Meta Dataset - November 2022

Year: 2022
Date: 25 November 2022
Section: Decisions made under Data Protection Act 2018
In the matter of the General Data Protection Regulation
Data Protection Commission Reference: IN-21-4-2
In the matter of Meta Platforms Ireland Ltd.
(Formerly Facebook Ireland Ltd.)
Decision of the Data Protection Commission made pursuant to Section 111 of the Data
Protection Act 2018 and Article 60 of the General Data Protection Regulation
Further to an own-volition inquiry commenced pursuant to Section 110 of the Data
Protection Act 2018
DECISION
Decision-Maker for the Data Protection Commission:
Helen Dixon
Commissioner for Data Protection
Dated the 25 November 2022
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
TABLE OF CONTENTS
A. INTRODUCTION
B. LEGAL FRAMEWORK FOR THE INQUIRY AND THE DECISION
B.1 LEGAL BASIS FOR THE INQUIRY
B.2 DATA CONTROLLER
B.3 LEGAL BASIS FOR THE DECISION
C. FACTUAL BACKGROUND
D. SCOPE OF THE INQUIRY
D.1 TEMPORAL SCOPE
D.2 MATERIAL SCOPE
E. ISSUES FOR DETERMINATION
F. APPLICATION OF THE GDPR
G. ASSESSMENT OF CERTAIN MATTERS CONCERNING ARTICLE 25 GDPR
G.1 NATURE OF PROCESSING
G.2 SCOPE OF PROCESSING
G.3 CONTEXT OF PROCESSING
G.4 PURPOSES OF PROCESSING
G.5 RISK
H. TECHNICAL AND ORGANISATIONAL MEASURES IMPLEMENTED BY MPIL
I. FINDING REGARDING ARTICLE 25(1) GDPR
J. FINDING REGARDING ARTICLE 25(2) GDPR
K. CORRECTIVE POWERS
L. ORDER TO BRING PROCESSING INTO COMPLIANCE
M. REPRIMAND
N. ADMINISTRATIVE FINES
N.1 ARTICLE 83(2)(A): THE NATURE, GRAVITY AND DURATION OF THE INFRINGEMENT TAKING INTO ACCOUNT THE NATURE SCOPE OR PURPOSE OF THE PROCESSING CONCERNED AS WELL AS THE NUMBER OF DATA SUBJECTS AFFECTED AND THE LEVEL OF DAMAGE SUFFERED BY THEM
The Nature of the Infringements
The Gravity of the Infringements
The Duration of the Infringements
N.2 ARTICLE 83(2)(B): THE INTENTIONAL OR NEGLIGENT CHARACTER OF THE INFRINGEMENT
N.3 ARTICLE 83(2)(C): ANY ACTION TAKEN BY THE CONTROLLER OR PROCESSOR TO MITIGATE THE DAMAGE SUFFERED BY DATA SUBJECTS
N.4 ARTICLE 83(2)(D): THE DEGREE OF RESPONSIBILITY OF THE CONTROLLER OR PROCESSOR TAKING INTO ACCOUNT TECHNICAL AND ORGANISATIONAL MEASURES IMPLEMENTED BY THEM PURSUANT TO ARTICLES 25 AND 32
N.5 ARTICLE 83(2)(E): ANY RELEVANT PREVIOUS INFRINGEMENTS BY THE CONTROLLER OR PROCESSOR
N.6 ARTICLE 83(2)(F): THE DEGREE OF COOPERATION WITH THE SUPERVISORY AUTHORITY, IN ORDER TO REMEDY THE INFRINGEMENT AND MITIGATE THE POSSIBLE ADVERSE EFFECTS OF THE INFRINGEMENT
N.7 ARTICLE 83(2)(G): THE CATEGORIES OF PERSONAL DATA AFFECTED BY THE INFRINGEMENT
N.8 ARTICLE 83(2)(H): THE MANNER IN WHICH THE INFRINGEMENT BECAME KNOWN TO THE SUPERVISORY AUTHORITY, IN PARTICULAR WHETHER, AND IF SO TO WHAT EXTENT, THE CONTROLLER OR PROCESSOR NOTIFIED THE INFRINGEMENT
N.9 ARTICLE 83(2)(I): WHERE MEASURES REFERRED TO IN ARTICLE 58(2) HAVE PREVIOUSLY BEEN ORDERED AGAINST THE CONTROLLER OR PROCESSOR CONCERNED WITH REGARD TO THE SAME SUBJECT-MATTER, COMPLIANCE WITH THOSE MEASURES
N.10 ARTICLE 83(2)(J): ADHERENCE TO APPROVED CODES OF CONDUCT PURSUANT TO ARTICLE 40 OR APPROVED CERTIFICATION MECHANISMS PURSUANT TO ARTICLE 42
N.11 ARTICLE 83(2)(K): ANY OTHER AGGRAVATING OR MITIGATING FACTOR APPLICABLE TO THE CIRCUMSTANCES OF THE CASE, SUCH AS FINANCIAL BENEFITS GAINED, OR LOSSES AVOIDED, DIRECTLY OR INDIRECTLY, FROM THE INFRINGEMENT
O. DECISIONS ON WHETHER TO IMPOSE ADMINISTRATIVE FINES
O.1 ARTICLE 83(3) & (4)
P. SUMMARY OF ENVISAGED ACTION
