publishable_uk_2019-12_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 17 December 2019

LSA: UK

CSAs: AT, DE-Berlin, DE-Saarland, DE-Bavaria (Private sector), DK, ES, IT, NO, SE, SK

Legal Reference: Lawfulness of the processing (Article 6), Right to erasure (Article 17)

Decision: No infringement of the GDPR

Key words: Right of erasure, Legal obligation, Anti-Money Laundering Directive

Summary of the Decision

Origin of the case
The complainant requested to have his personal data erased, but his request was rejected.

Findings
The LSA found that the controller replied to the complainant’s erasure request within a month. In his reply, the controller explained that, in light of his legal obligation under the fourth Anti-Money Laundering Directive, he was obliged to retain the complainant’s personal data for 5 years after the end of the business relationship.
However, the LSA found that the controller did not properly inform the complainant of his right to complain to the relevant supervisory authority and his right to seek a judicial review. In fact, the LSA considered that providing a link to the privacy policy containing the contact details of the relevant supervisory authority was not enough.

Decision
The LSA asked the controller to improve the information given to all data subjects by adding to the privacy policy relevant information on the data subjects’ rights to lodge a complaint with an SA or to seek judicial review.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-12_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-09_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement

Background information
Date of final decision: 11 September 2019

LSA: UK
CSAs: DE-Berlin

Legal Reference: Lawfulness of the processing (Article 6), Right to erasure (Article 17)

Decision: No infringement of the GDPR

Key words: Lawfulness of the processing, Right to erasure, Consumer protection, Anti-Money Laundering, Legal obligation

Summary of the Decision

Origin of the case
The complainant requested the deletion of her account on the controller’s website. Her request was not granted by the controller. The complainant filed a complaint with the CSA.

Findings
According to UK anti-money laundering legislation, the controller was required to retain customer information for a period of five years after the end of the business relationship. The LSA found that the complainant’s information had been retained in line with the controller’s legal obligations.

Decision
As the controller complied with its data protection obligations, the LSA took no further action towards it.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-09_right_to_erasure_summarypublic.pdf


publishable_uk_2019-08_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Failure to comply with the accuracy principle

Background information
Date of final decision: 3 August 2019

LSA: UK

CSAs: DK, FR, IT, SE

Legal Reference: Principles relating to processing of personal data (Article 5), Right to rectification (Article 16), Right to object (Article 21)

Decision: Failure to comply; no regulatory action.

Key words: Accuracy, e-commerce, individual rights

Summary of the Decision

Origin of the case
A French complainant contacted the controller three times between July and October 2018 asking for his phone number to be disassociated from another person’s account, as he had been receiving text message updates on orders he had never made.

Findings
Although the complainant’s phone number was eventually removed from the other user’s account, the UK SA found that the controller did not comply with its obligations under the GDPR as it did not take sufficient action to assure itself of the accuracy of the personal data it was processing. However, the UK SA recognised that the controller’s standard operating policies and procedures were not followed by the staff in this case and that the controller provided assurances that it reminded its staff of the importance of adhering to such policies.

Decision
The UK SA decided not to take any regulatory action on this complaint.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_right_to_object_summarypublic.pdf


publishable_uk_2019-08_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 7 August 2019

LSA: UK
CSAs: AT

Legal Reference: Right to erasure (Article 17)

Decision: Violation identified; No regulatory action.

Key words: Right to erasure, Marketing

Summary of the Decision

Origin of the case
The complainant stated that he asked the controller not to send him marketing emails, yet he continued to receive them.

Findings
The UK SA found that the controller did not comply with its data protection obligations.
The controller stated that the complainant sent his request to unsubscribe to a ‘no-reply’ email address, instead of using the ‘unsubscribe’ button. However, the email address was not clearly recognisable as a ‘no-reply’ email address.

Decision
The UK SA took note of the actions taken by the controller, including a change to its processes so that the email address from which marketing communications are sent is now monitored. No regulatory action was taken.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_right_to_erasure_not_granted_summarypublic.pdf


publishable_uk_2019-08_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Failure to comply with the accuracy principle

Background information
Date of final decision: 3 August 2019

LSA: UK

CSAs: DK, FR, IT, SE

Legal Reference: Principles relating to processing of personal data (Article 5), Right to rectification (Article 16), Right to object (Article 21)

Decision: Failure to comply; No regulatory action.

Key words: Accuracy, E-commerce, Individual rights

Summary of the Decision

Origin of the case
A French complainant contacted the controller three times between July and October 2018 asking for his phone number to be disassociated from another person’s account, as he had been receiving text message updates on orders he had never made.

Findings
Although the complainant’s phone number was eventually removed from the other user’s account, the UK SA found that the controller did not comply with its obligations under the GDPR as it did not take sufficient action to assure itself of the accuracy of the personal data it was processing. However, the UK SA recognised that the controller’s standard operating policies and procedures were not followed by the staff in this case and that the controller provided assurances that it reminded its staff of the importance of adhering to such policies.

Decision
The UK SA decided not to take any regulatory action on this complaint.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_rightofaccess_summarypublic.pdf


publishable_uk_2019-08_identity_check_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 3 August 2019

LSA: UK
CSAs: AT, BE, BG, CY, CZ, DE, DK, EL, ES, FI, FR, HR, HU, IE, IT, NO, PL, PT, SE

Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided (Articles 13-14), Right of access (Article 15)

Decision: No violation

Key words: Data subject rights, right of access

Summary of the Decision

Origin of the case
A French complainant asked the controller how to download all of his personal data, and the controller proceeded with the necessary identity verification checks.

Findings
Upon receipt of the identity verification, the controller escalated the request promptly and supplied the data subject with an encrypted file containing his personal data via email, and subsequently with the decryption password. The initial delay in dealing with the matter was due to the fact that the emails from the controller had been sent to the data subject’s spam folder.

Decision
The UK SA found that the controller complied with its obligations under the GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_identity_check_summarypublic.pdf


publishable_uk_2019-06_personaldatabreach_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 22 June 2019

LSA: UK
CSAs: IE

Legal Reference: Personal data breach (Articles 33 and 34)

Decision: No violation

Key words: Data Breach

Summary of the Decision

Origin of the case
A third party ordered products from the Living Social website. The cost of the products was mistakenly charged to the data subject. On discovery of the error, the third party was able to access the data subject’s personal data (name, email address etc.) from Living Social’s website.
The third party then contacted the data subject regarding what had happened. The Controller has refunded the data subject, but the data subject is not satisfied with their response as the Controller states that they do not believe a breach has occurred.

Findings
The LSA, after consulting with the controller, reached the conclusion that no breach had taken place since the controller only stores the last two digits of credit cards in its databases and uses payment tokens instead.

Decision
No violation.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-06_personaldatabreach_summarypublic.pdf


publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: MT
CSAs: DE-Berlin, NL, NO, SE
Legal Reference: Right to object (Article 21), Cooperation with the supervisory authority (Article 31)
Decision: Infringement of Article 21 and Article 31 GDPR
Key words: Right to object, Cooperation with the supervisory authority, Exercise of data subjects’ rights, Marketing communications

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the CSA alleging that the controller kept sending marketing communications to the complainant even though he had previously objected to the processing of his data for marketing purposes.

Findings
The preliminary investigation by the LSA was aimed at ensuring that the controller’s main establishment was in its country.
As an internal procedure, the controller accepted requests from data subjects only when they were made from the same email address the users had used to open their account.
Through its investigations, the LSA found that the controller could not find the first email sent by the complainant to object to the processing of his data for marketing purposes, even though this email was sent from the email address used by the user to open his account. The data controller admitted that there was a possibility that the email had not been received or had not been dealt with properly.

Following the receipt of further unsolicited marketing communications, the complainant objected several more times. These emails were sent from email addresses different from the one used to open his account. Even if the controller was thus not able to comply with the data subject’s request as he could not identify him, the controller decided to block the complainant’s account from receiving marketing communications. From the investigation it transpired that the controller did not have any internal procedures for the handling of data subjects’ requests.
In addition, the controller did not cooperate with the LSA, which had to wait months to receive the requested submissions.

Decision
The LSA found that the controller infringed Article 21 by not having adequate procedures put in place to deal with the complainant’s request to exercise his right to object. The controller also infringed Article 31 GDPR by not cooperating with the LSA. Consequently, the LSA imposed an administrative fine of 15,000 euros on the controller. A 2,000 euro administrative fine was also imposed on the controller for having breached several provisions of national law relating to unsolicited communications.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf


publishable_mt_2019-10_right_of_access_request_art_15_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 28 October 2019
LSA: MT
CSAs: PL
Legal Reference: Right of access (Article 15)
Decision: Infringement of Article 15 GDPR
Key words: Right of access, Data subjects’ rights, Data subject access request, Bank, Technical and organisational measures

Summary of the Decision

Origin of the case
The complainant filed a complaint with the CSA contending that the controller did not comply with her access request within the established 30-day period.

Findings
The LSA found that a letter and a file containing the copy of the complainant’s data were supposed to be sent to her on the day following the request. However, the email was erroneously categorised as “internal only”, which resulted in a failure to send such letter and file to the complainant.
Furthermore, the employee with access to the relevant mailbox left the company without ensuring that the complainant received a reply. Following the LSA’s investigation and the discovery of the mistake, the controller provided the complainant with a letter giving details about the processing of her data and the file containing the requested information.
Furthermore, the LSA requested the controller to submit details on the organizational and security measures implemented to avoid similar incidents in the future. To ensure an adequate follow-up of the access requests, the controller improved its back-up continuity procedure under which the back-up person would intervene if the main contact was not capable of complying with the client’s request.

Decision
The LSA found that the controller infringed Article 15 GDPR by not having adequate procedures in place to deal with subject access requests, thus depriving the complainant of the right to access her data within the established timeframe. As a result, and also in light of several mitigating circumstances, the controller received an administrative fine of 8,000 euros. The LSA also instructed the controller to implement the appropriate technical measures to enhance the organizational and security measures already put in place.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-10_right_of_access_request_art_15_summarypublic.pdf


publishable_mt_2019-08_article13_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 5 August 2019
LSA: MT
CSAs: DK, ES, FI, FR, LV, NO, SE
Legal Reference: Information to be provided where personal data are collected from the data subject (Article 13 GDPR)
Decision: No violation
Key words: Right to information, prior information, rights of data subjects

Summary of the Decision

Origin of the case
The complainant contended that her personal data were inserted in the insolvency register of a third party without having been provided the required information, in accordance with Article 13 GDPR, at the time her data were obtained.

Findings
The LSA found that all relevant information was provided to the complainant through the general Terms and Conditions of the loan contract, which she accepted before the loan was granted to her. Additionally, the information that her personal data would be inserted in the insolvency register was communicated to her through a ‘requirement of payment’ letter and warning emails and SMS texts.
The same information is also available on the controller’s website.

Decision
The LSA found that the complainant was adequately informed pursuant to Article 13 GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-08_article13_summarypublic.pdf
