Disclosure of behavioral profile information: the Polish cookie case

In October 2021, the Polish data protection authority, the Urząd Ochrony Danych Osobowych, published its first-ever cookie notice in a decision (reference number ZSPR.440.331.2019.PR PAM) following a complaint from a data subject. Previously, no decision or guidelines had been published on this subject. Thus, any decision on this issue is eagerly awaited in Poland.

The UODO stated that the use of cookies involved the processing of personal data and ordered the online media company Interia Group (the company’s name was disclosed in the Panoptykon Foundation article), which is one of the main players in the Polish internet media market – to duly explain to the data subject how cookies work on their website in the context of personal data, and in particular to describe how they are used to create a behavioral profile to marketing purposes. The reader who filed the complaint belongs to the Panoptykon Foundation, a Polish non-governmental organization focused on privacy issues. The complaint was filed in the broader context of illegal profiling practices on the Internet.

Although the decision has not been published publicly by the UODO, we have requested access to its contents on the basis of the Freedom of Information Act. It’s available here (Polish only).

The background

In mid-2018, the data subject visited the Interia website. His personal data has been stored automatically in cookies for the purposes of enabling website access, fraud prevention, analytics and marketing.

In July 2018, the complainant asked the company for a copy of her personal data and information on data processing (i.e. to fulfill the information obligation). In particular, she requested information about profiling and automated decision-making after noticing advertisements based on information supposedly collected by Interia. From the complainant’s perspective, the most important information she was looking for was the marketing categories (behavioral profile) assigned to her using cookies and other information about her combined with the processed data.

In response to his request, after confirming the identity of the data subject, receiving the statement that he did not interfere with cookies and obtaining the information that he did not use any ad blocking software, Interia sent various information regarding the processing. The response did not satisfy the complainant. Among other things, it did not include behavioral profile information and what was specifically done with his personal data. The complainant reiterated her request, but Interia’s second response also did not satisfy her as it did not provide a complete answer. Thus, in January 2019, the reader filed a complaint with the DPA arguing that Interia had not provided her with all the data requested.

DPA’s thoughts on the nature of a behavioral profile

After investigating the case from mid-2019 to October 2021 and defining the problem, the UODO pointed out in its final decision that a behavioral profile is created by using the reader’s online behavior to tailor advertisements to interests. detected. The UODO has explicitly stated that such collection of user information is “inextricably linked” to profiling, which aims to tailor relevant advertisements to a specific person based on inferences made about them.

The company did not fulfill its obligation

The UODO agrees with the complainant’s view that she did not receive a response that complied with the terms of the EU General Data Protection Regulation. The DPA found that “the absence of a uniform, transparent and reliable position of the company as to the content of the personal data processed, in particular which marketing categories (behavioral profile) have been assigned on the basis of cookies and with what other information relating to a specific person, the information resulting from these cookies has been combined, creates (…) uncertainty. The UODO referred to the judgment of the Court of Justice of the European Union in the case C-673/17, according to which the information must be clear, understandable and sufficiently precise to allow the functions of cookies to be understood.

In particular, the UODO considered that it was the company’s obligation to provide information on the marketing categories (behavioral profile) assigned to the complainant through cookies and what other data was combined with this information. .

Conflicting testimonies

The UODO noted that Interia had explained during the procedure that it processes personal data in order to adapt the display of online advertisements. This is inconsistent with his assertions that, at the same time, the cookies provided by the data subject (which he sent to prove processing by Interia) do not indicate that Interia is carrying out targeting activities with regard to of the complainant. Interia appeared not to understand the details of the processing carried out via the website and ultimately took the position that it had not created a behavioral profile of the reader or qualified her for any segment, despite indicating otherwise. in its policy and in its responses to the complainant. and DPA.

The UODO saw a contradiction in Interia’s statements. According to the DPA, the company’s explanations that personal data is used to create a behavioral profile in order to personalize advertisements obliges Interia to acknowledge that the processing of personal data alleged by the complainant exists, but Interia simply cannot not “identify it unambiguously” (in other words, Interia itself has trouble reconstructing the process and compiling information consistently). However, this does not exempt him from the obligation to inform.

What information to provide and what it should clarify

Interia was therefore obliged to provide the complainant with information regarding the marketing categories (behavioral profile) assigned to it using the collected cookies. It was also required to provide what other information about it was combined with the information resulting from these cookies.

The UODO also outlined the standards that Interia’s explanation must meet: the information must accurately describe the behavioral profile created by Interia based on the data subject’s online activity, specifically indicating marketing categories assigned to it based on cookies.

In addition, the UODO stated that if Interia does not process personal data for the purpose of creating a behavioral profile, it must clearly inform the complainant. It should also outline how the complainant’s personal data – collected in the form of identifiers stored in cookie technology – is processed in this case and what the processing of personal data for online advertising consists of.

What about cookies from other companies?

The UODO also noted that on the Interia website, other organizations have included their scripts in the website code. Since Interia allowed this to happen, it should highlight the possibility of behavioral profiles being created by these entities. In other words, if the company has allowed the publication of scripts that can be used to create behavioral profiles by other entities, it should explain to those affected how this process works.


Data controllers must explain precisely and clearly each problem regarding technological matters. At the same time, according to the UODO, the creation of a behavioral profile of an Internet user by collecting information about him inextricably involves the processing of personal data. The UODO decision confirmed that information about “marketing categories” assigned based on cookies, as well as information combined with data resulting from cookies, generally constitutes personal data and is subject to disclosure under the 15 GDPR. This view is consistent with the approach presented by other DPAs in Europe.

Photo by Clem Onojeghuo on Unsplash

Comments are closed.