]”. 68

Thus, CNPD officers inspected the data protection policy to identify “the presence of information relating to the rights of data subjects including a summary of what the rights in question include and the measures that may be taken by the data subject to exercise them as well as any limitation to said rights”. 69

54. According to the statement of objections, the analysis of the data protection policy revealed that some of the rights that may be exercised by data subjects were not indicated. 70

The head of investigation specified that in this case “the right to restriction was not mentioned in Company A's data protection policy at the start of the investigation and the right to object is mentioned only in the particular case […]”. 71

Thus, the head of investigation held that the conditions of Article 13.2.b) of the GDPR “as regards information on the exercise of their rights by the data subjects have not been respected”. 72

67 “Objective 2 - Ensure that the information is complete”; Investigation report, page 13 et seq.
68 Investigation report, page 13, point 4.4.2.1.
69 Investigation report, page 17, point 4.4.2.2.9.1.
70 Statement of Objections, point 58.
71 Statement of Objections, point 60.
72 Statement of Objections, point 62.

55. The auditee, for its part, indicated in its letter of May 3, 2021 that it was of the opinion that the right to restriction of processing was already mentioned in the data protection policy at "point "[...]". However, it stated its intention to add a reference to this right “under point […]” of the data protection policy and provided a suggested text. This was noted in the investigation report. 73


56. The Restricted Panel recalls that Article 13.2.b) of the GDPR requires that information on the existence of the right to request from the controller access to the personal data, the rectification or erasure thereof, or a restriction of the processing relating to the data subject, or the right to object to the processing and the right to data portability be provided to the data subject at the time when personal data is obtained.

It notes that the Transparency Guidelines state that “such information should be specific to the processing scenario and include a summary of what the right in question includes and the actions that can be taken by the data subject to exercise it, as well as any limitation of said right […]. In particular, the right to object to the processing must be explicitly brought to the attention of the data subject at the latest at the time of the first communication with the data subject and must be presented clearly and separately from any other information […]”. 74

57. With regard to the right to restriction of processing, it notes that the existence of this right was not mentioned in the data protection policy.

In particular, it considers that this right did not appear in section "[...]" (in "point "[...]") of said policy, as the term "[...]" used therein only referred to a method that could be used to put the right to restriction of processing into practice and not to the right to restriction as such.

58. With regard to the right to object, it noted that in the data protection policy, the existence of this right was first mentioned in the section “[…]” (at point "[...]") [...], and that the existence of this right was then recalled for some of the processing operations for which it was indicated that they were based on Article 6.1.f) of the GDPR, but not for all processing based on this article. […]

73 Investigation report, page 22, point 4.4.2.3.3.
74 WP 260 rev.01, Annex “Information to be communicated to a data subject under Article 13 or Article 14”.
75 Recital (67) GDPR.

59. In view of the foregoing, the Restricted Panel concurs with the opinion of the head of investigation and concludes that at the start of the investigation, the auditee did not provide users of its website with all the information made mandatory by Article 13.2.b) of the GDPR.


II. 2. On the fine and corrective measures


1. On the principles

60. In accordance with Article 12 of the law of 1 August 2018, the National Commission has the powers provided for in Article 58.2 of the GDPR:

“(a) notify a controller or processor of the fact that the envisaged processing operations are likely to violate the provisions of this Regulation;

(b) call a controller or processor to order when the processing operations have resulted in a breach of the provisions of this Regulation;

(c) order the controller or processor to comply with requests submitted by the data subject with a view to exercising their rights under this Regulation;

(d) order the controller or the processor to bring processing operations into compliance with the provisions of this Regulation, where applicable, in a specific manner and within a specified time;

(e) order the controller to communicate a personal data breach to the data subject;

(f) impose a temporary or permanent restriction, including prohibition, of the processing;

(g) order the rectification or erasure of personal data or the restriction of processing pursuant to Articles 16, 17 and 18 and the notification of these measures to the recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;

(h) withdraw a certification or order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or order the certification body not to issue certification if the requirements applicable to the certification are not or no longer satisfied;

(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific characteristics of each case;

(j) order the suspension of data flows addressed to a recipient located in a third country or to an international organisation.”

61. In accordance with Article 48 of the law of 1 August 2018, the CNPD may impose administrative fines as provided for in Article 83 of the GDPR, except against the State or the municipalities.

62. Article 83 of the GDPR provides that each supervisory authority shall ensure that the administrative fines imposed are, in each case, effective, proportionate and dissuasive, before specifying the elements that must be taken into account to decide whether an administrative fine should be imposed and to decide on the amount of this fine:

“a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

b) whether the breach was committed willfully or negligently;

c) any action taken by the controller or processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented under Articles 25 and 32;

e) any relevant breach previously committed by the controller or the processor;

f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any negative effects;

g) the categories of personal data affected by the breach;

h) the manner in which the supervisory authority became aware of the breach, in particular whether, and the extent to which, the controller or processor notified the breach;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same subject matter, compliance with these measures;

j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved under Article 42; and

k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the breach”.


63. The Restricted Panel would like to point out that the facts taken into account in the context of this Decision are those found at the start of the investigation. Any changes relating to the data processing under investigation that were made subsequently, even if they make it possible to establish compliance in whole or in part, do not make it possible to retroactively cancel a breach that has been found.

64. Nevertheless, the steps taken by the auditee to comply with the GDPR during the investigation procedure or to remedy the shortcomings identified by the head of investigation in the statement of objections are taken into account by the Restricted Panel in the context of any corrective measures to be taken and/or in setting the amount of any administrative fine to be imposed.

2. In this case


2.1 Regarding the imposition of an administrative fine


65. In the statement of objections, the head of investigation proposes to the Restricted Panel to

    pronounce against the controlled an administrative fine relating to the amount of
                 76
    3,700 euros.


66. In order to decide whether to impose an administrative fine and to decide, if
    applicable, of the amount of this fine, the Restricted Panel analyzes the criteria set

    by article 83.2 of the GDPR:


   - As for the nature and seriousness of the violation (article 83.2 a) of the GDPR), it
       recalls, with regard to breaches of Articles 12 and 13 of the GDPR, that transparency
       applicable to the processing of personal data and information relating to this
       processing are essential obligations incumbent on controllers, so that individuals
       are fully aware of the use that will be made of their personal data once collected.
       A breach of these articles of the GDPR thus constitutes an infringement of the rights
       of the data subjects. The right to transparency and the right to information have
       been reinforced under the GDPR, which demonstrates their particular importance.

76 Statement of Objections, point 68.


   - As for the duration criterion (article 83.2.a) of the GDPR), the Restricted Panel finds
       that these shortcomings have lasted over time, at least since the beginning of the
       investigation and until, where applicable, a possible modification of the data
       protection policy. It recalls that guidance relating to the principles and
       obligations provided for by the GDPR was available from the CNPD, in particular on
       its website.


   - As to the number of data subjects (article 83.2 a) of the GDPR), the Restricted Panel
       finds that these are all users of the controlled party's website and mobile app. It
       takes into account the assertion of the head of investigation that “Company A has a
       significant number of customers (approximately […] based on the figures communicated
       in December 2020)”.⁷⁷


   - As to whether the breaches were committed deliberately or not (by negligence)
       (article 83.2.b) of the GDPR), the Restricted Panel recalls that “not deliberately”
       means that there was no intention to commit the violation, although the controller
       or the processor has not complied with the duty of care required by law.

       In this case, the Restricted Panel is of the opinion that the facts and breaches
       observed do not reflect a deliberate intention to violate the GDPR on the part of
       the controlled party.


   - As to the degree of cooperation established with the supervisory authority
       (Article 83.2 f) of the GDPR), the Restricted Panel takes into account the statement
       of the head of investigation that the controlled party has shown constructive
       participation throughout the investigation.⁷⁸





77 Statement of Objections, point 66.b).
78 Statement of Objections, point 66.d).
   - As to the measures taken by the controlled party to mitigate the damage suffered by
       the data subjects (article 83.2.c)), the Restricted Panel takes into account the
       measures taken by the controlled party and refers to Chapter II.2, Section 2.2 of
       this decision for the related explanations.


67. The Restricted Panel notes that the other criteria of Article 83.2 of the GDPR are
    neither relevant nor likely to influence its decision on the imposition of an
    administrative fine and its amount.

68. It also notes that while several measures have been put in place by the controlled
    party in order to remedy, in whole or in part, certain shortcomings, these were only
    adopted following the launch of the investigation by CNPD agents on August 26, 2020⁷⁹
    (see also point 63 of this decision).


69. Therefore, the Restricted Panel considers that the imposition of an administrative fine
    is justified with regard to the criteria set out in Article 83.2 of the GDPR for breach
    of articles 12.1 and 13 of the GDPR.


70. With regard to the amount of the administrative fine, the Restricted Panel recalls that
    Article 83.3 of the GDPR provides that in the event of multiple infringements, as is
    the case here, the total amount of the fine may not exceed the amount fixed for the
    most serious violation. To the extent that a breach of Articles 12.1 and 13 of the GDPR
    is attributed to the controlled party, the maximum amount of the fine that can be
    imposed is 20 million euros or 4% of worldwide annual revenue, whichever is higher.


71. In view of the relevant criteria of Article 83.2 of the GDPR mentioned above, the
    Restricted Panel considers that the imposition of a fine of two thousand one hundred
    (2,100) euros appears to be effective, proportionate and dissuasive, in accordance
    with the requirements of Article 83.1 of the GDPR.


2.2 Regarding the taking of corrective measures


72. In the statement of objections, the head of investigation proposes that the Restricted
    Panel adopt the following corrective measures: “within a period of 1 month from the
    notification to the controlled party of the decision taken by the Restricted Panel:

    Order, pursuant to Article 58 (2) d) of the GDPR, the controlled party to comply with
    Article 12 (1) of the GDPR by making the following changes:

           a) Update the data protection policy, ensuring that the information contained
           in Company A's data protection policy reflects reality, especially in terms of
           the use of plugins and tools […] described in the policy;

           b) Add a redirect link to the data protection policy at the information
           collection points;

           c) Translate the data protection policy into the same languages as those
           offered for the website;

           d) Provide information relating to data protection at the level of activity A.

    Order, pursuant to Article 58 (2) d) of the GDPR, the controlled party to comply with
    Article 13, paragraph 2, letter b) of the GDPR by supplementing the data protection
    policy with the following information:

           - Information on the exercise of the right to object by the data subjects”.⁸⁰

79 Sending of the preliminary questionnaire.


73. The Restricted Panel also observes that the head of investigation noted in the
    statement of objections that, at the date of writing of that document, the controlled
    party had added to the data protection policy information on the recipients of the
    personal data, the retention periods of this data as well as the right to restriction
    of processing. Therefore, the head of investigation did not propose that the Restricted
    Panel adopt corrective measures in these respects.


74. As for the corrective measures proposed by the head of investigation and by reference
    to point 64 of this decision, the Restricted Panel takes into account the steps taken
    by the controlled party in order to comply with the provisions of articles 12.1 and 13
    of the GDPR, as detailed in its letter of May 3, 2021. More specifically, it takes note
    of the following facts:



80 Statement of Objections, paragraph 64.
81 Statement of Objections, point 38.
82 Statement of Objections, point 56.
83 Statement of Objections, point 61.
   - As for the corrective measure proposed by the head of investigation mentioned under a)
       of point 72 of this decision, concerning bringing the controlled party into
       compliance with article 12.1 of the GDPR by updating the data protection policy and
       ensuring that the information contained in it reflects reality, in particular as
       regards the use of plugins and tools […] described in the policy, the controlled
       party indicated in its letter of May 3, 2021 that the plugins that are not used on
       the website would be removed from the data protection policy.

       The Restricted Panel notes, however, that the processing operations for
       "Platform A"⁸⁴ and "Platform B"⁸⁵ are still mentioned in the modified version of the
       "Privacy Statement" in language A that the controlled party transmitted to it by
       email dated October 13, 2022 (hereinafter: the “modified data protection policy”),
       and which bears the handwritten mention “PUTTING ONLINE […] 2021”. It also observes
       that it appears from the information contained in the header as well as in the
       footer of this document that it was extracted from the controlled party's website
       on October 13, 2022. In addition, no documentation submitted to the Restricted Panel
       contains evidence that the controlled party now carries out these processing
       operations.

       In view of the insufficient compliance measures taken by the controlled party in
       this case and of point 64 of this decision, the Restricted Panel therefore considers
       that the corrective measure proposed by the head of investigation in this regard,
       and set out in point 72 of this decision under a), should be ordered.


   - As for the corrective measure proposed by the head of investigation mentioned under b)
       of point 72 of this decision, concerning bringing the controlled party into
       compliance with article 12.1 of the GDPR by adding a redirect link to the data
       protection policy at the information collection points, the controlled party
       confirmed in its letter of May 3, 2021 that […] it had decided to change service
       provider. During the Restricted Panel session of September 28, 2022, the controlled
       party reiterated its statements.

       However, no documentation submitted to the Restricted Panel contains proof that the
       controlled party has changed service provider and/or that additional information,
       such as a redirect link to the modified data protection policy, has been added to
       the interactive pages of its website, namely pages A, B and C.

       In view of the insufficient compliance measures taken by the controlled party in
       this case and of point 64 of this decision, the Restricted Panel therefore considers
       that the corrective measure proposed by the head of investigation in this regard,
       and set out in point 72 of this decision under b), should be ordered.

84 Modified data protection policy, se[…]o”.“
85 Amended Data Protection Policy, se[…]o”.“


   - As for the corrective measure proposed by the head of investigation mentioned under c)
       of point 72 of this decision, concerning bringing the controlled party into
       compliance with article 12.1 of the GDPR by translating the data protection policy
       into the same languages as those offered for the website, the controlled party
       indicated in its letter of May 3, 2021 that it intends to translate the data
       protection policy into language C.

       However, it only annexed the language A version of its modified data protection
       policy to its email of October 13, 2022 to the Restricted Panel.

       No documentation submitted to the Restricted Panel contains evidence that the data
       protection policy has been translated into language C and made available to users
       of the language C version of the controlled party's website. The controlled party
       also failed to provide evidence that the language B version of the data protection
       policy has been updated and is made available to users of its website.

       In view of the insufficient compliance measures taken by the controlled party in
       this case and of point 64 of this decision, the Restricted Panel therefore considers
       that the corrective measure proposed by the head of investigation in this regard,
       and set out in point 72 of this decision under c), should be ordered.


   - As for the corrective measure proposed by the head of investigation mentioned under d)
       of point 72 of this decision, concerning bringing the controlled party into
       compliance with article 12.1 of the GDPR by providing data protection information
       at the level of activity A, the Restricted Panel, after observing that the review
       of the processing carried out in connection with the operation of activity A was
       not within the scope of the investigation in question (see point 43 of this
       decision), does not rule on the corrective measure proposed by the head of
       investigation in this regard in point 72 of this decision under d) either.


   - As for the corrective measure proposed by the head of investigation mentioned in
       point 72 of this decision, concerning bringing the controlled party into compliance
       with Article 13.2.b) of the GDPR by completing, in the data protection policy, the
       information relating to the exercise of the right to object by the data subjects,
       the Restricted Panel takes note that the controlled party has added a reference to
       the right to object in the section " […] " on point " […] ".⁸⁶

       Although this clarification has been added […], the Restricted Panel considers that
       it was not suitable for informing users of the website that they have the right to
       object at any time, on grounds relating to their particular situation, to processing
       of personal data concerning them based on Article 6.1.f) of the GDPR.

       In view of the insufficient compliance measures taken by the controlled party in
       this case and of point 64 of this decision, the Restricted Panel therefore considers
       that the corrective measure proposed by the head of investigation in this regard,
       and set out at the end of point 72 of this decision, should be ordered.


75. Finally, as it was noted that at the beginning of the investigation no data protection
    policy intended to inform users of the mobile application was available to them (see
    point 27 of this decision), and as the Restricted Panel also has no evidence that
    information relating to the protection of personal data is now made available to users
    of the mobile application (at the download points or on the pages of the application),
    it considers that corrective action should be taken in this regard.




In view of the foregoing developments, the National Commission sitting in restricted
formation, after having deliberated, decides:


- to uphold the breaches of Articles 12.1 and 13 of the GDPR;

- to impose an administrative fine on Company A in the amount of two thousand one hundred
    (2,100) euros with regard to the breaches of Articles 12.1 and 13 of the GDPR;





86[…].
- to issue against Company A an injunction to bring the processing into compliance with
    the obligations resulting from Article 12.1 of the GDPR, within two months following
    the notification of the decision of the Restricted Panel, and, in particular,

        o ensure that the information contained in the data protection policy of the
           website reflects the reality of processing in terms of the use of plugins,
           tools […] described in said policy;

        o add a redirect link to the data protection policy at all information
           collection points;

        o translate the data protection policy into the same languages as those offered
           for the website;

        o provide information relating to data protection at the level of the mobile
           application;

- to issue against Company A an injunction to bring the processing into compliance with
    the obligations resulting from Article 13 of the GDPR, within two months following the
    notification of the decision of the Restricted Panel, and, in particular, inform users
    of the website in a clear and precise manner of the existence of the right to object.










Belvaux, December 13, 2022.





For the National Commission for Data Protection sitting in restricted formation







Tine A. Larsen, President
Thierry Lallemang, Commissioner
Alain Herrmann, Commissioner


Indication of remedies


This administrative decision may be subject to an appeal for review within three months
following its notification. This appeal is to be brought before the administrative court
and must be lodged through a lawyer at the Court of one of the Bar Associations.


























































