导读:近日,谷歌因严重违反欧盟通用数据保护条例 (GDPR) 而被西班牙数据保护部门(AEPD)罚款 1000 万欧元。
谷歌在没有法律依据的情况下,向位于美国的第三方传输个人信息,无视了个人信息主体的删除权。
除了被罚款外,谷歌还被要求修改其程序以使其符合 GDPR 的要求,并删除其仍持有的与此次执法相关的任何个人数据。
导读源自个人信息与数据保护实务评论。
The Spanish Data Protection Agency (AEPD) has imposed a penalty of ten million euros on Google for transferring data to third parties without a legal base to do so and for hindering citizens’ right to erasure. According to the Agency, these contravene Articles 6 and 17 of the European General Data Protection Regulation (GDPR).
AEPD said it found out that Google had passed information that could be used to identify citizens requesting deletion of their personal data under EU law, including their email address; the reasons given; and the URL claimed, to a U.S.-based third party without a valid legal basis for this further processing.
In addition to the financial penalty, the Agency also ordered Google to adjust its procedures for the exercise of the right of erasure in relation to requests for the removal of content from its products and services, and the information it offers to its users, in line with data protection rules.
What the Agency is saying
AEPD in a statement announcing the sanction said: “Google LLC acted as controller of the analysed processing, which was conducted in the US. In the case of disclosure of data to third parties, the AEPD has found that Google LLC sent information of requests made to it by citizens, including their identification, e-mail address, the reasons given, and the URL claimed to the Lumen Project. The task of this project is to collect and make available requests for the removal of content, and the Agency therefore considers that, since all the information contained in the citizen’s request is sent for inclusion in another publicly accessible database and for dissemination via a website, “the purpose of exercising the right of erasure results in practice frustrated”.
“This communication of data by Google LLC to the Lumen Project is imposed on the user who intends to use Google forms, without the option of objecting to it and, therefore, without a valid consent for such communication to be made. Establishing such a condition for the exercise of the right to erasure granted to data subjects is in breach of the General Data Protection Regulation by generating “an additional processing of the data contained in the request for erasure when communicating them to a third party,” the Agency added.
Reacting to the sanction in a statement, Google said: “We are reviewing the decision and continually engage with privacy regulators, including the AEPD, to reassess our practices. We’re always trying to strike a balance between privacy rights and our need to be transparent and accountable about our role in moderating content online. We have already started reevaluating and redesigning our data sharing practices with Lumen in light of these proceedings.”(本文源自:Nairametrics)