Excerpt
The company was held liable for insufficient clarity in information, and the absence of a clear cookie policy or consent for the use of cookies.
Our analysis
In this case, the data subject lived in social housing provided by the controller and raised multiple issues at different times. These issues included inadequate information provided when exercising the right of access, an insufficiently secure website with a vague privacy policy, no clear cookie policy, and no consent asked for the usage of cookies. The retention period of personal data was also not disclosed, and it was unclear why certain personal data of a medical nature was required. The DPA held that a privacy policy should serve to fully inform the data subject about what is actually done with his or her personal data and in what context those data are processed. Any processing of personal data should be lawful, fair, and transparent. Data subjects should be clearly informed of what data is being processed, how the processing is being carried out, and why the personal data is being processed. However, the Privacy Sheet presented did not adequately inform the data subjects, particularly as they were socially disadvantaged people for whom the language used must be clear and plain. The DPO was not properly designated or communicated to the data subject, and the DPO was not involved in all data protection matters, breaching Article 38(1) GDPR. Additionally, no consent was asked for the Google-DoubleClick.net cookie, breaching Article 6(1) GDPR. The processing of personal data through cookies without consent is not legally valid.
Outcome
The DPA has ordered a private housing company to become compliant with data protection regulations within three months and pay a fine of €1500. The DPA does not consider the housing company to be a "public authority or public body" under Article 83(7) of the DPA, which exempts such bodies from administrative fines. This concept is defined by Union law and is subject to an autonomous and uniform interpretation by Union institutions, particularly the Court of Justice.
Parties
Mr X (The complainant) and Y Housing company (The defendant)
Case number
73/2020
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
The trick wording deceptive pattern takes advantage of user expectations and ambiguous language to mislead and deceive users. It is normal for users to scan-read when they are online, as a way to cope with the sheer volume of information they are faced with. This means they don't read and dwell on every word on every page. Trick wording usually takes advantage of the scan reading strategy, by making a piece of content look like it is saying one thing, when in fact it is saying something else that is not in the user's best interests.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
Legal bases for processing personal data are performance of a contract, compliance with a legal obligation, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Grants individuals the right to access their personal data and receive information on how it is processed.
Outlines the appointment of a Data Protection Officer (DPO) for certain organizations.
Requires the appointment of a Data Protection Officer (DPO) in certain circumstances.