DVI (Latvia) - SIA GZ AUTO

From GDPRhub
DVI - SIA GZ AUTO
LogoLV.png
Authority: DVI (Latvia)
Jurisdiction: Latvia
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 7 GDPR
Type: Investigation
Outcome: Violation Found
Started: 19.01.2024
Decided: 29.01.2024
Published:
Fine: n/a
Parties: SIA GZ AUTO
National Case Number/Name: SIA GZ AUTO
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Latvian
Original Source: DVI (in LV)
Initial Contributor: im

The DPA reprimanded a controller for processing analytical and marketing cookies before users took any action on a website.

English Summary

Facts

On 19 January 2024, the DPA carried out an inspection on the website grosauto.lv, which is operated by SIA GZ AUTO (‘controller’), a company that provided car services. Once the website was visited, a cookie banner appeared with the following text: ‘This website uses cookies to optimize its performance. By continuing to use this website, you agree to the use of cookies. Read more.’ Thus, it appears that visitors are not able to provide consent other way than just continuing to use the website.

When the DPA visited the controller’s e-shop they were taken to another website called detalas.lv. At the bottom of the page a cookie banner appeared with a similar text as on the previous website saying: ‘We use cookies to ensure you get the best experience on our website. By continuing to use this website or by staying on the page, you agree to our use of Cookies. Continue.’ Once they clicked on the ‘Use of cookies’ they were provided with information that the website collected analytical cookies and indicated that as a visitor they could turn off cookies based on the browser they were using. By clicking on ‘Continue’, the banner window disappeared.

Additionally, the website contained a ‘Privacy Policy’ which specified the possibility to withdraw consent in cases where customers’ personal data are processed by SIA GZ AUTO on the basis of customer’s consent.

However, it emerged that the controller used analytical ‘_ga’ cookies (used by Google), marketing ‘_fbp’ cookies (used by Facebook) and necessary cookies from the moment the website was opened – before the consent was provided

Holding

According to the DPA, the storage of analytical and advertising cookies on the visitors’ end devices was carried out without the legal basis laid down in Article 6(1) GDPR, i.e. without the data subject’s informed consent. Despite the information on the provision of consent and the possibility to withdraw it in the Privacy Policy of the controller, in practice this option did not exist. In fact, the controller must obtain the data subject’s free and informed consent before any other action is taken on the website, including the online store detalas.lv in accordance with Article 7 GDPR.

On this basis, the DPA reprimanded the controller for an infringement of Article 5(1)(a), Article 6(1) and Article 7 GDPR. The controller was ordered to make necessary changes to its website to ensure that the use of cookies complies with the requirements of the GDPR, in particular to ensure an adequate ‘consent mechanism’.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.

Elijas iela 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv



                                                                                             In case no. [..]


                                                                                         Ltd. GZ AUTO

                                                                           Pulkveža Brieža street 93B - 12
                                                                      Sigulda, Sigulda district, LV - 2150


                                               The decision

Riga, 29.01.2024.                                                                      No. [..]

On the application of the corrective measure


      [1] Information about SIA GZ has come to the disposal of the Data State Inspectorate (hereinafter - I1spekcija).
AUTO, registration number 40203231971 (hereinafter - SIA) for violations by persons committed by SIA
in data processing using cookies on the SIA website grosauto.lv (hereinafter - the Website).
      [2] In order to verify the legality of the activities carried out by SIA and in accordance with the Data of Natural Persons

Article 4, paragraph 1, paragraph 1 and Article 5, paragraph 1 of the processing law (hereinafter – Data Law)
paragraph 1, Article 57 paragraph 1 a) of the General Data Protection Regulation (hereinafter - the Data Regulation) and
(h) and Article 58(1)(a), (d), (e) were followed up.
                                                                                                  3
      [2.1] On January 19, 2024, the inspection official inspected the website of SIA, which
found the following:
      1) The website offers the opportunity to buy parts for cars, which is doable
by visiting the website online store detalas.lv, as well as information about SIA is available

location of stores throughout Latvia. By clicking on the "Stores" section, it is possible to find stores and
car services, as well as the following information is indicated at the bottom of the page: Details "SIA "GZ AUTO", Reg. No.
40203231971, Legal address: Pulkveža Brieža iela 93B – 12, Sigulda, Postal address: Piebalgas 85,

Vaives parish, Cēsu prov., LV-4136, Bank: AS "Citadele banka", SWIFT code: PARXLV22, EUR
Account No. LV77PARX0022935610001”. So SIA is the administrator and persons of the Website
data controller.
      2) A banner window with

write "This website uses cookies to optimize its operation. By continuing to use this website, you
you agree to the use of cookies. Read more. I AGREE". It is possible to click on "AGREE" and
the said banner window closes.



1
 https://www.ur.gov.lv/lv/legal-entity/?id=40203231971
2 Regulation of the European Parliament and of the Council (EU) No. 2016/679 (April 27, 2018) on the protection of natural persons
regarding the processing of personal data and the free movement of such data and repealing Directive 95/46/EC
3 Inspection report of January 19, 2024 No. [..]
4https://online.detalas.lv/Login/Login.aspx
5https://grosauto.lv/kontakti/ 2

      3) At the bottom of the website page, there is a "Customer Registration" section that opened when clicked

page https://online.detalas.lv/Register/Register.aspx, which shows a window that the customer can fill out
indicating whether there is a natural/legal person, the chosen natural person, the next page opens, in which you must indicate
such personal data as name, surname, e-mail, telephone number, the customer must choose the nearest store from
of the proposed list and the user's name must be specified. The option to agree or disagree was also offered
to receive news, personalized offers by marking "Yes" or "No" and must be marked in some way

and want to receive information in Latvian or Russian by SMS or e-mail.
      4) Clicking on the "Buy iStore" section opened a page where, as a registered user,
both as an unregistered user it is possible to purchase goods. A banner window appears at the bottom of the page with
the following text "We use cookies to provide the best possible website
usage experience. By continuing to use this website or by staying on the page, you agree to Cookies
                                                                                         7
for use. To continue". Clicking on "Use of cookies" opens the page "Homepages
cookies", which provides information about what cookies are used on the detalas.lv page
analytical cookies and it is indicated that as a visitor of the detalas.lv page, cookies should be turned off, taking into account
the browser you are using. On the other hand, when you press "Continue", the banner window disappears.
      5) The website contains a "Privacy Policy" consisting of 23 (twenty-three) sections.

Section 13 of the Privacy Policy "The right to withdraw your consent" states: "In cases where
Customer data is processed by GZ AUTO on the basis of the Customer's consent, the Customer has the right at any time
withdraw your consent, and the data processing based on the Client's consent will be stopped. Your own
The Client can correct the consent - revoke it or re-give previously revoked consent by submitting
appropriately updated Customer Support Program application form or by contacting GZ AUTO

Customer support in the ways specified in the program rules.
      If the Customer's consent becomes invalid or is revoked or cancelled, GZ AUTO deletes the data
processed on the basis of the Customer's consent, unless there is also another basis for their processing to reach others
the purposes of data processing provided for in this Policy, but in the cases specified in the Policy - GZ AUTO
permanently anonymizes the data. In any situation, the consent given by the Client and proof of it in GZ

AUTO can also be stored for a longer period if it is necessary to be able to protect your rights
in connection with demands and claims made against GZ AUTO."
      6) By clicking on the open website with the right mouse button of the working computer during the viewing
pages without consent, the browser's menu window opens, and selecting the "Inspect" option
but then in the top section of the "Application" option, and on the left side of the "Cookies" section, you can see that

The website uses analytical cookies "_ga". On the other hand, during the inspection, if consent is given,
then it was found that both analytical cookies and marketing cookies '_fbp' are used as
also necessary cookies. Also, checking which ones on the detalas.lv website's online store page
cookies are used, it was found that analytical "_ga" cookies are used on the mentioned page.
      According to publicly available information, cookies such as “_ga”, “_gid”, “_gat” are Google

cookies, they are used to analyze website visitors. On the other hand, "fbp" is Facebook
cookie to display ads while on Facebook after visiting the site.
      In general, after evaluating what is available on the website, including the online store detalas.lv
information, during the inspection it was found that the website is not provided with legal
correct possibility for the website user to agree/opt-out in accordance with regulatory requirements

from the use of cookies. A website is not only used for the functionality of the website
necessary cookies, but also other types, such as analytical and advertising cookies, without the visitor
consents given by (the data subject).



6
7https://online.detalas.lv/Login/Login.aspx?lang=lat
8https://detalas.lv/majaslapas-sikdatnes/
 https://policies.google.com/technologies/cookies?hl=lv 3


      [2.2.] Based on the information obtained during the inspection, inspections were started on January 19, 2024
case no. [..] (hereinafter – the Case) regarding the processing of personal data on the Website using cookies.
      [3] In accordance with the findings in points [1-2] of this decision, the Inspectorate concludes the following.

      [3.1] In accordance with the Data Regulation, cookies and other tracking technologies that may be used
to profile or identify users, must be considered personal data and thus have
applicable requirements of the Data Regulation. The Court of the European Union 11 has also recognized that cookies

processing of personal data of data subjects, which is subject to data protection, is carried out in the form of use
requirements.
      [3.2] In accordance with Article 4, subsection 7) of the Data Regulation on the adequacy of personal data processing
is the responsible manager 12 and according to the information provided on the website, SIA is recognized as

controller for the processing of personal data carried out on the website.
      This means that SIA, as the controller, must comply with Article 5 of the Data Regulation in the processing of personal data
the established basic principles of personal data processing, according to which: 1) personal data must be processed

in a lawful, fair and transparent manner; 2) collection of personal data shall be carried out in specific, clear and
for legitimate purposes, and their further processing is not carried out in a manner incompatible with said purposes;
3) personal data must be adequate, relevant and contain only what is necessary for their processing
purposes; 4) storage of personal data in a way that allows the identification of data subjects cannot be longer

as necessary for the purposes for which the relevant personal data is processed; 5) personal data must be processed
in such a way as to ensure adequate security of personal data, including protection against unauthorized or
illegal processing and against accidental loss, destruction or damage using appropriate
                                              13
technical or organizational measures. According to Article 6, Clause 1 of the Data Regulation, the controller
the processing of personal data carried out is lawful only to the extent and only if in relation to it
at least one of the following legal grounds is applicable: consent, contract
enforcement, legal obligation, public interest, protection of vital interests and legitimate interests

compliance. In addition, in accordance with the principle of accountability established in Article 5, paragraph 2 of the Data Regulation, directly
the manager is obliged to ensure a personal data processing process that allows proving that the manager
the processing of personal data is in accordance with the requirements of the data protection regulatory framework.

      In compliance with the above, the Inspectorate states that only in accordance with the provisions of Article 5 of the Data Regulation
basic principles and in the presence of any of the legal provisions specified in Article 6, Clause 1 of the Data Regulation
grounds, the processing of personal data may be recognized as legal. On the other hand, if the mentioned conditions are not met
complied with, the personal data processing performed by the controller does not comply with the requirements of the Data Regulation and may not be done

perform. Thus, before processing personal data, the manager must assess whether there is a legal and
bona fide purpose for the planned processing of personal data, whether it is possible to achieve this purpose with the planned one
processing of personal data and whether this goal cannot be achieved by processing personal data in a smaller way

in volume, in a different way or without processing them at all.



9 Personal data is any information with which it is possible to identify a natural person, in particular with reference to an identifier,
for example, the name, surname, identification number, location data, online identifier or
one or more physical, physiological, genetic, mental, economic,
cultural or social identity factors (Article 4, Clause 1 of the Data Regulation)
10
11 Paragraph 1 of Article 4 of the Data Regulation; recitals 26 and 30
  Preliminary ruling of the European Court of Justice of June 5, 2018 in case No. C-210/16 Unabhängiges Landeszentrum
für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, available at:
http://curia.europa.eu/juris/document/document.jsf?text=s%25C4%25ABkdatnes&docid=202543&pageIndex=0&docla
ng=lv&mode=req&dir=&occ=first&part=1&cid=4970214#ctx1
12 a natural or legal person, public institution, agency or other body that determines alone or jointly with others
the purposes and means of personal data processing [..]
13 Data Regulation, Article 5, Clause 1, subparagraph a) ("lawfulness, integrity and transparency"), subparagraph b) ("purpose
limitations”), point c (“data minimization”), point e (“storage limitation”) and point f)
(“integrity and confidentiality”).                                                    4

      In addition to ensuring the legal basis and respecting the principles of data processing, the controller has

also ensure the fulfillment of other requirements of the Data Regulation and the Data Law, including Chapter III of the Data Regulation
the mentioned rights of the data subject, including the obligation of the controller in Article 12, paragraph 1 of the Data Regulation
take appropriate measures to be concise, transparent and easily accessible, using a clear
and plain language, would provide the data subject with all the information referred to in Articles 13 and 14 and ensure

all 15-22 communication referred to in Article and Article 34 regarding processing. Although the Data Regulation does not state that
all information regarding the processing of personal data by the administrator must be indicated on the administrator's website
website, the Data Regulation provides that the said information must be easily accessible, clearly understandable and
transparently.

      In compliance with the requirements of the mentioned legal regulation, regarding the processing of personal data using
cookies, the Inspectorate explains that regarding absolutely necessary (technical) cookies
use, the manager is obliged to provide the data subject with all the information provided for in the Data Regulation
data processing using cookies (including but not limited to the types of cookies used, data processing

purpose, data controller, etc.). On the other hand, regarding the personal data provided on the Website
processing using cookies that are not absolutely necessary (technical) cookies, Inspection
explains that, in addition to the obligation to provide information already mentioned above, it is also necessary
prior and informed consent, as the first and second paragraphs of Article 7 of the ISPL state that the information

storage in the subscriber's or user's terminal or gaining access to the terminal store14ai
information is permitted if the respective subscriber or user has given their consent after
has received clear and comprehensive information about the purpose of the aforementioned processing in accordance with the Data
regulation.
      In addition, Article 7, paragraph 3 of the Data Regulation stipulates that the manager must ensure that the data subject

You can withdraw your consent at any time as easily as you gave it. The Data Regulation does not stipulate that
giving and withdrawing consent must always be done through the same action. However, if
consent is obtained by electronic means and with just one mouse click, swipe
gesture or keystroke, data subjects should in practice be able to withdraw this consent just as easily.

The request for a simple withdrawal is described in the Data Regulation as requiring valid consent
aspect. If the right of withdrawal does not meet the requirements of the Data Regulation, then the controller's consent mechanism
does not comply with the Data Regulation. In accordance with Article 7, paragraph 3 of the Data Regulation, the controller must inform the data subject
on the right of withdrawal before obtaining the actual consent.

      The inspection indicates that in this particular case the manager (SIA) did not provide the website user
the right to agree, the right to agree to the processing of cookies, because the developed banner does not work, let it be possible only
agree to the use of cookies. During the inspection, it was found that the website is being processed
analytical cookies, regardless of whether the Website User agrees or not at all

choice, but if the visitor agrees to the use of cookies, marketing cookies are also processed,
thereby misleading the users of the Website. On the other hand, in the "Homepage cookies" rules, which
can be found if you visit the website's online store detalas.lv in the cookie opt-out
the mechanism is complex. It should also be noted that the website does not provide the possibility to disagree with analytical,

for the processing of marketing cookies. In addition, we explain that using cookies requires the consent of the data subject
it is not necessary to obtain all the cookies used on the specific website.
security-related cookies do not require the data subject's consent to be used by the web
website, like personalized cookies, does not require the data subject's consent, however, 15
in order to process analytical or advertising cookies, it is necessary to obtain consent from the user. Namely, the manager has

the consent of the data subject must be obtained before any other activities are carried out on the website, including cases

14 The consent referred to in the first part of the Article is not required if the information storage terminal is accessed
the information stored in the terminal is necessary for ensuring the circulation of information in the electronic communication network or
to an intermediary service provider to provide the service requested by the subscriber or user.
15 Law on Information Society Services 7. the second part of the article
16 Law on Information Society Services 7. first part of Article 5

even if the visitor, for example, does not register a customer on the website, but only browses the website
as such.17
      The inspection informs that guidelines are available on its website (https://www.dvi.gov.lv/lv/dvi).

"Guidelines for the use of cookies on the website", which provide recommendations for administrators who install
cookies and uses them to obtain information (personal data processing). In addition, we invite you to familiarize yourself with
For inspection explanations "Our website uses cookies, please accept!"
(https://www.dvi.gov.lv/lv/jaunums/dvičrevo-musu-timekla-vietne-tiek-izmantotas-sikdatnes-ludzu-
agree), "What should I know about cookies?"
(https://www.dvi.gov.lv/lv/jaunums/dvičrevo-kas-man-jazina-par-sikdatnem-jeb-cookies).

      [3.3] In view of the aforementioned, in relation to the use of cookies on the website unarīdetalas.lv, it can be concluded,
that the websites use analytical cookies and advertising cookies without the visitor (data subject)
given consents, which in fact are not provided free and informed in accordance with the requirements of the Data Regulation
the possibility to agree or refuse the use of certain cookies on websites. It follows that
the storage of information in the subscriber's or user's terminal is carried out without Article 6, Clause 1 of the Data Regulation
the prescribed legal basis, namely without the informed consent of the data subject.

      On the basis of the above, the Inspectorate finds that the information provided on the website of SIA Tīmekļa
the processing of personal data using cookies does not currently comply with Article 5, Paragraph 1 of the Data Regulation
(a), Article 6(1), Article 7, ISPL7¹. to the requirements of the first part of Article
      [4] We inform you that the Inspection implements the "Consult first" principle in its activities, which provides that
The primary tasks of the inspection are the effective protection of data of natural persons (instructions on the controller
deficiencies identified in the personal data processing and providing suggestions for their elimination)

and in case of illegal processing of personal data, performing the necessary actions with the aim of
to stop it as soon as possible, thereby reducing the damage caused to the data subject.
      [5] Article 58, paragraph 2, subparagraph d) of the Data Regulation provides for the authority of the Inspectorate to issue an order
for the controller or the processor to coordinate the processing activities with the provisions of the Data Regulation, needs
case - in a specific way and in a specific period of time. Article 23 of the Data Regulation stipulates that the Inspection,
when making decisions regarding the imposition of a legal obligation, the Law on Administrative Procedure shall be applied

(hereinafter - APL).
      [5.1] Taking into account the above and the fact that SIA has found violations of the provisions of the Data Regulation,
For the inspection in accordance with the first part of Article 62 of the APL, deciding on the issuance of an administrative act that
could be unfavorable to the addressees, the authority (in the specific case the Inspectorate) is necessary
to find out and evaluate the opinion and arguments of the addressees in this case. On the other hand, the second parts of Article 62 of the APL
Point 3) specifies that clarifying the person's opinion and arguments is not necessary, if necessary

it follows from the essence that clarifying the person's opinion is impossible or inadequate. Given this
the factual circumstances specified in the decision, namely that a violation has been detected, from the point of view of the addressee (SIA).
clarifying before issuing the decision is not useful, because the opinion or arguments of SIA cannot influence
decision on the merits.
      [5.2] According to the first part of Article 66 of the APL, it is necessary to decide on the administrative act
utility of issuance. Namely, when making a decision on the prevention of data processing of an unlawful person,

The inspection should evaluate the possibility of deciding on a smaller restriction of personal rights.
      Evaluating the necessity and necessity of the administrative act, the Inspectorate concludes that the decision
adoption is both necessary and necessary to achieve the goal of preventing the Data Regulation and ISPL
violations of the rules in personal data processing carried out by SIA using cookies.
      The administrative act is a suitable means to achieve the goal, as it creates a legal obligation for SIA
to prevent detected violations within a specific procedural term, as well as prevent similar violations

occurrence in the future.

17
  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and
life protection in the electronic communications industry. Article 5, paragraph 3, recital 25 6

      The administrative act can be considered as the most proportionate means for achieving the goal, because in comparison
with the decision on imposing an administrative penalty is considered more lenient. At the same time, legal
the imposition of the obligation is aimed at the data subject in the Data Regulation, the Data Law and other regulatory acts

provision of the expected fundamental rights to personal data protection.
      In compliance with the above, the Inspection, on the basis of Article 58, paragraph 1, subparagraph e) of the Data Regulation
and sub-paragraph d) of paragraph 2, Article 23 of the Data Regulation, Article 5 of the first part 3 of the Data Law and
paragraph 6, paragraph one of Article 13 of the ISPL and paragraph 2) of Article 63 of the first paragraph of the APL,

                                               decides:


      oblige SIA to make the necessary changes to the Website, ensuring that
the use of cookies complies with the requirements of the Data Regulation and the ISPL, in particular to ensure appropriate
a "consent mechanism" so that data subjects have genuine opportunities to consent and/or opt-out
from the use of non-mandatory cookies, to inform in writing about the implementation of the decision until 2024
on March 1, by submitting information about the measures taken by the SIA to the Inspectorate.


      According to the first and second parts of Article 70 of the APL, the decision enters into force from the moment it is announced
to the addressee, while the decision is notified to the addressee in accordance with the Notification Law. Notification Act
The second part of Article 4 provides that the legal entity is notified of the document at its legal address. Notifications
The third and fourth parts of Article 8 of the law stipulate that a document notified as registered mail,
shall be considered notified on the seventh day after it has been delivered to the post office, as well as if a statement is received from the post office

delivery of the shipment or a returned document does not in itself affect the notification of the document
fact.
      This decision in accordance with the first and second parts of Article 76, Article 79 of the Administrative Procedure Law
the first part and 24 of the Data Law. the first part of the article can be appealed within one month of its entry into force
days Data to the Director of the State Inspection.
      [6] The Inspectorate informs that Article 83, Clause 5 of the Data Regulation provides for the application of administrative

fines of up to EUR 20,000,000 or, in the case of a company, up to 4% of its total
worldwide annual turnover of the previous financial year, depending on the amount
greater, in accordance with Clause 2 for violations of the following rules: on the basic principle of processing, including
conditions for consent, subject to Articles 5, 6, 7 and 9, the data subject's rights under Data
Articles 12 - 22 of the regulation, if the order of the supervisory authority or temporary or final processing is not followed
or restriction of data circulation in accordance with Article 58, paragraph 2 of the Data Regulation, or access has not been granted,

in violation of Article 58, paragraph 1 of the Data Regulation.
      In compliance with the above, the Inspectorate informs that in the event that the provisions of this letter are not fulfilled
order, the Inspectorate will implement other powers granted to the Inspectorate in the Data Regulation.

      Taking into account the fact that from January 1, 2023, all legal entities - companies,
associations, foundations, trade unions and other legal subjects registered in the registers in Latvia

The official electronic address or e-mail address is mandatory, the Inspectorate invites legal entities to create an e-
address. More information is available in the article published on the website of the Data State Inspectorate:
https://www.dvi.gov.lv/lv/jaunums/e-adrese.

Deputy Director L. Dilba


[..]


18
  the last day for submitting a written response by post or sending it electronically with a secure electronic signature