Definition
Requires personal data to be processed lawfully, fairly, and transparently.
Excerpt
- Personal data shall be:
  - processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  - collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  - adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  - accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  - kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  - processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Related cases
Emailmovers Limited's privacy policy was not specific enough and did not clearly name third-party recipients. The company, which deployed the deceptive pattern of hidden and misleading information, was found to have no clear lawful basis for holding individuals' personal data for its email data and marketing service, violating the principles of lawfulness, fairness, and transparency.
The Belgian DPA fined a private company whose marketing targeted pregnant women. Through its marketing campaign, the company collected personal data without clearly informing data subjects about the processing. Even after withdrawing consent, the complainant was contacted by third parties for their promotions; the company had made it technically difficult to withdraw consent and to stop receiving unwanted phone calls from the defendant's partners.
The Belgian DPA fined Roularta for several violations regarding the use of cookies, such as placing unnecessary cookies, placing statistical cookies without obtaining consent, using pre-ticked boxes to grant consent for cookies from partners, providing false and inadequate information in its privacy policy, and making it impossible to revoke consent.
Carrefour France has been fined by CNIL for violating GDPR and French data protection laws, including excessive data retention, unclear data processes, inadequate response to requests, security breaches, and unlawful use of cookies. They also sent prospecting emails despite objections and did not provide unsubscribe links.
A controller was fined by the AEPD for inadequate cookie information on its website, including a lack of information on tracking cookies and a vague cookie policy without an easy uninstall tool.
Banco Bilbao Vizcaya Argentaria, SA was fined by the Spanish Data Protection Authority (AEPD) for issues related to imprecise terminology, vague formulations, the absence of the option to refuse in the privacy policy, and the use of pre-ticked checkboxes to obtain consent.
Wind Tre was fined by the Garante for not allowing customers to withdraw consent or object to marketing data processing, lacking transparency in its data information, using a single button for multiple consents, using small print and bundled consents, and conducting unlawful data collection and unauthorised marketing.
The Italian DPA fined Douglas for providing a single button to accept the general terms and conditions, privacy policy and cookie policy. Additionally, there was no information about data processing in its privacy policy.
Klarna Bank was fined by the Swedish DPA for insufficiently informing data subjects about its processing activities, including international data transfers, retention periods, data subject rights, and automated decision-making, such as profiling.
The Hungarian DPA fined a hotel booking service for sending direct marketing emails without a valid legal basis, for not obtaining separate consent for specific purposes, and for not expressly mentioning the data processing purposes in its privacy policy.
The Danish DPA found Den Blå Avis at fault for using a single 'accept' button for processing data for different purposes, disclosing data to third parties without sufficient notice, and not providing a link or menu for the purpose of data sharing.
The Irish DPC has issued a draft decision against Yahoo for using a cookie banner that lacked an option for users to deny ad tracking, thereby not offering the required free choice.
The Irish DPC held WhatsApp liable for failure to provide non-users with the necessary information and making it difficult to access by excessively spreading it out across several documents.
The Danish DPA expressed criticism against a controller for using multiple layers to collect consent, not providing adequate information and using colors (greyed options) to influence user choice.
The EDPB fined Meta for failing to provide contact information for data processing on children’s business accounts and for using ‘public by default’ settings for child users.
The DPA imposed a fine on a website operator because the web pages where personal data are requested did not provide information on the company’s privacy policy.
The Belgian DPA issued a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse cookies that are not strictly necessary.
The company was held liable for insufficient clarity in information, and the absence of a clear cookie policy or consent for the use of cookies.
The Italian DPA found Ediscom guilty of using misleading interfaces and unclear submission procedures, such as prompting users to provide consent for marketing despite their having already denied it.
TikTok was held liable for nudging children towards privacy-intrusive settings using bold text in two pop-up notifications, hindering neutral and objective choices.