The processing of personal data must be carried out in accordance with the principle of lawfulness, and therefore every processing operation must have a relevant legal basis. One of the legal bases that allows the processing of personal data of data subjects is the consent given by the data subject themselves. However, consent as a legal basis must also comply with other principles of personal data processing (e.g., transparency of processing) in order to be considered relevant and applicable. But what if the basic conditions are not met?

The Office for Personal Data Protection of the Slovak Republic, as the supervisory authority, carried out an inspection of the personal data processing by the controller in accordance with the relevant provisions of Act No. 18/2018 Coll. on personal data protection and on amendments to certain acts (hereinafter referred to as "Act No. 18/2018 Coll."). Based on the results of the inspection, violations of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR") were found, specifically a violation of the principle of transparency by the controller.
The principle of transparency under Article 5(1)(a) of the GDPR was breached in that, in the section where the data subject expresses "consent to receiving information about products and news" and "consent to the processing of personal data," consent was pre-selected in the "yes" box without reference to further information on the processing of personal data, and therefore it was not clear to the data subject for what purpose they were giving their consent. A pre-ticked box with the consent of the data subject does not express the free will required for consent.
Under the GDPR, consent to the processing of personal data must be freely given, specific, informed, and unambiguous. Specific consent means that the data subject must be able to understand, from the controller's explanation, the purpose for which the personal data are provided and the extent to which they will be processed. Consent must also be informed. For the controller, this means an obligation to provide the data subject with basic and concise information regarding the purpose and manner of processing their personal data. This brief description may include the type of data, the purpose of the processing, information that the data subject may withdraw their consent at any time, the period for which the data will be stored, and the risks that may arise during the transfer of the data, if this occurs. The controller should summarize this basic information as clearly as possible. Another condition is that consent must be unambiguous. This means that there must be no doubt about the consent given. At the same time, the granting of consent must reflect a free expression of will. Only an expression of will in which the data subject has a choice is considered a free expression of will. If the data subject has no choice, we assume that such an expression of will is invalid.
The controller also violated Article 12(1)(a) and Article 13(1) and (2) of the GDPR because, when requesting "consent to send information about products and news," it did not provide the data subjects with the information that should be provided when obtaining their personal data. None of the consents referred to other information relating to the protection of personal data. It was therefore not clear to the data subject for what purpose they were giving their consent. It should be transparent to data subjects that personal data relating to them are being collected, used, consulted or otherwise processed, as well as the extent to which such personal data are or will be processed. The principle of transparency requires that all information and communication relating to the processing of personal data be easily accessible and understandable. This principle applies in particular to information for data subjects about the identity of the controller and the purposes of the processing, as well as other information to ensure fair and transparent processing. Data subjects should be informed of the risks, rules, safeguards, and rights relating to the processing of personal data, as well as how to exercise their rights in relation to the processing. The specific purposes for which personal data are processed should be explicitly stated, legitimate, and determined at the time of collection (i.e. before the processing itself). With regard to the infringement in question, the controller argued that in this specific case, the data subjects were persons who had the foreseeable intellectual capacity to assess the available information relating to the processing of personal data and that it had therefore complied with the requirement to provide easily accessible, understandable, clear and simple information.
However, this statement is contrary to the principles of prevention and legitimate expectations.
In its statement, the controller stated that, following the findings of the authority, it had immediately taken corrective measures to ensure that the processing of personal data was lawful, fair and transparent. The Office considered it a mitigating circumstance that the infringement was not found to be intentional. Similarly, the controller took corrective action during the inspection.
The Office for Personal Data Protection decided to impose a fine on the controller with regard to the infringement of the principle of transparency under Article 5(1)(a) of the GDPR, which it treated as the most serious of the infringements found, since transparency, alongside lawfulness and fairness of processing, is one of the most important principles of personal data protection. The controller has remedied the identified shortcomings and the website is now set up in accordance with the GDPR. Specifically, the box "I agree to the processing of personal data" has been replaced by the text "I declare that I have read the terms and conditions and the personal data processing policy", which links to the document "Terms and conditions of the controller". In the section "Personal Data Processing Policy", the controller has modified the information obligation to include all mandatory information for data subjects.