Czech DPA imposed fine of 351 million CZK for GDPR infringement

Avast processes personal data of the users of its antivirus software when it provides services of this software. It transferred a part of these data, which related to roughly 100 million of its users, to Jumpshot INC. during the period under review in 2019, especially pseudonymized internet browsing history tied to a unique identifier. Jumpshot presented itself as a company that, among other things, granted data access to “marketers” who were provided with “insights into online consumer behaviour” and offered following of “user journeys at the atomic level”.

The users were erroneously informed about transfer of anonymous data for the purpose of trend analytics by Avast. Although Avast stated that it used robust anonymisation techniques, it was proved that data transferred from individual antivirus software installations were not anonymised, since reidentification of at least a part of the data subjects based on the transferred data could occur. Furthermore, the purpose of processing these data was not (merely) to create statistical analyses as Avast claimed.

"The Office put an emphasis in the decision on the fact that Avast is one of foremost experts on cybersecurity that offers tools for data and privacy protection to the public. Its customers could not have expected that this company in particular would transfer their personal data. That is, data based on which not only an identity of someone can be discovered but also their interests, personal preferences, residence, wealth, profession, and other data concerning their privacy,” 

stated about the decision President of the Czech Office for Personal Data Protection Jiří Kaucký.

Due to the fact that this was a case of cross-border processing of personal data of clients across the whole European Union, the case was handled together with other concerned EU supervisory authorities within cooperation mechanism (One Stop Shop).