A data subject (hereinafter also "the complainant") asked the reprimanded website operator via e-mail to provide him with information about the recipients of his personal data and the legal grounds justifying the disclosure of his data to them. Furthermore, the data subject asked the website operator ("the company") to provide him with a copy of the data conveyed to third parties and subsequently delete it from the website operator's and its partners' databases.
The website operator refused to fulfil the data subject's request, stating that it does not process information that would allow it to identify him. According to the company, the data subject's IP address and artificially attributed cookie ID did not fall under the definition of personal data pursuant to Article 4 (1) GDPR. The complainant was only informed about how he could delete cookies from his browser.
The data subject was dissatisfied with the company's response and decided to lodge a complaint with the Polish DPA.
The Polish DPA's decision
The Polish DPA recalled that information associated with a person, even indirectly, carries a specific message about him and constitutes "personal data" under GDPR. The possibility of connecting information related to the objects or devices owned by a given person indirectly allows that person to be identified. According to the Polish DPA, if an IP address is assigned for an extended time or permanently to a particular device, and that device is assigned to a specific user, it should be considered personal data pertaining to a particular individual. Thus the complainant's IP address and cookie ID constitute personal data under GDPR.
Thus the Polish DPA concluded that the website operator violated GDPR as it had no legal basis for processing the data subject's IP address and cookie ID. Consequently, the Polish DPA ordered the company to erase the data subject's personal data. The Polish DPA acknowledged that a copy of the cookie ID should be provided to the data subject at his request but did not order the company to do so since the personal data ceased to be in the possession of the company.
The Polish DPA recognized that data subjects are entitled to receive a copy of their internet trackers, since they constitute their data. The discussed decision signals a significant change in the enforcement strategy of the Polish DPA, which until recently seemed to avoid adjudicating cases concerning the processing of personal data in the digital environment.
The Polish DPA is still to rule on the rationale of NOYB's complaints regarding cookie banners. We are bound to see more decisions concerning internet trackers issued by the Polish DPA in the near future.
Article provided by INPLP member: Xawery Konarski (Traple Konarski Podrecki & Partners, Poland)
Co-Author: Mateusz Kupiec
Dr. Tobias Höllwarth (Managing Director INPLP)