Polish DPA says data subjects have the right to be informed about their behavioral profile

Hogan Lovells

In a recent decision, the Polish Data Protection Authority ordered an online platform owner to inform the complainant (a platform user) about her behavioral profile which was assigned to her based on cookie files and to indicate which personal data was combined with information stemming from cookies.

Background

A representative of the Panoptykon Foundation, an organization established by a group of lawyers to protect freedom and human rights against threats resulting from surveillance practices, filed a complaint with the Polish Data Protection Authority (DPA) against one of the major online platforms in Poland. According to the complainant, the online platform failed to provide her with access to certain information under Article 15 sec. 1 GDPR, including the behavioral profile assigned to her based on cookies used by the online platform, and to indicate which personal data was combined with information stemming from those cookies.

The online platform explained that it obtained the complainant’s personal data, contained in cookies, through the end-device used by the complainant. The data on her device was recorded automatically while she browsed the website. The personal data of the complainant was used by the online platform to provide her with access to the platform, websites, and apps, as well as to pursue the platform’s legitimate interests in detecting and preventing abuse in the telecoms network, for analytical purposes, and to profile ads.

Further, the online platform explained that it does not share cookies with third parties but allows those entities to embed cookies in its domain by providing them with specific functionalities. Embedded cookie files constitute an internal mechanism of those entities and are under their control. The platform argued that it does not have access to the contents of the cookies used by the third parties.

The Main Conclusions of the Decision

The DPA found that the online platform failed to provide the complainant with all requested information according to Article 15 sec. 1 GDPR. The online platform should have provided the user with the marketing categories (behavioral profile) which were assigned to her based on cookies and should have indicated which personal data was combined with information stemming from cookies. The DPA concluded that the online platform used the personal data of the complainant in order to create her behavioral profile to personalize ads on the platform. Therefore, the online platform owner (the controller of such personal data) should have fulfilled the information obligation towards the platform user. The DPA stressed the importance of the rule of transparency stemming from Article 12 sec. 1 GDPR.

In the matter at hand, the online platform should provide the user with a detailed description of her behavioral profile. If the online platform does not create a behavioral profile based on the cookies obtained to display ads tailored to the user’s needs, it should clearly inform the complainant of this, indicate how her personal data obtained in the form of identifiers saved in cookies is processed, and explain the nature of the data processing as regards ad matching. The platform should also indicate the rules on how her behavioral profile is created by third parties (the platform’s partners) by using scripts embedded on the websites in the platform's domain.

Comments

According to the information disclosed on the Panoptykon Foundation’s website, the platform owner did not challenge the decision. However, it stated that it cannot provide the complainant with her marketing profile because it does not have access to such profiles. The platform owner claims that those profiles are created by third parties, namely companies from the advertising industry, from the data obtained by the platform’s websites. The platform has access only to aggregated profiles of a specific group of users.

The proceedings before the DPA are part of the wide-ranging activities of the Panoptykon Foundation and other similar organizations against the use of cookies. It should be noted that in an initial decision, the Belgian DPA, which is dealing with a complaint against IAB Europe concerning the use of pop-ups forcing users to grant their consent to the use of cookies, concluded that such a practice violates the provisions of the GDPR.

Although the decision of the DPA concerns the online advertising industry, it may have an impact on other profiling practices, e.g. those pursued by banks or insurers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
