Published 1 February 2016
What does this cover?
During the proceedings it was demonstrated that Google collected personal information through nearly a hundred services and products offered in Spain, in many cases not providing adequate information about what data were collected, the purposes it was used for and without obtaining a valid consent of data subjects. In addition, Google combined the personal information obtained through the different services or products in order to use it for multiple purposes that were not clearly determined, thus violating the prohibition to use data for purposes other than those for which those data were collected. Moreover, Google stored and maintained data for periods of time indeterminate or unjustified, thereby contravening the legal requirement to delete data when it ceases to be necessary for the purpose for which it was collected. The DPA concluded that Google hindered, and in some cases prevented, the exercise of the data subject rights of access, rectification, cancellation and opposition.
The DPA demonstrated that Google unlawfully collected and processed personal information of both authenticated (those who log into their Google accounts) and non-authenticated users, as well as of those who act as “passive users” because they have not requested Google’s services but accessed web pages that included elements managed by Google.
The WP29 agreed to continue the coordinated action initiated in this respect by the DPAs of Germany, Spain, France, Holland, Italy and the UK.
A press release from the Spanish DPA is available here (Spanish).
Article submitted by Irene Robledo de Castro, Spanish counsel – Spain
What action could be taken to manage risks that may arise from this development?
None – for information only.