Facts
A data subject (hereinafter also "the complainant") asked the reprimanded website operator by e-mail to provide him with information about the recipients of his personal data and the legal grounds justifying the disclosure of his data to them. Furthermore, the data subject asked the website operator ("the company") to provide him with a copy of the data conveyed to third parties and subsequently to delete it from the website operator's and its partners' databases.
The website operator refused to fulfil the data subject's request, stating that it did not process information that would allow it to identify him. According to the company, the data subject's IP address and artificially attributed cookie ID did not fall under the definition of personal data pursuant to Article 4 (1) GDPR. The complainant was only informed about how he could delete cookies from his browser.
The website operator stressed that it complied with the requirements for the use of cookies stipulated in the national law. According to the company, the applicant consented to have cookies implemented on his device using the software settings. The website operator acknowledged that it handed the data subject's IP address and cookie ID to its partners.
The data subject was dissatisfied with the company's response and decided to lodge a complaint with the Polish DPA.
The Polish DPA's decision
The Polish DPA recalled that information associated with a person, even indirectly, carries a specific message about him and constitutes "personal data" under GDPR. The possibility of connecting information related to objects or devices owned by a given person allows that person to be identified indirectly. According to the Polish DPA, if an IP address is assigned for an extended time or permanently to a particular device, and that device is assigned to a specific user, it should be considered personal data pertaining to a particular individual. Thus the complainant's IP address and cookie ID constitute personal data under GDPR.
The Polish DPA also criticized the website operator for the mechanism it used to collect visitors' consent. Consent expressed through the data subject's internet browser is invalid since it was not affirmative. The authority also determined that the website visitors' data was disclosed to third parties before the data subject was informed about the cookies' installation. Furthermore, the privacy policy used by the website operator did not include complete information regarding the data transfer to its partners.
Thus the Polish DPA concluded that the website operator violated GDPR as it had no legal basis for processing the data subject's IP address and cookie ID. Consequently, the Polish DPA ordered the company to erase data subjects' personal data. The Polish DPA acknowledged that a copy of the cookie ID should be provided to the data subject at his request but did not order the company to do so since the personal data had ceased to be in the possession of the company.
Comment
The Polish DPA recognized that data subjects are entitled to receive a copy of their internet trackers, since they constitute their data. The discussed decision signals a significant change in the enforcement strategy of the Polish DPA, which until recently seemed to be avoiding adjudicating cases concerning the processing of personal data in the digital environment.
The Polish DPA has yet to rule on the rationale of NOYB's complaints regarding cookie banners. We are bound to see more decisions concerning internet trackers issued by the Polish DPA in the near future.
Article provided by INPLP member: Xawery Konarski (Traple Konarski Podrecki & Partners, Poland)
Co-Author: Mateusz Kupiec
Dr. Tobias Höllwarth (Managing Director INPLP)