ARKTINOS” Publications Ltd – Complaint Upheld (Cyprus, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 12 August 2020, the data subject visited the website politis.com.cy while logged in to a Facebook account with his e-mail address. The private news company managing the website, the controller, integrated HTML code for Facebook Services, including Facebook Connect. Facebook Connect is a service used by third party websites, that allows Facebook users to log into other websites with their Facebook profile, without having to create separate accounts there. At the same time, this service enables the flow of user’s personal data between the site and Facebook. While the data subject visited the website, the controller processed their personal data of which at least some were transferred to Facebook Inc, in the United States. Because the CJEU has annulled the EU-US Privacy Shield in judgment C-311/18, the data transfer could not be based on the adequacy decision as per Article 45 GDPR. Yet, the data transfers were still based on the invalidated EU-US Privacy Shield, as was evident by section 4 of the Facebook Data Processing Terms. Facebook Inc. is subject to oversight by U.S. intelligence services in accordance with 50 U.S. Code § 1881 and therefore obliged to provide U.S. authorities with personal data. For this reason, the data subject filed a complaint against the controller for a breach of provisions of Chapter V concerning the transfer of personal data to third countries. Additionally, the data subject requested a clarification whether Facebook Business Tools Terms and Facebook Data Processing Terms met the requirements of Article 28 GDPR on the transfer of personal data to third countries. The controller claimed that they did not collect personal data of any users who visited the website from a Facebook link and the only use of Facebook tools made by the controller was to promote their news articles to more people on the basis of the criteria provided to them. After the DPA asked the controller to clarify whether the data received from the use of Facebook pi
GDPR Articles Cited
On 12 August 2020, the data subject visited the website politis.com.cy while logged in to a Facebook account with his e-mail address. The private news company managing the website, the controller, integrated HTML code for Facebook Services, including Facebook Connect. Facebook Connect is a service used by third party websites, that allows Facebook users to log into other websites with their Facebook profile, without having to create separate accounts there. At the same time, this service enables the flow of user’s personal data between the site and Facebook. While the data subject visited the website, the controller processed their personal data of which at least some were transferred to Facebook Inc, in the United States. Because the CJEU has annulled the EU-US Privacy Shield in judgment C-311/18, the data transfer could not be based on the adequacy decision as per Article 45 GDPR. Yet, the data transfers were still based on the invalidated EU-US Privacy Shield, as was evident by section 4 of the Facebook Data Processing Terms. Facebook Inc. is subject to oversight by U.S. intelligence services in accordance with 50 U.S. Code § 1881 and therefore obliged to provide U.S. authorities with personal data. For this reason, the data subject filed a complaint against the controller for a breach of provisions of Chapter V concerning the transfer of personal data to third countries. Additionally, the data subject requested a clarification whether Facebook Business Tools Terms and Facebook Data Processing Terms met the requirements of Article 28 GDPR on the transfer of personal data to third countries. The controller claimed that they did not collect personal data of any users who visited the website from a Facebook link and the only use of Facebook tools made by the controller was to promote their news articles to more people on the basis of the criteria provided to them. After the DPA asked the controller to clarify whether the data received from the use of Facebook pi
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for ARKTINOS” Publications Ltd in CY
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. ARKTINOS” Publications Ltd - Cyprus (2024). Retrieved from cookiefines.eu
Last updated: