Skip to main content

The Polish DPA rules about the right to access the personal data contained in trackers

|

The Polish DPA (the President of the Personal Data Protection Office, further as "the Polish DPA") has reprimanded a webiste operator for infringing article 6(1), article 15 (1) and article 15 (3) GDPR. The Polish DPA also ordered the webiste operator to erase data subject’s IP adress and artificially attributed cookie id.

Facts

A data subject (further also "the complainant") requested the reprimanded website operator via e-mail to provide him with information about the recipients of his personal data and the legal grounds justifying disclosure of his data to them. Furthermore, the data subject asked the website operator ("the company") to provide him with the copy of data conveyed to third parties and subsequently delete it from the website operator and its partners' databases.

The website operator refused to fulfil the data subject's request stating that it does not process information that would allow it to identify him. According to the company, the data subject's IP address and artificially attributed cookie ID did not fall under the definition of personal data pursuant to Article 4 (1) GDPR. The complainant was only informed about how he could delete cookies from its browser.

The website operator stressed that it complied with the requirements for the use of cookies stipulated in the national law. According to the company, the applicant consented to have cookies implemented on his device using the software settings. The website operator acknowledged that it handed the data subject's IP address and cookie ID to its partners.

The data subject was dissatisfied with the company's response and decided to complain with the Polish DPA.

 

The Polish DPA's decision

The Polish DPA reminded that information associated with a person - even indirectly - carries a specific message about him and constitutes "personal data" under GDPR. The possibility to connect the information related to the objects or devices owned by a given person indirectly allow us to identify them. According to the Polish DPA, if an IP address is assigned for an extended time or permanently to a particular device, and that device is assigned to a specific user, it should be considered personal data pertaining to a particular individual. Thus the complainant's IP address and cookie ID constitute personal data under GDPR.

The Polish DPA also criticized the website operator for the mechanism is used to collect the visitors' consents. The data subject's consent through their internet browsers is invalid since it was not affirmative. The authority also determined that the website visitors' data was disclosed to the third parties before the data subject was informed about the cookies' installation. Furthermore, The privacy policy used by the website operator did not include the complete information regarding the data transfer to ist partners.

Thus the Polish DPA concluded that the website operator violated GDPR as it had no legal basis for processing the data subject's IP address and cookie ID. Consequently, the Polish DPA ordered the company to erase data subjects' personal data. The Polish DPA acknowledged that the copy of the cookies id should be provided to the data subject at his request but did not order the company to do so since the personal data ceased to be in possession of the company.

 

Comment

The Polish DPA recognized that the data subjects are entitled to receive a copy of their internet trackers. Since they constitute their data, The discussed decision signals a significant change in the enforcement strategy of the Polish DPA that until recently seemed to be avoiding adjudicating cases concerning processing of the personal data in the digital environment.

The Polish DPA is still to rule about the rationale of the NOYB's complaints regarding cookie banners. We are bound to see more decisions concerning internet trackers issued by the Polish DPA in the nearest future.

 

Article provided by INPLP member: Xawery Konarski (Traple Konarski Podrecki & Partners, Poland)

Co-Author: Mateusz Kupiec

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

 

 

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}