Dublin, 24.10.2024: The Irish Data Protection Commission (DPC) has announced on Thursday its final decision following an inquiry into LinkedIn Ireland Unlimited Company (LinkedIn). This inquiry was launched by the DPC, in its role as the lead supervisory authority for LinkedIn, following a complaint initially made to the French Data Protection Authority, according to ”dataprotection.ie” .
The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members). The decision, which was made by the Commissioners for Data Protection concerns the lawfulness, fairness and transparency of this processing. The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million.
The DPC’s final decision records the following findings of infringement of the GDPR:
- Article 6 GDPR and Article 5(1)(a) GDPR, insofar as it requires the processing of personal data to be lawful, as LinkedIn:
– Did not validly rely on Article 6(1)(a) GDPR (consent) to process third party data of its members for the purpose of behavioural analysis and targeted advertising on the basis that the consent obtained by LinkedIn was not freely given, sufficiently informed or specific, or unambiguous.
– Did not validly rely on Article 6(1)(f) GDPR (legitimate interests) for its processing of first party personal data of its members for behavioural analysis and targeted advertising, or third party data for analytics, as LinkedIn’s interests were overridden by the interests and fundamental rights and freedoms of data subjects.
– Did not validly rely on Article 6(1)(b) GDPR (contractual necessity) to process first party data of its members for the purpose of behavioural analysis and targeted advertising. - Articles 13(1)(c) and 14(1)(c) GDPR, in respect of the information LinkedIn provided to data subjects regarding its reliance on Article 6(1)(a), Article 6(1)(b) and Article 6(1)(f) GDPR as lawful bases.
- Article 5(1)(a) GDPR, the principle of fairness.
DPC Deputy Commissioner Graham Doyle commented: “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”
The GDPR requires processing of personal data to be based on one of the legal bases outlined in Article 6(1) GDPR, such as consent, contractual necessity or legitimate interests. Depending on the lawful basis selected by controllers, certain conditions must to be met.
The GDPR also requires that processing is carried out in a fair manner. Fairness is an overarching principle, which requires that personal data may not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject.
Transparency is another crucial aspect of data protection, and gives data subjects control over the processing of their personal data.
The DPC’s final decision exercised the following corrective powers:
– a reprimand pursuant to Article 58(2)(b) GDPR;
– three administrative fines totalling €310 million pursuant to Articles 58(2)(i) and 83 GDPR;
– an order to LinkedIn to bring its processing into compliance with the GDPR pursuant to Article 58(2)(d).
Source: ”dataprotection.ie” .
Foto: ”freepik.com”
