SIA HH Invest's Investigation by Data State Inspectorate

HH Invest SIA, an online store, was fined by the Latvian DPA (Datu valsts inspekcija) for insufficiently informing a data subject about the processing of their data.

During a self-initiated assessment of the HH Invest SIA website, the Latvian DPA uncovered violations related to data subject control and the provision of information required by the GDPR. Specifically, the DPA found that HH Invest SIA had not provided its privacy policy to data subjects in a systematic and comprehensible way, as required by Article 13 of the GDPR. The right to receive information related to data processing is essential for data subject control over a company's use of personal data. Without access to this information, data subjects are unable to make informed decisions about a company's actions with their data.
The Data State Inspectorate, within the framework of its own initiative, assessed the content of HH Invest SIA's privacy policy and found that the information provided to data subjects was not presented in an easy-to-understand manner and was unsystematic. Some aspects of data processing, which are required to be explained to data subjects under Article 13 of the GDPR, were not adequately explained. This lack of clear and comprehensive information prevented data subjects from being fully informed about the processing of their personal data and from exercising their rights under the GDPR.
Overall, the Latvian DPA found that HH Invest SIA had violated Article 13 of the GDPR by failing to provide sufficient and clear information to data subjects regarding the processing of their personal data. The use of deceptive patterns such as hidden information prevented data subjects from fully understanding and controlling the processing of their personal data, in violation of the GDPR.