The processing of personal data must be carried out in accordance with the principle of lawfulness; therefore, every processing operation must have a relevant legal basis. One of the legal bases that allows for the processing of data subjects’ personal data is consent, which is given by the data subject themselves. However, consent as a legal basis must also comply with other principles of personal data processing (e.g., transparency of processing) to be considered valid and applicable. But what if the basic conditions are not met?
The Office for Personal Data Protection of the Slovak Republic, acting as the supervisory authority, conducted an inspection of the controller’s processing of personal data in accordance with the relevant provisions of Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts (hereinafter “Act No. 18/2018 Coll.”). Based on the results of the inspection, violations were found of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “GDPR”)—specifically, a violation of the principle of transparency by the controller.
The violation of the principle of transparency under Article 5(1)(a) of the GDPR occurred because, in the section where the data subject expresses “consent to receiving information about products and news” and “consent to the processing of personal data,” the consent was pre-checked in the “yes” box without any reference to further information regarding the processing of personal data; thus, it was not clear to the data subject for what purpose they were providing consent. Such a pre-checked consent box does not constitute an expression of free will, which is required for consent.
Based on the GDPR, consent to the processing of personal data must be free, specific, informed, and unambiguous. Specific consent means that the data subject must be able to clearly understand, from the controller’s explanation, the purpose for which they are providing personal data, as well as the scope within which such data will subsequently be processed. Another requirement for consent is that it must be informed. For the controller, this means the obligation to provide basic and concise information to the data subject regarding the purpose and manner of processing their personal data. This brief description should include the type of data, the purpose of processing, information that the data subject may withdraw their consent at any time, the data retention period, as well as the risks that may arise during data transfer, if such transfer occurs. The controller should summarize this basic information as clearly as possible. Another condition is that consent must be unambiguous. This means that there must be no doubt regarding the consent given. At the same time, the granting of consent must reflect a free expression of will. Only an expression in which the data subject has a choice is considered a free expression of will. If the data subject has no choice, we assume that such an expression of will is invalid.
The controller also violated Article 12(1)(a) and Article 13(1) and (2) of the GDPR because, when requesting “consent to send information about products and news,” it failed to provide data subjects with the information that must be provided when collecting their personal data. Neither consent form included a reference to other information regarding personal data protection. It was therefore not clearly evident to the data subject for what purpose they were giving their consent. It should be transparent to data subjects that personal data concerning them is being collected, used, consulted, or otherwise processed, as well as the extent to which such personal data is or will be processed. The principle of transparency requires that all information and communication related to the processing of personal data be easily accessible and understandable. This principle applies in particular to information provided to data subjects regarding the identity of the controller and the purposes of the processing, as well as other information to ensure fair and transparent processing. Data subjects should be made aware of the risks, rules, safeguards, and rights regarding the processing of personal data, as well as how to exercise their rights in relation to such processing. The specific purposes for which personal data are processed should be explicitly stated, legitimate, and determined at the time of collection of the personal data (i.e., prior to the actual processing). With regard to the infringement in question, the controller argued that in this specific case the data subjects could reasonably be expected to be capable of assessing the available information regarding the processing of personal data, and that the requirement for information that is easily accessible, understandable, and clearly and simply formulated had therefore been met on its part. However, this statement is contrary to the principle of prevention and the principle of legitimate expectations.
In its statement, the controller indicated that, following the Authority’s findings, it immediately implemented corrective measures to ensure that the processing of personal data was lawful, fair, and transparent. The Office considered as a mitigating circumstance that no intentional nature of the violation was found. Likewise, the controller took steps to remedy the situation during the inspection.
Given the violation of the principle of transparency under Article 5(1)(a) of the GDPR—as the more serious of the identified violations, since transparency, alongside the lawfulness and fairness of processing, represents one of the most important principles of personal data protection—the Office for Personal Data Protection decided to impose a fine on the controller. The controller has rectified the identified deficiencies, and the website is now configured in accordance with the GDPR; specifically, the checkbox “I consent to the processing of personal data” has been replaced with the text “I declare that I have read the terms and conditions and the personal data processing policy,” which includes a link to the document “Operator’s Terms and Conditions.” In the section “Personal Data Processing Policy,” the controller has amended the information obligation to ensure it contains all mandatory information for data subjects.
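The conditions listed above (free, specific, informed, unambiguous) and the remedy applied to the website translate into a small set of checks a developer can run over a consent form before it goes live, and into a rule for when a consent record may be stored at all. The following is an added example written for this page; it is not code from the decision, from the Office, or from the controller's website. It models a consent request as a plain object, flags the arrangement the Office objected to (a pre-checked box with no reference to further information), and only produces a consent record when the request is free of defects and the data subject has actively ticked the box. The field names (`defaultChecked`, `infoLink`, `requiredForService`), the example URL and the two sample form definitions are constructed for illustration.

```javascript
// Added example: audit of a consent request and recording of consent,
// checked against the conditions named in the decision. All field names
// and sample data are constructed; nothing here is taken from the
// controller's actual form.

// Returns the list of defects found in a consent request. An empty list
// means the request can be used to obtain valid consent.
function auditConsentRequest(req) {
  const defects = [];
  // Unambiguous: a box that is already ticked is not an affirmative act
  // by the data subject, so a pre-checked default is a defect.
  if (req.defaultChecked === true) defects.push("pre-checked");
  // Specific: the purpose must be stated on the request itself.
  if (typeof req.purpose !== "string" || req.purpose.trim() === "") {
    defects.push("no-purpose");
  }
  // Informed: the request must reference the full processing information
  // (type of data, retention period, right to withdraw, transfers).
  if (!req.infoLink) defects.push("no-information-link");
  // Free: consent to marketing must not be a precondition of the service.
  if (req.requiredForService === true) defects.push("not-freely-given");
  return defects;
}

// Audits every request on a form; returns a map of request id -> defects,
// listing only the requests that have at least one defect.
function auditForm(requests) {
  const report = {};
  for (const req of requests) {
    const defects = auditConsentRequest(req);
    if (defects.length > 0) report[req.id] = defects;
  }
  return report;
}

// Produces a consent record only if the request is valid and the data
// subject actively ticked the box. `submitted.checked` is the state of
// the box at submission time; `now` is injectable for testing.
function recordConsent(req, submitted, now = new Date()) {
  const defects = auditConsentRequest(req);
  if (defects.length > 0) {
    return { ok: false, reason: "invalid-request", defects };
  }
  if (submitted.checked !== true) {
    return { ok: false, reason: "no-affirmative-act", defects: [] };
  }
  return {
    ok: true,
    record: {
      purpose: req.purpose,
      infoLink: req.infoLink,
      infoVersion: req.infoVersion, // which version of the policy was shown
      givenAt: now.toISOString(),
      withdrawable: true, // the subject may withdraw at any time
    },
  };
}

// Constructed sample: the arrangement the Office found defective, modelled
// as a form definition (pre-checked, no link to further information).
const preCheckedMarketing = {
  id: "marketing",
  purpose: "receiving information about products and news",
  defaultChecked: true,
  infoLink: null,
  requiredForService: false,
};

// Constructed sample: an unchecked, single-purpose request that links to
// the processing policy. The URL and version label are placeholders.
const compliantMarketing = {
  id: "marketing",
  purpose: "receiving information about products and news",
  defaultChecked: false,
  infoLink: "https://example.invalid/personal-data-processing-policy",
  infoVersion: "policy-v1 (placeholder)",
  requiredForService: false,
};

// Stand-alone demonstration of the audit and of both recording outcomes.
console.log(auditForm([preCheckedMarketing]));
console.log(recordConsent(preCheckedMarketing, { checked: true }));
console.log(recordConsent(compliantMarketing, { checked: true }));
```

The audit runs on the form definition, so it can be wired into a build or review step and fail before a pre-checked box ever reaches a data subject; `recordConsent` is the server-side counterpart that refuses to store consent that was not actually given.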