Posted on by stefan

publishable_cz_2019-07_lawfulnessoftheprocessing_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Violation of Article 24(1)

Background information
Date of final decision: 11 July 2019
LSA: CZ
CSAs: All
Legal Reference: Principles relating to processing of personal data (Article 5); Lawfulness of the processing (Article 6); Responsibility of the controller (Article 24)

Decision: Violation
Key words: Concept of personal data, Accountability, Consumers

Summary of the Decision

Origin of the case
A complaint was filed with the Dutch SA concerning the processing of personal data of the users of the antivirus software provided by the controller, and specifically the protection granted to users of the free version of the software compared to that granted to the paying users.

Findings
In its inspection report, the LSA concluded that the inspected party failed to comply with Articles 5(2) and 24(1) GDPR, which was interpreted as the obligation to take into account all relevant circumstances surrounding the processing and to adopt a set of measures to ensure that all personal data processing is carried out exclusively under pre-defined conditions that the controller is able to regularly check and enforce. This stemmed from the conclusion that the inspected party, despite its assertions to the contrary, was indeed processing personal data (e.g. IP addresses), based on the Court of Justice case law, and was acting as a data controller.
The controller filed several objections to the inspection report, arguing inter alia that no processing of personal data was involved, that it was not to be universally considered as a data controller, and that sufficient information to properly show compliance with Articles 5(2) and 24(1) GDPR was provided.
The last objection was partially accommodated by the LSA, which concluded that only an infringement of Article 24(1) GDPR had been ascertained, whereas no specific breach of Article 5(2) followed from the documentation.

Decision
The controller was found to have violated Article 24(1) GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cz_2019-07_lawfulnessoftheprocessing_summarypublic.pdf

Please see also EDPB Copyright page