To conduct its investigation, the CNPD sent a questionnaire to a selection of Luxembourg companies offering web services and/or mobile app.
Nine objectives were defined to carry out the investigation to ensure whether (i) the information is available; (ii) the information is complete; (iii) the absence of information is justified by a valid exception; (iv) the information is transmitted by appropriate means (v) information is concise, transparent, understandable, and conveyed in clear and simple language;(vi) the information is adapted to the category of persons concerned (vii) the information is free of charge; (viii) the information is easily accessible; and (ix) the information is provided at key stages of processing.
Article 12.1. of the GDPR deals with the quality of information and the way this information has to be given to data subjects to enable them to exercise their rights provided by the GDPR. It requires controllers to take appropriate measures to provide "any" information under Articles 13, 14, 15 to 22 and 34 of the GDPR in a manner that is concise, transparent, intelligible and easily accessible, using clear and plain language, whatever its format.
The CNPD found breaches of the transparency obligation in the following cases:
- Information must be concise and transparent:
The data protection policy provided by the controller was broader than what is implemented in reality.
The CNPD considers that the provision of information to users that corresponds to processing that is not carried out, such as information on advertising based on the interests of the customer or on the collection of information on customer habits included in the data protection policy but which in reality are not processed by the data controller, prevents the required information from being presented to users in an effective and succinct manner.
Presenting illustrative examples in the data processing policy or using wording such as “included among the types of data (…)” or stating that “the data are processed and kept for as long as required for the purpose for which they are collected”give the impression that the information provided to users is not complete and is therefore not compliant.
- Information must be accessible, including policy changes
Substantial updates must be actively disclosed i.e. for example by using an informative email or a pop-up on the website together with a summary of the main changes and the consequences for data subjects.
A communication via a cookies banner which appears only at the time of the first connection to the Internet site does not constitute an appropriate communication support. The information must be given by an appropriate means such as an email, postal mail, contextual window on a web page, or any other means to effectively capture the user's attention.
- Information must be intelligible.
The information contained in the data protection policy must correspond to the information contained in data processing register:
In this decision, the data protection policy only mentioned that the controller can collect information on traffic for each call or internet session without indicating the collection of location data, although this was mentioned in the policy. A data subject should be able to determine in advance what the scope and consequences of the processing entails and they should not be surprised at a later point about the ways in which their personal data has been used.
- Information must be easily accessible
The fact that the information is provided in the App via hyperlinks is appropriate provided that the redirection link to the contact form and the privacy policy works (in the present case, the links were broken).
The information must be accessible at each point of collect i.e. on each concerned web page of the web site or the App.
Data subjects should not have to search for the information but should be able to access it immediately.
- Information must be providing using clear and plain language
The data protection policy must be available in the same languages as those offered on the website, namely the languages of the customers targeted by the services of the controller.
The amount of the penalties imposed in the decisions of December 13, 2022, remain relatively symbolic : between EUR 700 and EUR 3000.
The CNPD's approach is above all one of raising awareness and educating companies to enable them to comply and to accompany them on this complex but essential process.
Article provided by INPLP member: Michel Molitor and Virginie Liebermann (Molitor Avocats a La Cour, Luxembourg)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)