Details:
Summary | The Belgian DPA has imposed a fine of EUR 250,000 on IAB Europe. The DPA had received several complaints against IAB Europe since 2019. These complaints mainly questioned whether the ‘Transparency & Consent Framework (TCF)’ complies with the GDPR. The TCF was developed by IAB to promote compliance with the GDPR by organizations using the OpenRTB protocol.
The OpenRTB protocol is a protocol for ‘real-time bidding,’ which is the automated online auction of user profiles for the sale and purchase of advertising space on the Internet. When users visit a website that contains an ad space, technology companies, through an automated auction system, can bid in real time for that ad space to display personalized advertising. When users visit a website for the first time, an interface appears through which they can consent to the collection and sharing of their personal information or object to various types of processing. As part of the TCF, a consent management tool appears during this process. The tool allows the user to object to certain types of data processing. The TCF registers the user’s preferences through the tool by generating a TC string and sends it to all partners participating in the OpenRTB system. Based on this TC string, user profiles are compiled, which are then passed on to advertisers. This makes it visible to them what kind of data processing the users have agreed to.
Within the scope of its investigation against IAB, the DPA identified a number of violations of the GDPR. It found that the TC strings already constituted personal data and that IAB was therefore required to have a legal basis for processing these data. However, IAB was unable to demonstrate any such legal basis. In addition, IAB did not properly inform users about the functioning of the TCF. For example, the information provided to users was too generic and vague to understand the scope of the data processing. Furthermore, IAB had not maintained a register of its processing activities, had not appointed a data protection officer, and had not conducted a data protection impact assessment. |
Link: | link |
Related articles: | Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 6 (1) GDPR, Art. 9 (1), (2) GDPR, Art. 12 (1) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 24 (1) GDPR, Art. 30 GDPR, Art. 31 GDPR, Art. 32 (1), (2) GDPR, Art. 37 GDPR |
Type: | Insufficient legal basis for data processing |
Fine: | EUR 250,000 |
Sector | Media, Telecoms and Broadcasting |
All data is based on the CMS Law GDPR Enforcement Tracker. Source: https://www.enforcementtracker.com/