A Data Protection Authority (DPA) in Europe has recently issued Facebook with a significant €1.2 million fine for two ‘serious’ and one ‘very serious’ breaches of data protection law.
The investigation, which formed part of a joint initiative by Data Protection Authorities across Belgium, France, Hamburg, and the Netherlands, revealed that Facebook users’ personal data (e.g. political views, religious beliefs, location, and other personal preferences) had been collected without the users’ informed consent. Data subjects were also left unaware of the purpose for which their information was shared with Facebook (and other third-party web pages), and of how it was used thereafter.
The breach the DPA rated ‘very serious’, which accounted for €600,000 of the total fine, was the discovery that Facebook did not ‘obtain unequivocal consent, specific and informed’ from its users before processing certain types of data (known as ‘special categories’ of data in legislative speak) for marketing purposes.
Finally, the DPA was able to prove that Facebook did not, in fact, delete personal data upon user request (e.g. termination of an account), but instead retained the data via cookies for up to seventeen months, a period that extends well beyond the original purpose for collecting it in the first place.
Is your organisation fully aware of data protection directives and right-to-be-forgotten legislation?
For more information on DeltaNet International’s Data Protection, GDPR, and Information Security courses and microlearning courses, please don’t hesitate to get in touch.