Vienna-based company fined for unlawful data collection and processing under GDPR

A Vienna-based company incurred a GDPR fine of €2 million for the unlawful collection and processing of user data.

A GDPR fine of €2 million was recently imposed on the Vienna-based loyalty programme operator Unser Ö-Bonus Club GmbH for unlawfully processing user data. The company was found to have collected user data without sufficiently informing users of the intended use of that data. Data subjects whose personal data is processed must be specifically informed of the intended use of their data and must be allowed to opt out of the arrangement if they choose to. According to this latest decision by the Austrian Data Protection Authority, businesses that let users accept a privacy policy without giving them an adequate opportunity to read and understand it first are liable to be fined. It should also be noted that users should be asked whether they have read and understood the privacy policy rather than prompted to 'accept' it: a privacy notice is information, not an agreement, and acceptance is only meaningful where the lawful basis for the processing is consent.

While the company provided users with a privacy policy, it was placed where users were unlikely to read it and therefore could not adequately inform them.

Unser Ö-Bonus Club GmbH was found to have collected user data through its registration form, to have created user profiles from this data, and to have passed the data on to advertising partners for marketing purposes. While new users were provided with a privacy policy, it was found to have been improperly placed relative to the point at which users gave consent when signing up: the yes/no consent option appeared first, and users would have had to scroll past it to reach the privacy policy below. The format was therefore not considered capable of adequately informing users of the terms under which their data would be used.

The Vienna-based company was found to have violated several GDPR provisions.

Unser Ö-Bonus Club GmbH was found to have committed a number of violations, including unlawful collection of user data, failure to obtain valid consent, unlawful processing of personal data to profile consumers, and continuation of the violations after admitting them. The violations concern Articles 6, 7, 12 and 13 of the GDPR. Under Article 6, personal data may only be processed where there is a lawful basis for the processing and its purposes. Under Article 7, a company relying on consent must be able to demonstrate, whenever required, that it obtained consent for the specific purposes for which the data was collected. Articles 12 and 13 further require that information about the processing be provided at the point of collection, in a concise, transparent and intelligible form, and that nothing about the handling of their data be hidden from users.

The company incurred a heavier fine because it continued to use the unlawfully collected data after admitting the violations.

After admitting the violations during the investigation, the company continued to handle the data it had unlawfully collected. Although it amended the registration form, it continued to use the personal data collected through the previous form, which had been deemed inadequate. The company blamed the Austrian Data Protection Authority for not telling it that continued use of that data was also unlawful. The Authority nevertheless concluded that an additional fine applied for that violation, bringing the total to €2 million.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Fine imposed by CNIL for failing to comply with retention periods and transparency duties under GDPR

A recent fine of €1.75 million imposed by CNIL, the French data protection authority, relates to two GDPR violations by SGAM AG2R LA MONDIALE.

A recent fine imposed by CNIL on the mutual insurance group SGAM AG2R LA MONDIALE for GDPR violations will cost the company €1.75 million. The company was found to have kept customer personal data beyond the retention period permitted under the GDPR. In addition, customers contacted by the company by phone were not given key information required under the GDPR. CNIL also decided to make its decision public, while noting that the company has since taken measures to achieve compliance.

SGAM AG2R LA MONDIALE was found to have kept customer data for years after those customers had last been in contact with the company.

Following an inspection by CNIL, the insurance group was found to have violated Article 5(1)(e) of the GDPR (the storage limitation principle) by failing to limit the retention period of customer data. No system had been implemented to ensure that customer data was not kept beyond the maximum permitted retention period, and as a result the company's records contained data on almost 2,000 customers who had not been in contact with the company in three to five years. There was also a group of over 2 million customers whose personal data, including sensitive health and financial details, was kept beyond the retention period permitted after the end of a contract.

The fine imposed by CNIL included a violation of Articles 13 and 14 of the GDPR. 

Articles 13 and 14 of the GDPR set out the information that must be provided to data subjects when personal data is collected from them (Article 13) and when it has been obtained from another source (Article 14). SGAM AG2R LA MONDIALE used a subcontractor to contact data subjects by phone on its behalf. The investigation revealed that the information the subcontractor gave data subjects did not include all the elements required under the GDPR: they were not given sufficient information about the processing of their personal data or about their rights, and they were not offered a way to access more comprehensive information, whether by email or by pressing a key on their phone.

A fine of €1.75 million has been imposed on the company, which has since taken measures to achieve compliance.

CNIL decided to impose a total fine of €1,750,000 on SGAM AG2R LA MONDIALE and to make the decision public. There is no indication that the mutual insurance group has contested the fine. The company has in fact taken measures to bring itself into compliance with Articles 5(1)(e), 13 and 14 of the GDPR, and CNIL's restricted committee has taken note of the measures adopted concerning the limitation of retention periods and the information provided to data subjects.


TikTok fined by Dutch DPA for failure to provide translated information to users

The video-sharing social networking app TikTok was recently fined by the Dutch DPA, according to this report from the EDPB. During an investigation into apps commonly used by minors, it was found that the information provided when installing the app, including the privacy policy, was available only in English. By not providing this information in Dutch, TikTok failed to give Dutch-speaking users clear and comprehensible information about what happens to their personal data, which is in itself a violation of their privacy rights. TikTok was fined €750,000 and has objected to the fine.

TikTok, fined by the Dutch DPA, is now under investigation by the Irish DPA after establishing its EU headquarters in Ireland.

This initial fine was imposed by the Dutch DPA, and rightly so, because at the time TikTok had no establishment in the EU; the company has since set up its EU headquarters in Ireland. The initial fine could have been imposed by the supervisory authority of any EU member state, but any subsequent investigations must be handled by the Irish Data Protection Commission as lead supervisory authority. The Dutch DPA could therefore only assess the privacy statement violation, which had ended by the time the Irish headquarters was established. When a company has no establishment in the EU, the supervisory authority of any member state in which it operates can oversee its activities; once it has an EU establishment, that responsibility falls on the authority of the member state where its main establishment is located, under the GDPR's one-stop-shop mechanism.

TikTok has made changes to its app to make it safer for child users.

Since last October, when the Dutch DPA shared the results of its investigation with TikTok, a number of changes have been made to protect users under 16 while they use the app. These changes are not foolproof, since children can still pretend to be older by registering with false information, but the DPA welcomes the adjustments TikTok has made to reduce the risk to child users. Parents can now manage their children's accounts through their own accounts via the 'Family Pairing' feature. This will not stop children putting themselves at risk by lying about their age, but it gives parents the ability to monitor their children's accounts and provides them with greater protection.


LinkedIn users’ data for sale on hacking forum – 700 million affected

The details of 700 million LinkedIn users were recently posted for sale on a notorious hacking forum. 

The details of 700 million LinkedIn users were recently posted for sale on a popular hacking forum. Last month, a user put the data up for sale on RaidForums, where it was spotted by the news site Privacy Sharks. The seller provided a sample of 1 million records, which Privacy Sharks examined and found to be genuine; the records included names, gender, phone numbers, email addresses and work information. This is the second instance this year of LinkedIn user information being scraped and posted for sale online: in April, a similar incident affected 500 million LinkedIn users.

LinkedIn's investigation found that the data was scraped from LinkedIn as well as from other sources.

LinkedIn maintains that this compilation of information on 700 million users was not the result of a data breach and that the information is all publicly available; the company reports that no private LinkedIn member data was exposed. Its initial analysis in the ongoing investigation found that the data includes information scraped from LinkedIn as well as from other sources. In a statement, LinkedIn said it had determined that the information posted for sale was "an aggregation of data from a number of websites and companies." The company also states that scraping and other misuse of members' data violates its terms of service, and that it will work to stop any entities misusing LinkedIn members' data and hold them accountable.

LinkedIn has previously taken legal action over data scraping that violated its terms of service.

While no one has been named as responsible in this case, LinkedIn has been in a multi-year legal battle over data scraping to protect its user data and enforce its terms of service. The dispute with the data analytics company hiQ Labs began in 2017, when LinkedIn served hiQ with a cease-and-desist letter for using automated bots to scrape information from public LinkedIn profiles, claiming this violated its terms of service, and hiQ went to court to be allowed to keep scraping. In September 2019 the United States Court of Appeals for the Ninth Circuit ruled in hiQ's favour, holding that scraping publicly available profile data likely did not violate the Computer Fraud and Abuse Act; the information was public and was being collected by the analytics company. LinkedIn appealed to the Supreme Court, which last month vacated the Ninth Circuit's ruling and sent the case back, giving LinkedIn another opportunity to argue its case before the Ninth Circuit. No statement has been made as to whether legal action will also be taken in this instance.
