The Irish Data Protection Commission (DPC) has taken legal action against the Microsoft-owned business network LinkedIn, imposing a fine in the amount of 310 million euros. The subject of the investigation was the processing of personal data of LinkedIn users for behavioral analysis and targeted advertising. What other companies can learn from the fine notice.
CNIL forwards LinkedIn complaint to DPC
The DPC investigation was opened on August 20, 2018 following a complaint by the French non-profit organization La Quadrature Du Net. The complaint was first filed with the French data protection authority CNIL and then forwarded to the DPC in its role as lead supervisory authority for LinkedIn.
According to the DPC's statement, the investigation concerned "the legality, fairness and transparency of the processing of personal data of users of the LinkedIn platform for the purpose of behavioral analysis and targeted advertising". The DPC found that the personal data in question was data provided directly to LinkedIn by its members (first-party data) and data collected by LinkedIn through its third-party partners in relation to its members (third-party data).
Lack of consent from LinkedIn users
In its decision of October 22, 2024, the DPC found several violations of the GDPR:
- Art. 6 and Art. 5 para. 1 lit. a GDPR: LinkedIn could not demonstrate a valid legal basis for the processing of member data for the purposes of behavioral analysis and targeted advertising. Specifically, the DPC found that:
  - Consent was invalid because the consent obtained by LinkedIn was not voluntary, not sufficiently informed, or not specific and unambiguous (Article 6(1)(a) GDPR).
  - LinkedIn could also not effectively rely on Article 6 (1) lit. f GDPR (legitimate interest) to process personal data of its members for behavioral analysis and targeted advertising, or to process third-party data for analytics. The interests and fundamental rights and freedoms of the data subjects outweigh the interests of LinkedIn.
  - LinkedIn was also unable to rely on necessity for the performance of the contract (Article 6 para. 1 lit. b GDPR), as the data processing for behavioral analysis and advertising was not necessary.
- LinkedIn also did not provide sufficient information about the legal basis, which violates the transparency requirements of Article 13 para. 1 lit. c and Article 14 para. 1 lit. c GDPR.
- Article 5(1)(a) GDPR - Infringement of the principle of fairness: The DPC found that LinkedIn's data processing violated the principle of fairness, as the practices impaired users' trust and freedom of choice with regard to their personal data.
DPC measures and sanctions against LinkedIn
In response to these violations, the DPC implemented various measures:
What companies can learn from the LinkedIn decision
This decision illustrates the enormous risks for companies that process personal data without an appropriate legal basis. The consequences include not only financial sanctions, but also lasting reputational damage. There are various lessons and obligations for companies arising from this decision:
- Increased compliance measures: Companies must ensure that they have a valid legal basis for the processing of personal data and that consent, where used, meets the strict requirements of the GDPR.
- Clarity and transparency: Companies are obliged to communicate their data processing practices clearly and comprehensibly so that users are informed about the purpose and consequences of data processing and can exercise their rights.
- Fairness and user rights: Companies must not only ensure the legal basis of their data processing, but also guarantee fairness and the protection of the rights of data subjects.
- Risk of sanctions: The decision shows that violations of the GDPR can not only have legal consequences, but can also entail considerable financial risks.
Compliance with the principles of fairness, transparency and lawfulness in data processing is not only a legal requirement, but also a key factor in maintaining user trust. Companies should therefore regularly review their data processing operations and ensure that they meet the strict requirements of the GDPR to minimize legal risks and protect the rights of their users.
Source: Irish Data Protection Commission fines LinkedIn Ireland €310 million





