IAB Europe has been Fined by the Belgian DPA because of not Complying with GDPR

The Belgian Data Protection Authority (“BE DPA”) has published a press release on its website that the Transparency and Consent Framework ("TCF"), developed by IAB Europe, fails to comply with a number of provisions of the GDPR.

The TCF is a widespread mechanism that facilitates the management of users’ preferences for online personalised advertising, and that plays a pivotal role in the so-called Real-Time Bidding ("RTB").

The BE DPA identified a series of GDPR infringements by IAB Europe:

  • Lawfulness: IAB Europe failed to establish a legal basis for the processing of the TC String, and the legal grounds offered by the TCF for the subsequent processing by adtech vendors are inadequate;
  • Transparency and information of the users : the information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. Therefore it is difficult for users to maintain control over their personal data;
  • Accountability, security and data protection by design/by default : In the absence of organisational and technical measures in accordance with the principle of data protection by design and by default, including to ensure the effective exercise of data subject rights as well as to monitor the validity and integrity of the users’ choices, the conformity of the TCF with the GDPR is not adequately warranted nor demonstrated;
  • Other obligations pertaining to a controller processing personal data on a large-scale: IAB Europe has failed to keep a register of processing activities, to appoint a DPO and to conduct a “DPIA” (data protection impact assessment).

The BE DPA imposed a €250.000 fine to the company, and gives IAB Europe two months to present an action plan to bring its activities into compliance.

You can reach the full text of the press release here.

Kind regards,

Zumbul Attorneys at Law

info@zumbul.av.tr