Cookiebot
The General Data Protection Regulation (GDPR) affects how your website may track visitors from the EU.

 

Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

On May 25, 2018, the General Data Protection Regulation came into force as the strictest and most encompassing data protection law ever to be passed. Its scope reaches far beyond the borders of the EU, since it applies to all organizations and all websites globally that process the data of EU citizens.

Furthermore, the GDPR has set a high standard for data protection that other data protection authorities around the world are following as an example as they update their legislation to meet the demands of a digital and data-driven society.

Up to the enforcement deadline, the million-dollar question was how (and whether, even) the GDPR would actually be enforced in practice. Now, six months later, various national data protection authorities and supervisory authorities as well as privacy activists and offended parties have taken action.

Read about GDPR convictions, fines, investigations, complaints and warnings below. Find out what to be especially aware of and how to avoid trouble in our checklist at the end of the article.

GDPR fines so far

Timeline: What GDPR related actions have taken place since May 25, 2018?


The cases that have attained public attention are only the tip of the iceberg.

As a rule of thumb, cases are only made public if one of the involved parties for some reason chooses to do so, e.g. to gain momentum, as in the case of Privacy International; to set an example and a warning, as in the warnings by the CNIL and the fined Portuguese hospital; or if the convicted company wishes to dispute the conviction.

At the time of writing, an estimated 30 to 60 cases are being investigated by the data protection authorities of the different EU member states.

The number of complaints is far higher. For example, four months into the enforcement, the French supervisory authority CNIL had received 742 notifications of violations.

All in all, 6 months after the enforcement, the European DPAs had received an estimated 57,000 complaints!

The cases that for one reason or another have made it to the public or have received media attention leave no doubt as to whether the GDPR is taken seriously.

Quite the contrary, the cases prove how important it is to have a proper consent mechanism with clear, transparent and accurate information, to ensure that the consent is obtained prior to the initial processing, and to have an adequate documentation of consents, amongst other things.

The GDPR is very much to be reckoned with, and has been adopted by national authorities, privacy activists and offended parties alike as a potent instrument to improve transparency and ensure the enforcement and respect of privacy rights.

Check if your website’s use of cookies and tracking is compliant with our Cookiebot scan. The free audit scans up to five pages of your website and detects all cookies and tracking on these pages. Receive the full report on the provenance, purpose and duration of the trackers and the recipients of the collected data. Find out if you obtain consent prior to the initial tracking, and whether the collected data is sent to adequate countries.

CNIL issues formal warnings for lack of prior consent and inadequate information

On June 25, 2018, just a month into the enforcement of the GDPR, the French supervisory authority CNIL (acronym for Commission Nationale de l'Informatique et des Libertés) issued a formal warning to the two French mobile app companies Fidzup and Teemo for lack of consent, for inadequate information about the duration of the data storage, and for lack of free choice.

CNIL issues formal warnings under the GDPR for lack of prior consent
Geodata targeted advertising is advertising based on the person’s specific geographical location, often discovered by means of apps installed on their smartphone.

The two companies specialize in geo-targeted advertising. They make use of a software development kit (SDK) that is integrated into the code of their partners' mobile apps; the partners are usually advertisers and shops. The SDK locates the device and can therefore track personal geodata.

Geodata can be transmitted even when the app is not in use (in the case of Teemo, every 5 minutes) and constitutes precious information for advertisers, especially when coupled with other user profiling data, enabling very precisely targeted ad campaigns based on the user's profile and location.

Example: Let's say your user profile suggests you are a man in your mid-thirties in a lasting relationship. You might then be targeted with ads for engagement rings on your phone while you are in the proximity of a jewelry store.

See also the infographic made by the CNIL explaining how targeted advertising based on smart phone geolocation works (in French).

The CNIL issued its warnings due to faulty consent: In the case of Teemo, CNIL found that the user was not informed about the geodata collecting SDK when downloading the apps. During their controls, CNIL revealed that when Fidzup’s partners’ apps were downloaded, the user was not informed about the purpose of the tracking or about the identity of the tracker. Furthermore, the general terms and conditions were provided after the download of the app was completed, hence after the initial data collection had taken place, thereby infringing the requirement for prior consent. The data was kept for too long, infringing the GDPR requirement that data that is no longer needed for the original and declared purpose be deleted.

Finally, in the case of both companies, the consent was not freely given, as it was not possible to download the app without the SDK. Therefore, downloading the apps in question automatically meant that the user data was transmitted to the companies.

The CNIL issued a formal warning based on the following infractions of the GDPR:

See the official warnings issued by the CNIL here (in French):

Dutch Supervisory Authority investigates corporations’ GDPR compliance

Dutch DPA announces review of data processing activities
Autoriteit Persoonsgegevens (AP), the Dutch supervisory authority, announced its GDPR compliance review of thirty randomly selected Dutch corporations from different economic sectors.

On July 17, 2018, the Dutch supervisory authority, Autoriteit Persoonsgegevens, announced that it would review the records of processing activities of thirty corporations, randomly selected from ten different economic sectors across the Netherlands, namely: metal industry, water supply, construction, trade, catering, travel, communications, financial services, business services and healthcare.

According to the authority, the correct maintenance of records of processing activities is an important first indication of an organization’s compliance with the EU data protection rules.

Article 30 of the GDPR requires data controllers and processors to maintain a record of their processing activities. These records must, among other things, include a description of the categories of data subjects and types of personal data processed, as well as the recipients of the data and the transfer mechanisms used. Small organizations with fewer than 250 employees are generally exempted from this rule, but there are several exceptions to the exemption which may still cause the obligation to apply to them as well.

Portugal GDPR fine of 400,000 euro to hospital for breach

Portugal GDPR fine
Too many people had access to patient data, and the hospital was not able to document compliant processes for the handling of the data. Centro Hospitalar Barreiro Montijo got the dubious honor of being the first recipient of a large GDPR fine, thereby definitely proving the validity of the new regulation.

On October 22, 2018, the Portuguese data protection authority CNPD (Comissão Nacional de Protecção de Dados) announced that Centro Hospitalar Barreiro Montijo (CHBM) was fined for two violations of the GDPR:

The fine was disclosed following an inspection carried out by CNPD, after an alert issued by the Medical Association.

Privacy International accuses data brokers and credit scorers of GDPR breaches

Privacy International files GDPR complaints against data trackers
The UK based charity, Privacy International, advocates for transparency and for strong legal and technological protection of personal privacy.

On November 8, 2018, Privacy International (PI) filed complaints against seven companies: data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian), with data protection authorities in France, Ireland, and the UK.

The UK based charity urged the data protection authorities to investigate these companies and to protect individuals from the mass exploitation of their data.

In their complaints, PI stated that the seven companies Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast, and Tapad, are not compliant with Data Protection Principles, namely the principles of “transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy”.

PI claims that all of the above companies systematically process personal data in an unlawful manner, referring in particular to their extensive practice of profiling. It claims that they do not have a legal basis for the way they use people's data, and underlines that neither consent nor legitimate interest is a satisfactory condition for the kind of processing taking place.

“Where they claim that consent is a valid basis for processing, they fail to demonstrate how it was collected and that the consent was freely given, specific, informed, and unambiguous,” says PI in its press release, and continues:

“Where they rely on legitimate interest, they have molded this to fit their self-determined interests without demonstrating the necessity nor sufficient consideration of the impact on individuals’ rights.”

Privacy International also states that there are obstacles to individuals exercising their data subject rights under the GDPR against these companies, including:

• the right to information (Articles 13 and 14 of the GDPR)
• the right of access (Article 15)
• the right to erasure (Article 17)
• rights in relation to automated decision-making, including profiling (Article 22 of the GDPR)

Formal warning from the CNIL for IAB Framework-implemented consent

CNIL issues formal warning to company in the IAB consent framework
The French supervisory authority CNIL has proven to be very proactive when it comes to GDPR enforcement. On November 9, it issued its third formal warning to a private company for lack of valid consent, despite the company having implemented a consent solution based on the IAB framework.

On November 9, 2018, the CNIL issued a formal warning to the advertising network Vectaury, giving the company three months to change its consent experience for customers and to purge all data collected on the basis of invalid consent previously obtained. If they fail to do so, they will be fined.

As in the cases of the companies Teemo and Fidzup described above, the warned company Vectaury used an SDK in order to collect geolocation data of the users.

It is worth noting that Vectaury did have a consent mechanism in place and participated in the IAB Europe transparency & consent framework (TCF). The consent dialog consisted of a short message describing the data collection and offering three options: to accept, to refuse, and to customize the preferences.

However, based on its controls, the CNIL still found that the obtained consent was not compliant for the following reasons:

1. The consent was not informed: Due to unclear language and the use of complex terms, and due to poor accessibility of information, in particular the list of third parties receiving the data.

2. The given consent had insufficient options: At the time of installation of the app, the dialog only gave users the option to consent or to refuse. Users were not asked to specifically consent to the processing of their geolocation data for targeted marketing purposes.

3. The consent was not obtained through an affirmative action: Users selecting “customize my preferences” were directed to a separate pop-up with pre-checked options.

CNIL's decision to issue a formal warning to Vectaury has provoked strong reactions in the adtech industry. It is being interpreted as an important first step towards establishing that consent frameworks based on the contractual passing-on of consents are not valid under the GDPR.

Read the article by TechCrunch for an interesting and enlightening walk-through of the case, the reactions and analysis of its possible consequences for the industry: How a small French privacy ruling could remake adtech for good.

Overview: Public attention to GDPR fines, warnings, complaints and investigations in the EU so far


Updated December 3, 2018

• June 25, 2018: Formal warning by the CNIL (FR) to Teemo & Fidzup for lack of prior consent, inadequate information, excess data collection, data kept for too long, consent not freely given

• July 17, 2018: Investigation by Autoriteit Persoonsgegevens (NL) of 30 randomly selected Dutch companies checking (in)correct maintenance of records of processing activities

• October 22, 2018: Fine of 400,000 € administered by Comissão Nacional de Protecção de Dados (PO) to Centro Hospitalar Barreiro Montijo for violation of the principle of data integrity and confidentiality, violation of the principle of data minimization that should prevent indiscriminate access to clinical data, and inability to ensure the confidentiality and integrity of the data

• October 23, 2018: Formal warning given by CNIL (FR) to SingleSpot for lack of consent for data tracking and incomplete information

• November 8, 2018: Complaints filed by Privacy International (to UK, FR & IE) about Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, Experian for lack of lawful basis for data tracking and profiling and lack of valid, informed and transparent consent

• November 9, 2018: Formal warning issued by CNIL (FR) to Vectaury for inadequate information and invalid consent

• November 22, 2018: Fine of 20,000 € administered by the German DPA of Baden-Württemberg to the "cuddly" German chat app Knuddels.de for user passwords saved in plain text

• November 29, 2018: Formal complaint by Forbrukerrådet (NO) and 7 other European consumer organizations to DPAs in the Netherlands, Poland, the Czech Republic, Greece, Norway, Slovenia, and Sweden against Google for user tracking on a massive scale without free, specific, informed and unambiguous consent to the collection and use of location data

Visual overview, updated November 22, 2018

overview of GDPR fines, complaints and warnings so far

Who is enforcing the GDPR?


The GDPR was issued by the European Commission in 2016 and came into force on May 25, 2018.

The European Data Protection Board (EDPB), formerly known as the Working Party 29 (WP29), acts as the regulatory body of the GDPR.

EDPB is made up of the presidents of the member states’ data protection authorities. The EDPB issues guidelines and recommendations, and advises the European Commission, ensuring consistency of the application of GDPR.

On a national level, each EU member state has designated a supervisory authority or data protection authority (DPA) to be responsible for monitoring the application of the GDPR and addressing non-compliance.

In most cases, the DPA plays an (often difficult) double role as an institution offering GDPR guidance and advice on the one hand, and as the GDPR enforcement authority on the other.

List of 28 member states’ Data Protection Authorities (DPA):

Austria: Österreichische Datenschutzbehörde

Belgium: Data Protection Authority

Bulgaria: Commission for personal data protection

Croatia: Croatian data protection agency

Cyprus: Commissioner for personal data protection

Czech Republic: The office for personal data protection

Denmark: Datatilsynet

Estonia: Inspectorate

Finland: Ombudsman

France: CNIL

Greece: Hellenic Data Protection Authority (HDPA)

Hungary: Hungarian National Authority for Data Protection and Freedom of Information

Italy: Garante privacy

Ireland: Data protection commission

Latvia: Data State Inspectorate

Lithuania: State data protection inspectorate

Luxembourg: CNPD

Malta: Information and data protection commissioner

the Netherlands: Autoriteit Persoonsgegevens

Poland: Personal data protection office

Portugal: Comissão Nacional de Protecção de Dados

Romania: Data protection

Spain: AEPD

Slovakia: Office for Personal Data Protection of the Slovak Republic

Slovenia: IC

Sweden: Datainspektionen

United Kingdom (UK): ICO

Germany: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit 
NB: in the Federal Republic of Germany, the responsibility for monitoring and supervising the enforcement of the GDPR is distributed amongst the 16 states of the federation. See the list of German data protection supervisory authorities.

Checklist of GDPR enforcement and compliance: What conclusions can be drawn so far?


The General Data Protection Regulation, a law text of 88 pages and 99 articles, is, like any other piece of legislation, a complex document to translate into the everyday life and reality of an organization.

Many companies and organizations have therefore been biding their time, waiting to see how the regulation would be enforced in practice.

The enforcement is still in its early stages, and the different data protection authorities still have to find their stance between advising companies on compliance and administering fines for infractions.

In terms of take-aways, however, the early cases highlighted above show that especially the following types of GDPR infractions have been acted upon so far:

• Related to cookies and online data tracking (websites and apps):
  • prior consent: lacking or incompletely implemented
  • pre-ticked checkboxes or bundling of consents
  • partial, faulty or unclear information

• Data registers:
  • incomplete safeguarding of data
  • lack of documentation of data handling procedures
  • unauthorized persons' access to data

The cases leave no doubt as to whether the GDPR affects “normal” companies, middle-sized and smaller, startups, as well as public institutions. It is in other words enforced as a regulation that regards us all and not only the tech giants such as Google, Facebook, Amazon and Apple.

In terms of drawing a conclusion on what to be aware of, one might list the following:

1. "Less is more": Your mantra when it comes to processing data. Collect as little data as possible, keep it only for as long as it is relevant for the purpose for which it was collected, and give as few people as possible access to the data.

2. Documentation is essential: Keep registers and clean procedures for all of the data processing taking place.

3. Enable informed consent (and make sure it is prior): One of the trickiest parts of ensuring compliance is cookies and online tracking on your website. It’s difficult to know what is going on “under the hood” of a website, in fact, most website owners don’t even know it themselves!

Most websites have large numbers of cookies and online tracking technologies coming from third parties, most of which do track personal data of the website users.

Social media buttons, embedded content, analytics etc. all can (and usually do) set cookies that collect personal data and send them off "into the world", where they are processed by whomever they are sent to.

In doubt about what is considered personal data in the GDPR? Read our introduction of the GDPR.

Even so, as the owner of the website, you are the party responsible for the tracking going on on your website, for enabling prior consent to all of the tracking, and for informing about it in a clear and specific manner.

To our best knowledge, Cookiebot is the only consent management solution fully capable of helping you in doing so at this stage.

Read our explanation why below.

How Cookiebot helps


Cookiebot provides an easy and effective way for website owners to make their use of cookies and online tracking fully compliant with the GDPR.

The main features of the solution are:

Website scanner: Detects all cookies and tracking in use on a website

Enabled prior consent: All cookies and tracking are effectively held back until consent to them has been given by the user

The consent banner: Displays accurate information about the cookies and tracking and gives the user the possibility to opt in and out

Registry: All received consents are securely stored as documentation that consent has been given
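The two mechanisms the page keeps returning to, holding trackers back until the user has opted in and keeping a record of the consent given, can be shown in a few dozen lines. The following is an added example written for this article; it is not Cookiebot's code and does not use Cookiebot's API. Scripts are modelled as plain objects rather than DOM nodes so it runs in Node; the category names follow the four categories named further down (Necessary, Preferences, Statistics, Marketing), and the function names, the sample script list and the 12-month expiry are this example's own assumptions. Optional categories start unchecked, a choice only counts if it is an explicit affirmative value, and an expired record falls back to "necessary only", which are exactly the three points the CNIL raised in the Vectaury case.

```javascript
// Added example (not Cookiebot's code): consent-gated activation of tracking
// scripts plus a stored consent record. Names and sample data are constructed
// for this example.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Default consent state: only strictly necessary is on; every optional
// category starts unchecked, so nothing is pre-ticked for the user.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Constructed sample: scripts a page would ship, each tagged with the category
// it belongs to. On a real page these would be <script> tags kept inert until
// consent is given; here they are plain objects so the logic runs in Node.
const SAMPLE_SCRIPTS = [
  { id: "session-handler", category: "necessary", src: "/js/session.js" },
  { id: "analytics", category: "statistics", src: "https://analytics.example/track.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "theme-memory", category: "preferences", src: "/js/theme.js" },
];

// Decide which scripts may run under the given consent. Anything in a category
// the user has not opted in to is held back; an unknown category is held back
// too, so a mislabelled tracker cannot slip through by accident.
function gateScripts(scripts, consent) {
  const allowed = [];
  const blocked = [];
  for (const s of scripts) {
    const ok = CATEGORIES.includes(s.category) && consent[s.category] === true;
    (ok ? allowed : blocked).push(s.id);
  }
  return { allowed, blocked };
}

// Build the consent record to be stored as documentation. Only categories the
// user affirmatively chose (strictly `true`) are recorded as given; "necessary"
// needs no consent and is always on. Expiry is 12 months after the choice.
function recordConsent(choices, now = new Date()) {
  const consent = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== "necessary" && choices[c] === true) consent[c] = true;
  }
  const expires = new Date(now.getTime());
  expires.setUTCMonth(expires.getUTCMonth() + 12);
  return {
    consent,
    givenAt: now.toISOString(),
    expiresAt: expires.toISOString(),
  };
}

// True when the record has expired and consent must be asked for again.
function needsRenewal(record, now = new Date()) {
  return now.getTime() >= new Date(record.expiresAt).getTime();
}

// Apply a stored record to the scripts. A missing or expired record is treated
// as "no consent given", so only necessary scripts run.
function applyRecord(scripts, record, now = new Date()) {
  const consent = record && !needsRenewal(record, now) ? record.consent : defaultConsent();
  return gateScripts(scripts, consent);
}

// Walk through the flow once: first visit, opt-in to statistics, then a visit
// after the record has expired. Returns the three results for inspection.
function demo() {
  const firstVisit = applyRecord(SAMPLE_SCRIPTS, null);
  const givenAt = new Date("2018-11-22T10:00:00Z");
  const record = recordConsent({ statistics: true }, givenAt);
  const afterOptIn = applyRecord(SAMPLE_SCRIPTS, record, givenAt);
  const afterExpiry = applyRecord(SAMPLE_SCRIPTS, record, new Date("2019-11-23T00:00:00Z"));
  return { firstVisit, afterOptIn, afterExpiry, record };
}
```

Running `demo()` shows only `session-handler` allowed on the first visit, `analytics` added once statistics consent is recorded, and the page back to necessary-only once the 12 months have elapsed; the record itself carries the ISO timestamps a registry would store.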

The website scan

The monthly scan discovers, locates, and identifies all tracking scripts that are active on all sub-pages of your domain — irrespective of its size and complexity.

Think of it as a number of users (7-8 to be more specific) that visit your website simultaneously and perform all the actions possible. The users will go through up to 10,000 subpages, will click all the links, menu points and buttons, move around the cursor, they’ll play embedded videos, look at photos – in other words do everything that it is possible for a real website visitor to do on your website.

While this user simulation is taking place, the scanner collects information about all the cookies and various tracking technology that is being used – i.e. the exact same cookies and trackers that a real website user would encounter – and gathers all this information in the scan report along with a lot of other useful information.

The scan report can be published as an integrated part of your privacy policy or cookie policy.

The consent banner

The list of cookies and tracking in operation on the website folds out directly from the consent banner, providing true transparency.

The user can easily opt in and out of the four categories: Necessary, Preferences, Statistics and Marketing.

All received consents are securely stored as documentation and renewed upon the user’s first returning visit once 12 months have elapsed.

Cookiebot cookie consent banner

Resources

Bryancave.com: Are regulators really enforcing the GDPR? Ask Portugal

Mondaq.com: GDPR 6 Months after implementation: Where are we now?

Cuatrecasas.com: Hospital do Barreiro fined by comissao nacional proteccao dados in 400000 euro for allowing improper access to clinical files

Omada.net: GDPR Fine of EUR 400,000 to Portuguese Hospital

DLA Piper’s blog: France: website publisher fined for violation of the cookie

Inside Privacy: French Supervisory Authority Issues 2 GDPR Warnings

Inside Privacy: CNIL imposes GDPR consent in online advertising space

CNIL: Applications mobiles mise en demeure absence de consentement geolocalisation ciblage publicitaire 2

CNIL: Violations de données personnelles 1er bilan après l'entrée en application du RGPD

Insideprivacy.com: Dutch supervisory authority announces GDPR-investigation

Techcrunch: How a small French privacy ruling could remake adtech for good

Financial Times: Data brokers and credit scorers accused of GDPR breaches

The Register: 'Cuddly' German chat app slacking on hashing given a good whacking under GDPR: €20k fine

Forbrukerrådet: New study: Google manipulates users into constant tracking

Make your website’s use of cookies and online tracking GDPR/ePR compliant today

Try for free