HH Invest SIA, an online store, was fined by the Latvian DPA (Datu valsts inspekcija) for insufficiently informing a data subject about the processing of their data.
Excerpt
Our analysis
During a self-initiated assessment of the HH Invest SIA website, the Latvian DPA uncovered violations related to data subject control and the provision of information required by the GDPR. Specifically, the DPA found that HH Invest SIA had not provided its privacy policy to data subjects in a systematic and comprehensible way, as required by Article 13 of the GDPR. The right to receive information related to data processing is essential for data subject control over a company's use of personal data. Without access to this information, data subjects are unable to make informed decisions about a company's actions with their data.
The Data State Inspectorate, within the framework of its own initiative, assessed the content of HH Invest SIA's privacy policy and found that the information provided to data subjects was not presented in an easy-to-understand manner and was unsystematic. Some aspects of data processing, which are required to be explained to data subjects under Article 13 of the GDPR, were not adequately explained. This lack of clear and comprehensive information prevented data subjects from being fully informed about the processing of their personal data and from exercising their rights under the GDPR.
Overall, the Latvian DPA found that HH Invest SIA had violated Article 13 of the GDPR by failing to provide sufficient and clear information to data subjects regarding the processing of their personal data. The use of deceptive patterns such as hidden information prevented data subjects from fully understanding and controlling the processing of their personal data, in violation of the GDPR.
Outcome
An online store was fined €15,000 by the DPA for violations related to personal data processing. However, the DPA took into account the store's active cooperation during the investigation and efforts to remedy the issues identified. The DPA acknowledged that the store had improved the information provided to data subjects as a result of the inspection. The store is one of the largest online stores in Latvia.
Parties
SIA “HH Invest" and Latvian DPA
Case number
Press Release 15.12.2020
Decision
Related deceptive patterns
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.