- Date of final decision: 7 July 2022
- Cross-border case or national case: National case
- Controller: TikTok Technology Ltd.
- Legal Reference: Access to and storage of information on users’ terminal equipment (Article 5(3) of directive 2002/58/EC; Section 122 of Italy’s legislative decree No 196/2003); controller’s legitimate interest (Article 6(1)(f) GDPR)
- Decision: Issuance of warning to controller that intended processing is likely to infringe national legislation transposing directive 2002/58/EC and Article 6(1)(f) GDPR;
- Key words: Personalised advertising; legal basis; legitimate interest; confidentiality of communications; user’s consent; warning to controller; Article 58(2)(a) GDPR; Section 154(1)(f) of Italian personal data protection law.
Summary of the Decision
Origin of the case:
Following the information made available by the company, the Italian SA concluded that the change in legal basis was incompatible with Article 5(3) of EU directive 2002/58 as well as with Section 122 of the Italian personal data protection law which transposed that directive. Both legal instruments set out explicitly that the data subjects’ consent is the only legal basis for ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’. The Italian SA was also concerned by the protection of child users registered with the platform since the difficulties encountered by TikTok in implementing adequate age verification measures to access the platform entailed the risk that ‘personalised’ ads including unsuitable contents would be served to children aged below 14 years based on the company’s legitimate interest.
The Italian SA issued a formal ‘warning’ to TikTok under Article 58(2)a GDPR and Section 154(1)(f) of Italy’s data protection law that processing data on the basis of its ‘legitimate interest’ would be in conflict with the current regulatory framework (Article 5(3) of directive 2002/58/EC and national law transposing it), at least with regard to the information stored in users’ devices, and would carry all the consequences envisaged in the applicable legislation on the protection of personal data including the imposition of fines. The Italian SA reserved its right to take additional measures, including urgent measures, if this proved necessary.
For further information: decision in national language
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.