Czech SA imposed fine of 13.9 million EUR for infringement of Art. 6 and Art. 13 of GDPR


Background information

  • Date of final decision: 10 April 2024
  • Cross-border case
  • LSA: Czech SA
  • and CSAs: all SAs
  • Legal Reference(s): Article 6 (Lawfulness of processing), Article 13 (Information to be provided where personal data are collected from the data subject)
  • Decision: Violation identified, Administrative fine
  • Key words: Lawfulness of processing, Anonymisation, Clients, Definition of personal data, Big Data, Administrative fine, Internet browsing history as personal data

 

Summary of the Decision

 

Origin of the case  

The case concerns the controller's transfer, to its sister company, of personal data that it collected from the users of its antivirus software. The proceedings were initiated based on media reports dating from the end of 2019/beginning of 2020 and an anonymous filing. The period under review was between April and July 2019. The controller is a company registered in the Czech Republic.

The first-instance decision in the case was issued on 14 March 2022 by the Czech Supervisory Authority (SA) as Lead Supervisory Authority (LSA), following a one-stop-shop (OSS) procedure. That decision was challenged by an administrative appeal of the controller, as permitted by the Czech administrative procedural rules. The current administrative appellate decision, addressing the appellant’s objections expressed in the administrative appeal, was issued by the LSA (namely by the President of the Czech SA) on 10 April 2024, following another OSS procedure, and was notified to the controller.

 

Key Findings 

The Czech SA found that the controller transferred personal data of the users of its antivirus software and its browser extensions to its sister company without due legal title for such processing. The transferred data related to roughly 100 million users and comprised, in particular, the users' pseudonymized internet browsing history, tied to a unique identifier. Further, the LSA found that the controller misinformed its users (data subjects) about these data transfers, as it claimed that the transferred data were anonymized and used solely for statistical trend analytics. The LSA concluded that internet browsing history, even if not complete, may constitute personal data, since re-identification of at least some of the data subjects could occur. The controller’s infringement is even graver considering that it is one of the foremost experts on cybersecurity that offers tools for data and privacy protection to the public.

 

Decision 

The decision of the Czech SA is an appellate decision, rejecting the administrative appeal of the controller and confirming the preceding first-instance decision both as to the controller being found liable for infringing Art. 6 and Art. 13 (1) of GDPR and as to the imposition of an administrative fine of approx. EUR 13.9 million (CZK 351 million). The decision is final and enforceable.
 
