Henrik Christian Strand of Holst, Advokater comments on selected GDPR decisions from the month of February 2020
Danish Meteorological Institute’s cookie consent subject to criticism
The Danish Data Protection Agency (DPA) has severely criticized the processing of personal data by the Danish Meteorological Institute (DMI), the Danish provider of weather forecasts and other climatic information, in connection with displaying banner ads on its website dmi.dk.
Following the filing of the complaint, DMI became aware of the problem and changed the way in which consent is collected and personal data about the users of dmi.dk is processed.
The DPA found that neither DMI’s former nor its current solution for collecting consent for the processing of personal data on the users of dmi.dk complied with the requirements of Article 4 (11) of the GDPR on the data subject’s consent, and Article 5 (1) lit. a of the GDPR on the basic principle of lawfulness, fairness and transparency. The DPA took into account that the actions needed to give consent and to refuse consent were unbalanced: website users had to click through more steps to reject than to provide their consent. According to the DPA, such a solution is neither sufficiently clear nor transparent for users of the website. In other words, website users must not be indirectly pushed in the direction of providing consent rather than rejecting.
The DPA also found that DMI’s processing of personal data about the complainant, in collecting the data and transferring it to Google, was – and is – contrary to Article 6 of the GDPR, seeing that neither DMI nor Google has had any lawful basis for the processing: the users had not provided their consent to it, and no other legal basis for the processing could be identified. In light of this case, the Danish DPA has drawn up new guidelines on the processing of personal data on website users.
The decision is in accordance with the ruling of the Court of Justice of the European Union in Planet49, in which the Court held that consent for using cookies is not valid if it is provided on the basis of a pre-ticked box. Among other things, the Court reasoned that consent can only be considered an actual acknowledgement of a commitment when it is provided by active behaviour (“opt-in”). The requirement for consent applies regardless of whether the cookies are used for processing of personal data.
Multiple fines imposed on Vodafone in Spain
The Spanish data protection authority (“AEPD”) has issued no fewer than 5 fines totalling EUR 302,000 to the telecommunications provider Vodafone España, S.A.U.
Among other things, Vodafone was issued a fine of EUR 42,000 for granting a complainant access to other persons’ data (third party data) while the complainant was using a personal Vodafone profile. Vodafone had not ensured the integrity and confidentiality of personal data, which is contrary to Article 5 (1) lit. f of the GDPR.
Vodafone was also fined EUR 75,000 because a former customer continued to receive invoice notifications although at the time there were neither contractual obligations nor due payments tracing back to the expired contract between the customer and Vodafone. Vodafone claimed that a technical error had caused the notifications to be sent. The remaining three decisions concerned violations of Article 5 of the GDPR, for failing to comply with the general principles for processing of personal data, and of Article 6, for lacking a lawful basis for the processing of personal data.
No permit for TV surveillance of a public area
The Spanish AEPD found that a cafeteria did not comply with its obligations under Article 5 of the GDPR, as the cafeteria had placed its surveillance cameras in such a way as to monitor a public area outside its premises, which disproportionately affected pedestrians. A modest fine of EUR 1,500 was imposed on the cafeteria.
If you would like to obtain a copy of the decisions, please do not hesitate to contact me.