After conducting a formal proceeding, on 7 October 2021 the Polish Data Protection Authority ("DPA") issued a decision (number: ZSPR.440.331.2019.PR.PAM) towards one of the largest online media provider in Poland. The decision is a result of a proceeding launched by the DPA after a formal complaint was made against the online media provider by one of its readers.
The company, being a "controller" in the meaning of article 4 (7) of the GDPR, collected the reader's personal data, stored in cookies, using the device owned by the reader, in connection with browsing the company's website providing news and other information. These data were saved automatically once the reader visited the website.
In mid-2018 the reader asked the company for a copy of the reader's data, along with the following information: (i) what categories of data is processed by the company, (ii) what are the legal grounds and purposes of the processing in the context of cookie files, (iii) what are the sources of data, (iv) who are so-called "data recipients" of the readers' data, (v) information about profiling and automated decision making in light of the content displayed to the complainant based on its personal data, as well as (vi) what "marketing categories" (behavioral profile) was assigned to the complainant based on cookie files. The request of the reader and the issued decision were based on article 15(1) of the GDPR. Under this provision, the reader shall have the right to obtain from the controller (the company) confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and some other information mentioned in this provision of the GDPR.
The company verified the reader's identity and provided the reader with the following information:
- company's details, purposes of processing of data i.e. providing an access to the website, services and applications offered by the company, identifying and prevention of network abuse, analytics and matching the ads that are displayed to the reader;
- sources of the reader's data (the user itself and the user's device);
- categories of the processed data: identifiers stored in cookies technology,
- data recipients,
- data retention periods applicable to the reader's data,
- information about rights arising from the GDPR,
- information about profiling, including about automated decision making. The company confirmed that in its view, no such processing took place, and
- transferring the reader's data to third countries.
After the reader received a response from the company, the reader questioned the completeness of the above information and submitted its request to the controller once again. In the re-submitted request, the reader demanded from the company information in scope of data related to marketing categories (behavioral profile) that was connected to the reader based on cookie files, as well as information about other data connected with the reader and related to cookie files. As a response to the re-submitted request, the company argued that all the requested information was already provided to the reader. Afterwards the reader complained to the DPA arguing that the company did not provide him/her with all of the requested data.
After reviewing the case, the authority issued its decision ordering the company to provide the complainant (the reader) with information about marketing categories (behavioral profile) assigned to the complainant based on cookie files, as well as indicate what information related to the complainant were connected to the information arising from cookie files.
The Polish DPA underlined in its decision that article 15 (1) of the GDPR does not limit the amount of information that shall be provided to the "data subject" (the reader in our case) within the access right nor it limits the number of access requests that can be submitted to the controller (company) from a data subject. In view of the authority, behavioral profile is created by matching the internet ads to personal interests of the data subject and such process is based on the data subject behavior. Collecting of such information by the company, in view of the authority, is part of the profiling, whereas main purpose of such profiling is matching relevant ads to the right readers. The profiling is based on inference about the expected features of the media reader.
Further, what seems to be crucial in this matter from the perspective of the controller (company), when fulfilling the access right based on article 15 (1)of the GDPR, the company should take into consideration and apply article 12 and article 5 (1)(a) of the GDPR: the principle of fairness and transparency. According to article 5(1)(1) of the GDPR, personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. As stated by the DPA, the lack of a uniform, transparent and reliable position of the controller as to the content of the processed data, in particular what marketing categories (behavioral profile) have been assigned to the reader based on cookies and with what other information about a specific person the information resulting from these files has been combined, creates uncertainty on the side of the reader.
Further, the DPA is of the view that the controller, within the information provided to the complainant, should describe in detail the behavioral profile of the reader, created by the company, including it should describe in detail the marketing categories that were assigned to the complainant. If the company does not process the reader's personal data in this way, it should clearly inform the reader, together with an indication of how its personal data obtained in the form of identifiers saved in cookie technology are processed and what the processing of the reader's personal data consists of in order to adjust the display of online advertising.
While the decision was not published by the Polish Data Protection Authority, the author received it based on freedom of information law and would be happy to share its full content by email (Marcin.Lewoszewski@KLMAW.PL).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.