Commissioner (Cyprus) - Aylo Freesites Ltd
| Commissioner - Aylo Freesites Ltd | |
|---|---|
 | |
| Authority: | Commissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 5(1)(a) GDPR Article 5(1)(c) GDPR Article 5(1)(e) GDPR Article 5(2) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 28.03.2025 |
| Fine: | 58,400 |
| Parties: | Aylo Freesites Ltd. |
| National Case Number/Name: | Aylo Freesites Ltd |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Greek |
| Original Source: | CPDP (in EL) |
| Initial Contributor: | cci |
The Cypriot DPA fined an online adult content provider €58,400 for several GDPR infringements, including the illegal use of cookies on pornographic websites and the illegal processing of visitors' data.
English Summary
Facts
In 2022 the Cypriot DPA carried out an own-volition investigation on Aylo Freesites Ltd (the data controller). The company, formerly known as Mindgeek, owns and operates a number of popular pornographic websites.
In a preliminary decision, the DPA found that the controller did not comply with a number of key data protection principles, including accountability, transparency, lawfulness, data minimisation, storage limitation, and data security.
The DPA issued instructions to the controller in order to bring its data processing into compliance with the GDPR. The DPA later evaluated the controller’s compliance with its orders.
Holding
In its final decision, the DPA fined the controller €48,000 for the breaches of the Regulation that took place before it complied with the DPA’s instructions. Additionally, the DPA fined the data controller €10,400 over illegal cookie use.
Comment
The decision itself was not published: the DPA only explained it in a press release (available here).
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Inspection under Article 58(1)(b) of the Regulation My Office carried out an ex officio inspection at the premises of Aylo Freesites Ltd (formerly Mindgeek), which owns and operates world-renowned adult content websites. The inspection focused on issues such as cookie consent, processing of biometric data by a third party, data protection impact assessments and data processing agreements. Several breaches of the Regulation were found, leading to a prima facie decision with a compliance order. In summary, a lack of compliance with several key data protection principles was found, including accountability, transparency, lawfulness, data minimisation, storage limitation, data security and the necessity of a legal basis for processing. These gaps were considered significant because they occurred four years after the implementation of the Regulation. The Company responded to the instructions I gave it in the context of my Mandate and implemented corrective measures. I then issued a final Decision where, after taking into account the Company's compliance with my recommendations, I imposed an administrative penalty of a fine of €48,000 for violations of the Regulation that took place before its compliance. In addition, I imposed an administrative penalty of €10,400 for the illegal use of cookies. The Company paid the imposed fine within the deadline.
