Definition
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Excerpt
- Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
  - the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  - the contact details of the data protection officer, where applicable;
  - the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
  - the recipients or categories of recipients of the personal data, if any;
  - where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
- In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
  - the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  - the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  - where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  - the right to lodge a complaint with a supervisory authority;
  - whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  - the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
- Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
- Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information.
Related cases
Groupe Rossel & Cie, a press group, was found to have unlawfully obtained user consent for the management of non-essential cookies on its websites through the ‘further browsing’ technique, which unlawfully coupled the users' expression of cookie consent with the choice to continue to the website.
The Spanish DPA imposed a fine on the owner of a commercial website for processing personal data without proper consent, using unnecessary third-party cookies that could not be rejected, and failing to provide clear information about the cookies in use in the Cookies policy.
The Spanish DPA found an online clothing store responsible for handling personal data without consent from the people involved, not having a privacy policy in place, and using unnecessary cookies without informing users properly through a cookie banner.
The Spanish DPA imposed a fine on an adult content website for violating data protection regulations. The website was penalised for using cookies without providing adequate information about their nature and purposes, as well as for having an outdated privacy policy that did not comply with the GDPR.
The Spanish Data Protection Authority (DPA) imposed a fine on a website for violating data privacy laws by installing third-party cookies without user consent and failing to provide sufficient information about the purpose of these cookies. Additionally, the website did not offer an option to reject these cookies and continued to use them without consent even after the user had deactivated the option.
The Washpoint SL was fined by the Spanish DPA (AEPD) for two violations: first, the absence of a Privacy Policy on their website; and second, the absence of a reject button on the second layer of their Cookie Policy.
Carrefour France has been fined by CNIL for violating GDPR and French data protection laws, including excessive data retention, unclear data processes, inadequate response to requests, security breaches, and unlawful use of cookies. They also sent prospecting emails despite objections and did not provide unsubscribe links.
The Spanish Data Protection Authority (AEPD) initiated a sanction procedure against Eslora Proyectos, S.L. based on a complaint filed by a Spanish citizen, which alleged that the defendant, the owner of three websites, failed to provide the necessary basic layer information to users regarding the cookies loaded on the websites.
The Belgian Data Protection Authority (APD/GBA) imposed a fine on the defendant for placing cookies without prior consent and for obtaining consent via pre-ticked boxes. Additionally, its policies lacked transparent information on data subjects' rights, how to exercise them, and the legal basis for processing.
ARANOW PACKAGING MACHINERY, S.L. was fined by the AEPD for violations related to its Cookie Policy. The AEPD conducted an investigation that included an examination of the information provided in the Cookie Policy, including details on the use of cookies and the data collected. The AEPD also looked for any mechanism to reject all cookies, but found none.
Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.
Miguel Ibáñez Bezanilla was fined by the Spanish DPA for multiple violations related to his website. These included the absence of a banner on cookies usage, insufficient information on the identity, features, and length of cookies, and the lack of an option to refuse them. The website was found to be technically unsafe, the privacy policy was not updated, and the provided cookie information was inadequate.
Predase Servicios Integrales SL was fined by the Spanish Data Protection Agency (AEPD) for breaching Article 13 of the GDPR. The company was found to be non-compliant as it did not have a privacy policy and failed to provide any information on data processing in the contact section of its website, which required users to provide their personal data.
The Italian DPA fined Douglas for providing a single button to accept the general terms and conditions, privacy policy and cookie policy. Additionally, there was no information about data processing in its privacy policy.
Klarna Bank was fined by the Swedish DPA for insufficiently informing data subjects about its processing activities, including international data transfers, retention periods, data subject rights, and automated decision-making, such as profiling.
Just Landed, a Spanish entity, has been fined by the Spanish DPA for having a privacy policy written only in English and not providing a mechanism to accept, reject or manage cookies.
Iweb Internet Learning, S.L. was fined by the Spanish Data Protection Agency for failing to identify the data controller, not allowing separate consent for each purpose, and providing insufficient information on the use of cookies.
HH Invest SIA, an online store, was fined by the Latvian DPA (Datu valsts inspekcija) for insufficiently informing a data subject about the processing of their data.
The Irish DPC has issued a draft decision against Yahoo for using a cookie banner that lacks an option for users to deny ad tracking, thereby not offering the required free choice.
The Irish DPC held WhatsApp liable for failure to provide non-users with the necessary information and making it difficult to access by excessively spreading it out across several documents.
CNIL found Google liable for providing information in a fragmented and generic manner, and for using pre-ticked boxes for personalization settings of the account.
The Belgian DPA fined the IAB Europe as information provided to the data subjects was too generic and incomplete regarding processing of data or their right to object to it.
The Spanish DPA fined an online genealogy platform for placing unnecessary own and third-party cookies before asking for consent, and for not offering sufficient information about cookies in the banner and in its privacy policy.
The DPA imposed a fine on a website because the web pages where personal data are requested do not provide information on the company’s privacy policy.
The Norwegian DPA held the controller liable for processing a data subject's personal data for direct marketing purposes despite the data subject having previously objected to such processing.
The company was held liable for insufficient clarity in information, and the absence of a clear cookie policy or consent for the use of cookies.