DVI (Latvia) - skola2030.lv
| DVI - skola2030.lv | |
|---|---|
| Authority: | DVI (Latvia) |
| Jurisdiction: | Latvia |
| Relevant Law: | Article 5(1) GDPR, Article 6(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 13.01.2025 |
| Decided: | 11.02.2025 |
| Published: | |
| Fine: | n/a |
| Parties: | State Education Development Agency |
| National Case Number/Name: | skola2030.lv |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Latvian |
| Original Source: | DVI (in LV) |
| Initial Contributor: | cci |
The DPA found that a website, controlled by the State Education Development Agency, placed marketing and analytics cookies without visitors' consent and without providing information about the processing of personal data. The DPA ordered the Agency to bring the use of cookies into compliance.
English Summary
Facts
The State Education Development Agency (a public entity) manages the www.skola2030.lv website. The DPA was informed that the website placed cookies without visitors' consent and started an investigation.
The investigation confirmed that marketing and analytics cookies were placed without consent and without displaying a consent banner. Additionally, the DPA found that the website's privacy notice was severely lacking and did not provide visitors with sufficient information about cookie use.
Holding
First, the DPA held that the State Education Development Agency was the controller for personal data processed by the website. This first step was necessary because the privacy notice on the website did not clearly identify the Agency as the controller.
Second, the DPA held that under Article 7 of the Information Society Services Act, marketing and analytics cookies can only be written with the consent of the end user. Therefore, the DPA held that the Agency processed personal data unlawfully and violated Article 7 of the Information Society Services Act[1], as well as Article 5(1) and 6(1) GDPR.
The DPA ordered the Agency to bring its use of cookies into compliance by collecting visitors' consent before writing cookies, and by providing them with all the necessary information about the processing of their data.
English Machine Translation of the Decision
The decision below is a machine translation of the Latvian original. Please refer to the Latvian original for more details.
Elijas Street 17, Riga, LV-1050, tel. 67223131, e-mail pasts@dvi.gov.lv, www.dvi.gov.lv
In Case No. [..]
State Education Development Agency
eAddress

Decision
Riga, February 11, 2025 No. [..]
On the application of a corrective measure

[1] The State Data Inspectorate (hereinafter – the Inspectorate) has received information about violations of the State Education Development Agency, registration number 90001800413 (hereinafter – VIAA) in the processing of personal data by VIAA using cookies on the website managed by VIAA https://www.skola2030.lv (hereinafter – the Website).

[2] In order to verify the legality of the actions taken by the Data Protection Authority and in accordance with Article 4, paragraph 1, paragraph 1 and Article 5, paragraph 1, paragraph 1 of the Law on the Processing of Personal Data (hereinafter – the Data Law), Article 57, paragraph 1, subparagraphs a) and h) and Article 58, paragraph 1, subparagraphs a), d), e) of the General Data Protection Regulation (hereinafter – the Data Regulation), the following actions were taken.

[2.1] On 13 January 2025, the Inspectorate conducted an inspection of the Website managed by the VIAA, within the framework of which the following was found:

[2.1.1] The Website section “About the project” indicates that “Competence approach to learning content” (School2030) is a project implemented by the State Education Content Centre (hereinafter - VISC), the aim of which is to develop, approve, and successively introduce in Latvia such general education content and approach to teaching from preschool to secondary school, as a result of which students would acquire the knowledge, skills and attitudes necessary for modern life.

[2.1.2] The Website uses optional cookies (analytical and marketing) without the consent of the Website user. The Website does not contain an informative warning window (banner) about the fact that cookies are being processed on the Website.
Consequently, the Website users are not provided with the possibility to agree/opt-out of the use of cookies at any time or to later change their cookie settings on the Website.

[2.1.3] By clicking on the “Privacy Policy” section, a window opens, which contains the following information: “We inform you that as of January 1, 2025, the State Education Content Center (VISC) has ceased its operations and the functions and tasks of VISC have been taken over by the State Education Development Agency (VIAA). Next, the VISC website (hereinafter – the VISC Website) is opened and the “Privacy Policy” published on it, which contains the following information: “The personal data controller of the unified platform of websites is the State Chancellery (SC). The personal data processors of the Unified Website Platform are the institutions whose websites are hosted on the Unified Website Platform, the platform operator – the State Digital Development Agency (VDAA), the website host – the Information Centre of the Ministry of the Interior (IeMIC) and the technical service provider – the Latvian State Radio and Television Centre (LVRTC).” General information on the operation of the unified platform of websites, its maintenance, as well as information on cookies (definition, types, opt-out options) is also provided.

¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2018 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
² Inspection report of 13 January 2025[..]r.

In general, during the inspection, it was found that the Website uses optional cookies before the consent of the website user is obtained and no consent mechanism (banner) has been developed so that the Website user can agree or refuse the use of cookies.
It was also found that the Website does not have a privacy policy published, while the privacy policy available on the VISC website is not appropriate for the processing of personal data on the Website using cookies, and also misleads the Website visitors, as it does not provide clear information about who is responsible for the data processing on the Website.

[2.2.] Based on the information obtained as a result of the inspection and upon detection of violations, an inspection case No. [..] (hereinafter – the Case) was initiated regarding Processing of personal data on the website using cookies.

[2.3] Considering that the inspection did not reveal correct information about who is the controller of the personal data processing on the website using cookies, the Inspectorate contacted the State Chancellery, registration number 90000055313, and the VIAA and received a response from the VIAA, from which it follows that the controller of the personal data processing on the website since 1 January 2025 is the VIAA.

[3] Taking into account the findings in paragraphs [1.-2.] of this decision, the Inspectorate concludes the following.

[3.1] According to the Data Protection Regulation, cookies and other tracking technologies that can be used⁷ for profiling or identifying users are to be considered as personal data and are therefore subject to the requirements of the Data Protection Regulation. The Court of Justice of the European Union has also held that the use of cookies constitutes the processing of personal data of data subjects, which is subject to data protection requirements.

[3.2] According to Article 4(7) of the Data Protection Regulation, the controller is responsible for the compliance of the processing of personal data¹⁰ and, according to the information provided by the VIAA, the VIAA is the controller of the processing of personal data carried out on the Website.
This means that the VIAA, as a controller, must comply with the basic principles of personal data processing set out in Article 5 of the Data Protection Regulation when processing personal data, according to which:
1) personal data must be processed in a lawful, fair and transparent manner;
2) personal data shall be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes;

³ https://www.visc.gov.lv/lv
⁴ https://www.visc.gov.lv/lv/privatuma-politika
⁵ Inspection letter of 15 January 2025 [..]
⁶ VIAA letter of 27 January 2025 No. [..]
⁷ Personal data means any information which can be used to identify a natural person, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the Data Protection Regulation)
⁸ Article 4(1) of the Data Protection Regulation; Recitals 26 and 30
⁹ Preliminary judgment of the Court of Justice of the European Union of 5 June 2018 in Case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, available at: http://curia.europa.eu/juris/document/document.jsf?text=s%25C4%25ABkdatnes&docid=202543&pageIndex=0&doclang=lv&mode=req&dir=&occ=first&part=1&cid=4970214#ctx1
¹⁰ the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data [..]
3) personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4) personal data shall not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed;
5) personal data shall be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by means of appropriate technical or organisational measures.

In accordance with Article 6(1) of the GDPR, the processing of personal data by a controller shall be lawful only to the extent and only where at least one of the following legal grounds applies: consent, performance of a contract, legal obligation, public interest, protection of vital interests and legitimate interests. Furthermore, in accordance with the principle of accountability set out in Article 5(2) of the GDPR, it is the controller that is required to ensure that the processing of personal data by the controller complies with the requirements of the data protection legislation.

In view of the above, the Inspectorate points out that only by observing the fundamental principles specified in Article 5 of the Data Protection Regulation and if one of the legal bases specified in Article 6(1) of the Data Protection Regulation exists, the processing of personal data can be recognized as lawful. On the other hand, if the aforementioned conditions are not observed, the processing of personal data by the controller does not comply with the requirements of the Data Protection Regulation and may not be carried out.
Thus, before carrying out the processing of personal data, the controller must assess whether there is a legitimate and legitimate purpose for the planned processing of personal data, whether this purpose can be achieved by the planned processing of personal data and whether this purpose cannot be achieved by processing personal data to a lesser extent, in a different way or by not processing them at all.

In addition to ensuring the legal basis and compliance with the principles of data processing, the controller must also ensure compliance with other requirements of the Data Protection Regulation and the Data Protection Act, including the rights of the data subject referred to in Chapter III of the Data Protection Regulation, including the obligation of the controller in Article 12(1) of the Data Protection Regulation to take appropriate measures to provide the data subject with all information referred to in Articles 13 and 14 in a concise, transparent and easily accessible manner, using clear and plain language, and to ensure all communications referred to in Articles 15 to 22 and Article 34 relating to the processing. Although the Data Regulation does not require that all information regarding the processing of personal data by the controller must be provided on the controller’s website, the Data Regulation requires that the information in question be easily accessible, clearly understandable and transparent to all data subjects.

In compliance with the requirements of the aforementioned legal framework, with regard to the processing of personal data using cookies, the Inspectorate clarifies that, with regard to the use of strictly necessary (technical) cookies, the controller is obliged to provide the data subject with all information required by the Data Regulation regarding the processing of data using cookies (including but not limited to the types of cookies used, the purpose of the data processing, the controller for the data processing, etc.).
In turn, with regard to the processing of personal data on the Website using cookies that are not strictly necessary (technical) cookies, the Inspectorate explains that, in addition to the above-mentioned obligation to provide information, prior and informed consent is also required, as Article 7, paragraphs 1 and 2 of the Information Society Services Law (hereinafter - ISPL) stipulates that the storage of information in the subscriber's or user's terminal equipment or the acquisition of access to information stored in the terminal equipment is permitted if the subscriber or user concerned has given his or her consent¹² after receiving clear and comprehensive information about the purpose of the aforementioned processing in accordance with the Data Regulation.

¹¹ Article 5(1)(a) (‘lawfulness, fairness and transparency’), (b) (‘purpose limitation’), (c) (‘data minimisation’), (e) (‘storage limitation’) and (f) (‘integrity and confidentiality’) of the Data Protection Regulation.
¹² The consent referred to in the first subparagraph of this Article shall not be required where the storage of information in the terminal equipment or the access to information stored in the terminal equipment is necessary for the flow of information in an electronic communications network or for the intermediary service provider to provide a service requested by the subscriber or user.

In addition, Article 7(3) of the Data Protection Regulation requires the controller to ensure that the data subject can withdraw his or her consent at any time as easily as he or she gave it. The Data Protection Regulation does not require that the consent and the withdrawal of consent must always be done by the same act. However, if consent is obtained by electronic means and with just a single mouse click, swipe or keystroke, data subjects should be able to withdraw this consent just as easily in practice.
The requirement for easy withdrawal is described in the Data Regulation as a necessary aspect of valid consent. If the right of withdrawal does not comply with the requirements of the Data Regulation, then the controller's consent mechanism does not comply with the Data Regulation. According to Article 7(3) of the Data Regulation, the controller must inform the data subject about the right of withdrawal before the actual consent is obtained.

The Inspectorate notes that in the specific case, the controller (VIAA) has not provided the Website user with the right to consent or not to consent to the processing of cookies, as no banner has been developed/created. During the inspection, it was found that analytical and marketing cookies are processed on the Website without the consent of the Website user.

In addition, we explain that when using cookies, the data subject's consent does not need to be obtained for all cookies used on a particular Website. Namely, technical, including security-related cookies do not require the data subject's consent to be used on the Website, just as personalized cookies do not require the data subject's consent, but the consent of the user must be obtained to process analytical or marketing cookies. Namely, the controller must obtain the data subject's consent before any other actions are performed on the Website, including even in cases where the visitor, for example, does not register as a customer on the Website, but only views the Website as such.

In addition, the Inspectorate indicates that the Website, without providing a clear, easily understandable and transparent privacy policy, makes it difficult for data subjects to obtain the necessary information about the processing of personal data on the Website.
In addition, the privacy policy published on the VISC website is general, does not apply to the Website and the State Chancellery is indicated as the controller, but according to the information provided by the VIAA, the controller is the VIAA.

The Inspectorate informs that its website (https://www.dvi.gov.lv/lv/dvi) contains guidelines “Guidelines for the use of cookies on a website”, which provide recommendations for controllers who install cookies and use them to obtain information (process personal data). In addition, we invite to familiarize yourself with the Inspectorate’s explanations “Our website uses cookies, please agree!” (https://www.dvi.gov.lv/lv/jaunums/dviskaidoro-musu-timekla-vietne-tiek-izmantotas-sikdatnes-ludzu-piekritiet), “What should I know about cookies?” (https://www.dvi.gov.lv/lv/jaunums/dviskaidoro-kas-man-jazina-par-sikdatnem-jeb-cookies).

[3.3] Taking into account the above, with regard to the use of cookies on the Website, it can be concluded that analytical and marketing cookies are used without the consent of the user (data subject), and that a free and informed option to consent or refuse the use of cookies on the Website in accordance with the requirements of the Data Regulation is not actually provided. It follows that the storage of information on the subscriber's or user's terminal device is carried out without the legal basis specified in Article 6(1) of the Data Regulation, namely without the informed consent of the data subject.

Based on the above, the Inspectorate finds that the processing of personal data on the VIAA Website using cookies does not currently comply with the requirements of Article 5(1)(a), Article 6(1), Article 7, and Article 7¹, paragraph 1, of the Data Regulation.
[4] We would like to inform you that the Inspectorate implements the “Consult first” principle in its activities, which provides that the primary tasks of the Inspectorate are the effective protection of personal data (providing instructions on deficiencies identified in the processing of personal data by the controller and providing proposals for their elimination) and in the event of unlawful processing of personal data, taking the necessary steps to bring it to an end as soon as possible, thereby minimising the damage caused to the data subject.

¹³ 1
¹⁴ Article 7, paragraph 2 of the Information Society Services Law
¹⁵ Article 7, paragraph 1 of the Information Society Services Law
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Article 5(3), Recital 25

[5] Article 58(2)(d) of the Data Protection Regulation provides for the Inspectorate to issue an order to the controller or processor to bring processing operations into compliance with the provisions of the Data Protection Regulation, where necessary, in a specific manner and within a specific period. Article 23 of the Data Protection Regulation provides that the Inspectorate shall, when taking decisions on the imposition of a legal obligation, apply the Administrative Procedure Act (hereinafter referred to as the APL).

[5.1] Taking into account the above and the fact that VIAA has established violations of the provisions of the Data Regulation, the Inspectorate, in accordance with the first paragraph of Article 62 of the APL, when deciding on the issuance of an administrative act that could be unfavourable to the addressees, the institution (in this case the Inspectorate) is required to ascertain and evaluate the views and arguments of the addressees in this case.
In turn, Article 62, paragraph two, point 3) of the APL stipulates that ascertaining the views and arguments of a person is not necessary if it follows from the nature of the case that ascertaining the views of a person is impossible or inadequate. Taking into account the factual circumstances indicated in this decision, namely that a violation has been established, ascertaining the views of the addressee (VIAA) before issuing a decision is not useful, because the views or arguments of the VIAA cannot affect the decision on the merits.

[5.2] In accordance with the first paragraph of Article 66 of the APL, it is necessary to decide on the expediency of issuing an administrative act. Namely, when making a decision on the prevention of unlawful personal data processing, the Inspectorate must assess the possibility of deciding on a lesser restriction of the rights of the individual.

When assessing the necessity and need for an administrative act, the Inspectorate concludes that the adoption of a decision is both necessary and necessary to achieve the objective – to prevent violations of the provisions of the Data Regulation and the ISPL in the processing of personal data by the VIAA using cookies. An administrative act is an appropriate means of achieving the objective, as it creates a legal obligation on the VIAA to eliminate the identified violations within a specific procedural deadline, as well as prevents the occurrence of similar violations in the future. An administrative act is considered the most proportionate means of achieving the objective, as it is considered more lenient in comparison with a decision on the imposition of an administrative penalty. At the same time, the imposition of a legal obligation is aimed at ensuring the fundamental right of the data subject to the protection of personal data provided for in the Data Regulation, the Data Law and other regulatory enactments.
In view of the above, the Inspectorate, based on Article 58(1)(e) and (2)(d) of the Data Regulation, Article 23 of the Data Regulation, Article 5(1)(3) and 6 of the Data Law, Article 13(1) of the ISPL and Article 63(1)(2) of the APL, decides:

to oblige VIAA, by 11 March 2025, when processing personal data using cookies, to ensure compliance with and observance of the requirements of the Data Regulation and the Data Law, including:
1) to make necessary changes to the Website, providing the user with all the necessary information regarding the processing of personal data (including cookies) in a clear, easy-to-understand and user-friendly manner, so that the data subject can make an informed choice (to place an information banner regarding cookies);
2) ensure an appropriate legal basis for the processing of personal data carried out on the Website using cookies and compliance with other requirements of the Data Regulation, the Data Law and the ISPL, in particular by ensuring an appropriate “consent mechanism” so that subjects have the opportunity to consent to or refuse the use of optional cookies;
3) develop a privacy policy appropriate to the Website or make the necessary changes and additions to the VIAA privacy policy, indicating to which privacy policy applies, as well as clearly indicating who is the controller of the specific websites, thus ensuring clear and understandable provision of information to data subjects;
4) review and eliminate other possible inconsistencies in the processing of personal data carried out by VIAA.

To notify in writing about the execution of the decision by March 17, 2025, by submitting information on the execution of the decision to the Inspectorate.

In accordance with the first and second parts of Article 70 of the APL, the decision enters into force from the moment it is notified to the addressee, while the decision is notified to the addressee in accordance with the Notification Law.
The first part of Article 9 of the Notification Law stipulates that a document shall be notified to the official electronic address in the cases and in accordance with the procedure specified in the Official Electronic Address Law, if the addressee has an activated official electronic address account. A document sent to an official electronic address shall be deemed to have been notified on the second business day after its sending. Article 5, part one, point 2) of the Official Electronic Address Law stipulates that the use of an official electronic address is mandatory for a legal entity registered in the registers or a “legal person”. Section 12, Part One of the Official Electronic Address Law provides that, if an official electronic address account is activated, a state institution and a private person shall communicate electronically and an electronic document shall be sent using the official electronic address. [..]

This decision, in accordance with Section 76, Parts One and Two, Section 79, Part One and Section 24, Part One of the Data Law, may be appealed within one month from the date of its entry into force to the Director of the State Data Inspectorate.

Deputy Director L. Dilba [..]

¹⁶ Last day for submitting a written response by post or sending it electronically with a secure electronic signature.