publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Summary Final Decision Art 60
Investigation

Compliance order

Background information
Date of final decision: 16 December 2019
LSA: FR
CSAs: BE, DE-Rhineland-Palatinate, DK, ES, IT, HU, LU, PL, PT, SE, SK
Legal Reference: Transparency and Information (Articles 12, 13 and 14), Right to erasure (Article 17), Right to object (Article 21), Security of processing (Article 32)

Decision: Order to comply
Key words: Transparency and Information, Right to Erasure, Right to Object, Security of Processing, E-Commerce, Direct Marketing, Children, Consumers

Summary of the Decision

Origin of the case
The LSA conducted two on-site investigations at the controller’s premises to audit the controller’s compliance with the GDPR and tested the procedure set up by the controller to create an account.

Findings
The controller is a company offering subscription to educational magazines for children. On the basis of the investigation, the LSA found several GDPR infringements. First of all, several breaches of the obligation to inform data subjects, enshrined in articles 12 and 13 GDPR, were identified. No information relating to data protection nor link to the controller’s Terms and Conditions was given to the data subjects upon registration or when placing an order. As a consequence, the information was considered to be not accessible enough.
The Terms and Conditions did not include any information on the legal basis for processing, on the retention period and on the individual rights to restriction of processing, data portability, or to submit a claim to a supervisory authority. Although the target audience was French-speaking and the website is fully in French, the “unsubscribe” button in the newsletter and marketing emails was hyperlinked to a text in English, asking for confirmation. An additional hypertext link was included in the final page (titled “Clicking here”): this is misleading for the user, as clicking on such link actually resulted in a new subscription.

Secondly, a breach of the obligation to comply with the request to erase data was identified, as personal data was not erased systematically when requested by data subjects although there was no legal requirement to keep it and although users had been informed of the erasure of the data.

Last, there was a breach of the obligation to ensure the security of data, concerning passwords, locking of workstations, and access to data. More specifically, the password requirements and methods for processing the passwords were found to be non-compliant with the obligation to implement technical and organisational measures to ensure a level of security appropriate to the risk, since authentication was based on insufficiently complex passwords and obsolete hash algorithms. Additionally, the computer used by one of the database’s administrators was configured to never automatically lock or go on sleep mode. With regard to access to data, the absence of specific identification (i.e. the use of the same account by several people) made it impossible to ensure access traceability.

Decision
The LSA ordered the controller to comply, within two months of the notification of the decision, with several specific instructions.
First, the controller was ordered to provide full information to data subjects about the processing activities, in an easily accessible manner. Additionally, the LSA ordered the controller to set up a procedure for unsubscribing that is compliant with Articles 12 and 21 GDPR.
Secondly, the controller was ordered to ensure the effectiveness of all requests to exercise the right of erasure.
Last, the authority ordered the controller to take appropriate security measures to protect personal data and prevent access thereto by unauthorised third parties (by setting up a new password policy, avoiding the transmission of passwords in clear text, ensuring that workstations go on sleep mode, and setting up individual accounts).


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Please see also EDPB Copyright page

publishable_fr_2019-06_art_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 17 June 2019
LSA: FR
CSAs: BE, ES, LU, DE-Lower Saxony, DE-Rhineland-Palatinate, DE-Berlin, IT
Legal Reference: Security of processing (Article 32)

Decision: No violation of art. 32 GDPR and recommendation on the adoption of technical measures
Key words: Consumers, e-commerce, security of data

Summary of the Decision

Origin of the case
This case concerned a complaint lodged by a data subject regarding the fact that the username and password for access to a website operated by the controller were given to him via a plain text email.

Findings
After correspondence with the controller, the LSA reached the conclusion that it did not communicate to its users or store in its databases plaintext passwords. However, the LSA found that, despite its assertions to the contrary, the controller did not operate a captcha system and only operated an access temporization system of 1 second.

Decision
The LSA closed the case regarding the complaint and recommended to the controller to introduce a captcha system and enhance access temporization to 1 minute after 5 failed attempts and introducing a limit of 25 attempts within 24 hours.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-06_art_32_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cz_2019-07_lawfulnessoftheprocessing_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Violation of Article 24(1)

Background information
Date of final decision: 11 July 2019
LSA: CZ
CSAs: All
Legal Reference: Principles relating to processing of personal data (Article 5); Lawfulness of the processing (Article 6); Responsibility of the controller (Article 24)

Decision: Violation
Key words: Concept of personal data, Accountability, Consumers

Summary of the Decision

Origin of the case
A complaint was filed with the Dutch SA concerning the processing of personal data of the users of the antivirus software provided by the controller, and specifically the protection granted to users of the free version of the software compared to that granted to the paying users.

Findings
In its inspection report, the LSA concluded that the inspected party failed to comply with Articles 5(2) and 24(1) GDPR, which was interpreted as the obligation to take into account all relevant circumstances surrounding the processing and to adopt a set of measures to ensure that all personal data processing is carried out exclusively under pre-defined conditions that the controller is able to regularly check and enforce. This stemmed from the conclusion that the inspected party, despite its assertions to the contrary, was indeed processing personal data (e.g. IP addresses), based on the Court of Justice case law, and was acting as a data controller.
The controller filed several objections to the inspection report, arguing inter alia that no processing of personal data was involved, that it was not to be universally considered as a data controller, and that sufficient information to properly show compliance with Articles 5(2) and 24(1) GDPR was provided.
The last objection was partially accommodated by the LSA, which concluded that only an infringement of Article 24(1) GDPR had been ascertained, whereas no specific breach of Article 5(2) followed from the documentation.

Decision
The controller was found to have violated Article 24(1) GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cz_2019-07_lawfulnessoftheprocessing_summarypublic.pdf

Please see also EDPB Copyright page