The Danish Data Protection Agency (DPA) has severely criticised Danish provider of i.a. weather forecasts and other climatic information, the Danish Meteorological Institute’s (DMI) processing of personal data in connection with displaying banner ads on its website dmi.dk.
Following the filing of the complaint, DMI became aware of the problem and changed the way in which consent is collected and personal data processed about the website users of dmi.dk.
The DPA found that neither DMI’s former nor current solution for collecting consent for processing of personal data on the users of dmi.dk complied with the requirements of Article 4 (11) of the GDPR on the data subject’s consent, and Article 5 (1) lit a of the GDPR on the basic principle about lawfulness, fairness and transparency.
The DPA took into account that the action needed for agreeing to provide contrary to rejecting to provide one’s consent was unbalanced. Website users had to click through more steps to reject than to provide their consent. According to the DPA, such solution is neither sufficiently clear nor transparent for users of the website. In other words, website users must not indirectly be pushed in the direction of providing a consent rather than rejecting.
The DPA also found that DMI’s processing of personal data about the complainant when collecting and transferring to Google was - and is - contrary to Article 6 of the GDPR, seeing that neither DMI nor Google have had any lawful basis for processing because the users had not provided their consent for such, and no other legal basis for processing could be identified.
Given this matter, the Danish DPA has drawn up new guidelines on the processing of personal data on website users; the guidelines are available here (in Danish).
The decision is in accordance with the ruling of the Court of Justice of the European Union regarding Planet49, in which the Court held that consent for using cookies is not valid if consent is provided on the basis of a preticked box. The ruling was among others reasoned by the fact that a consent can only be considered as an actual acknowledgement of a commitment when provided by active behaviour (“opt-in”). The requirement for consent applies regardless of whether the cookies are used for processing of personal data. Read the decision about Planet49 here.
The Spanish data protection authority ("AEPD") has issued no less than 5 fines totalling EUR 302,000 to the telecommunications provider Vodafone España, S.A.U.
Among others, Vodafone was issued a fine of EUR 42,000 for granting a complainant access to other persons’ data (third party data) while using a personal Vodafone profile. Vodafone had not ensured the integrity and confidentiality of personal data which is contrary to Article 5 (1) lit f of the GDPR.
Vodafone was also fined EUR 75,000 because a former customer continued to receive invoice notifications although there at the time were no contractual obligations nor due payments tracing back to the expired contract between the customer and Vodafone. Vodafone claimed that a technical error had caused the submissions.
The remaining three decisions concerned violation of Article 5 of the GDPR on failing to comply with general principles for processing of personal data and Article 6 on lacking lawful basis for processing of personal data. The three decisions are available in Spanish here: No. 1, No. 2, and No. 3 .
The Spanish AEPD found that a cafeteria did not comply with its obligations under Article 5 of the GDPR, as the cafeteria had placed its surveillance cameras in such way as to monitor a public area outside its premises, which disproportionately affected pedestrians.
The cafeteria was imposed with a modest fine of EUR 1,500.