Datatilsynet (Denmark) - 2021-31-5282

From GDPRhub
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(1) GDPR
Article 4(11) GDPR
Article 6 GDPR
Article 6(1)(a) GDPR
Article 7 GDPR
Recital 30 GDPR
Type: Complaint
Outcome: Upheld
Started: 05.07.2021
Decided:
Published: 23.12.2021
Fine: n/a
Parties: Leadwise A/S
National Case Number/Name: 2021-31-5282
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

English Summary

The Danish DPA criticised that Leadwise collected personal data on letfinans.dk without valid consent. The DPA found, among other things, that the consent solution did not comply with the GDPR, as the consent was not sufficiently informed.

Facts

Leadwise’s website letfinans.dk presented the data subject with a consent solution that he could accept, decline, or view in detail.

The data subject found, when visiting this website, that prior to the data subject’s interaction with the consent solution, several cookies were placed on his computer, including from third parties such as Google and Facebook.

The data subject informed Leadwise that he believed that the processing of information about him was in breach of the GDPR. Leadwise responded to the request and denied the allegations.

Subsequently, on 9 August 2021, the data subject filed a complaint with the Danish DPA about the processing of information about him on Leadwise's website letfinans.dk.

On 20 June 2022, the Danish DPA noted that Leadwise had changed its consent solution but did not give an opinion on the validity of the amended consent solution.

Holding

The Danish DPA found that Leadwise’s processing of personal data has not been carried out in accordance with Article 6 GDPR. They highlighted that the information about the data subject, collected through use of cookies, was gathered before the necessary consent was obtained, which is not acceptable under Article 6(1)(a) GDPR.

The Danish DPA assumed that Leadwise placed its own and third-party cookies on its website letfinans.dk with the intention to collect personal data for different purposes, such as statistics and marketing.

Furthermore, the Danish DPA emphasized that the consent solution, which appeared on letfinans.dk, does not meet the requirements of Article 4(11) and Article 7 GDPR for a valid consent. The Danish DPA underlined that Leadwise’s consent solution did not meet the information requirements set out in Article 4(11) GDPR. It does not state that data subjects have the right and opportunity to withdraw their consent at any time.

The Danish DPA expressed serious criticism about the way Leadwise processed personal data.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Serious criticism of Leadwise's consent solution on letfinans.dk

Date: 23-12-2022

Decision, Private companies, Serious criticism, Complaint, Cookies / processing of personal data about website visitors, Processing basis

The Danish Data Protection Authority has expressed serious criticism that Leadwise collected personal data on letfinans.dk without valid consent. The supervisory authority found, among other things, that the consent solution did not comply with the rules, as the consent was not sufficiently informed.

Journal number: 2021-31-5282

Summary

Based on a specific complaint, the Danish Data Protection Authority initiated a case in 2021 regarding the placement of cookies on Leadwise A/S' website letfinans.dk.

The complainant was presented on the website with a consent solution with the tick options: ABSOLUTELY NECESSARY, PERFORMANCE, TARGETING, FUNCTIONALITY, UNCLASSIFIED. ABSOLUTELY NECESSARY was pre-ticked, while the other options were not pre-ticked.

The options "ACCEPT ALL", "REJECT ALL" and "SHOW DETAILS" appeared below.

In connection with the visit to the website, the complainant was able to ascertain that, before interacting with the consent solution, a number of cookies were placed on his computer, including from third parties such as Google and Facebook.

In the decision, the Danish Data Protection Authority emphasized that personal data about the complainant was processed before he had given his consent to the processing. In addition, the supervisory authority found that the consent solution did not meet the requirements for a valid consent, as it was, for example, not sufficiently informed, and since no information was given about the possibility of withdrawing consent.

On the basis of the above, the supervisory authority expressed serious criticism.

During a visit to the website letfinans.dk on 20 June 2022, the Danish Data Protection Authority found that Leadwise has changed the consent solution. With this decision, the supervisory authority has not taken a position on the validity of the amended consent solution.

Decision

The Danish Data Protection Authority hereby returns to the case where the complainant on 5 July and 9 August 2021 complained to the Danish Data Protection Authority about the processing of information about him by Leadwise A/S on the website www.letfinans.dk.

The Danish Data Protection Authority must note that the Danish Data Protection Authority can only take a position on data protection legal issues. With this decision, the Danish Data Protection Authority has therefore not taken a position on the rules in executive order no. 1148 of 9 December 2011 on requirements for information and consent when storing or accessing information in end-user terminal equipment (the cookie executive order).

1. Decision

After a review of the case, the Danish Data Protection Authority finds that there are grounds for expressing serious criticism that Leadwise's processing of personal data has not taken place in accordance with the rules in Article 6 of the Data Protection Regulation[1].

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

It appears from the case that the complainant visited the website www.letfinans.dk. In this connection, he was met with a consent solution, from which the following appeared:

"This website uses cookies

This website uses cookies to improve the user experience. By using our website, you consent to all cookies in accordance with our cookie policy. Read more"

Below the text appeared the tick options ABSOLUTELY NECESSARY, PERFORMANCE, TARGETING, FUNCTIONALITY, UNCLASSIFIED.

ABSOLUTELY NECESSARY was pre-ticked, while the other options were not pre-ticked.

Underneath the tick options appeared the options "ACCEPT ALL", "REJECT ALL" and "SHOW DETAILS".

In connection with the visit to www.letfinans.dk, the complainant found that - before the complainant's interaction with the consent solution - a number of cookies were placed, including cookies from third parties such as Facebook and Google.

The complainant contacted Leadwise and pointed out that he believed that Leadwise was processing information about him in breach of data protection rules.

Leadwise responded to the inquiry on 26 July 2021. The following appears from the response:

"We do not process any personal data and do not send any personal data on our website when you simply visit it without making a loan application. (If you make a loan application, you must give consent) The examples you send are just for a visitor counter in Google Analytics, which counts the number of visitors to the website completely anonymously, and the Trustpilot example is just a widget on the website that shows our Trustpilot reviews without sending any kind of personal data."

The complainant then lodged a complaint with the Danish Data Protection Authority on 9 August 2021. The Danish Data Protection Authority submitted the complaint for hearing on 10 September 2021 and requested an opinion from Leadwise.

On 30 September 2021, Leadwise sent a statement to the case, in which Leadwise explained the company's processing of information and use of cookies on the website www.letfinans.dk.

The statement was sent to the complainant on 13 October 2021, after which the complainant sent comments on the same day. The comments were sent to Leadwise on 1 November 2021. Leadwise stated on 15 November 2021 that the complainant's comments did not give Leadwise reason for further action.

2.1. Complainant's comments

The complainant has generally stated that Leadwise has processed information about him on the website www.letfinans.dk in violation of the data protection rules.

The complainant has stated as a reason for this that Leadwise has collected information about his visit to the website www.letfinans.dk without his consent, as Leadwise - prior to the complainant's possible consent - placed cookies and thus processed a range of information about him.

In this connection, the complainant has referred to a video which can be accessed at www.youtube.com[2], where the complainant has documented Leadwise's placement of cookies before the complainant has accepted or refused to consent to this.

2.2. Leadwise's comments

Leadwise has generally stated that all website visitors to www.letfinans.dk are asked to decide on cookies, and that the processing of information about website visitors, including the complainant, thus takes place on the basis of the data subject's consent.

In relation to the detailed processing of personal data through the use of cookies, Leadwise has referred to the company's privacy and cookie policy, from which the following appears:

"In order to improve the user experience and generally improve Letfinans as a service, we also collect and process data that shows your user behavior on the page and the time of this.

We use different types of cookies and other similar technologies on the website. Cookies are a standard feature on websites that allow us to save small amounts of data on your computer that tells about you or your visit to the website. Cookies help with information about which areas of the website are useful and which need to be improved, as well as for statistics and marketing. You can read more about our cookie policy here".

3. Reason for the Data Protection Authority's decision

3.1.

It appears from Article 4, No. 1 of the Data Protection Regulation that personal data means any type of information about an identified or identifiable natural person ('the data subject'); identifiable natural person means a natural person who can be directly or indirectly identified, in particular by an identifier such as a name, an identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

In more detail, preamble consideration no. 30 of the data protection regulation states that natural persons can be associated with online identifiers provided by their devices, applications, tools and protocols, such as IP addresses and cookie identifiers, or other identifiers, such as radio frequency identification tags. This can leave traces that, especially when combined with unique identifiers and other information received by the servers, can be used to create profiles about natural persons and identify them.

It appears from Article 6, subsection 1 of the Data Protection Regulation that the processing of personal data is only lawful if and to the extent that at least one of the conditions in letters a-f applies.

From letter a, it appears that personal data can be processed if the data subject has given consent to the processing of his personal data for one or more specific purposes.

According to Article 4, No. 11 of the Data Protection Regulation, consent is understood as any voluntary, specific, informed and unequivocal expression of will from the data subject, whereby the data subject, by declaration or clear confirmation, consents to personal data relating to the person concerned being made the subject of processing.

In addition to the conditions in Article 4, No. 11, in order to be valid, consent must also meet the requirements of Article 7 of the Data Protection Regulation. This means, among other things, that the data subject has the right to withdraw his consent at any time, and that the data subject is informed of this before consent is given, cf. Article 7, subsection 3.

3.2.

The Danish Data Protection Authority assumes that Leadwise processes personal data about website visitors using cookies on the website www.letfinans.dk, and that the data is processed for several different purposes, including, for example, statistics and marketing.

The Danish Data Protection Authority also assumes, on the basis of the information in the case, including the video that the complainant has made available on YouTube, that Leadwise placed its own and third-party cookies - and thus collected personal data - before the complainant had the opportunity to possibly consent to this.

On this basis, the Danish Data Protection Authority finds that Leadwise's processing of information about the complainant in connection with his visit to the website www.letfinans.dk has not taken place in accordance with Article 6, subsection 1, letter a of the Data Protection Regulation. Emphasis has been placed on the assessment that information about the complainant, which was collected through the use of cookies, was collected before the necessary consent had been obtained.

The Danish Data Protection Authority has also emphasized that the consent solution, which appeared on www.letfinans.dk, does not otherwise meet the requirements set out in Article 4, No. 11 and Article 7 for a valid consent.

In this connection, the Danish Data Protection Authority has placed particular emphasis on the fact that the consent given at www.letfinans.dk does not meet the information requirement set out in Article 4, No. 11 of the Data Protection Regulation, and that it does not appear that the website visitor has the right (and opportunity) to withdraw his consent at any time.

The consent which Leadwise obtained at www.letfinans.dk could therefore, for that reason alone, not constitute a basis for processing personal data according to Article 6, subsection 1, letter a of the Data Protection Regulation, and the Danish Data Protection Authority as a result finds that there are grounds for expressing serious criticism of Leadwise's processing of information about the complainant through the use of cookies on www.letfinans.dk.

In conclusion, the Danish Data Protection Authority notes that the Danish Data Protection Authority can ascertain from a visit to the website www.letfinans.dk on 20 June 2022 that Leadwise has changed the consent solution. With this decision, the Danish Data Protection Authority has not taken a position on the validity of the amended consent solution.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2] https://www.youtube.com/watch?v=9rzaWhEwTfU