publishable_mt_2019-07_rightoferasurearticle_17_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 4 March 2019
LSA: MT
CSAs: IE
Legal Reference: Right to erasure (Article 17)
Decision: No violation
Key words: Right to erasure, right of access request, exercise of the rights of the data subjects

Summary of the Decision

Origin of the case
The complainant made a right of access/erasure request to the controller. The controller asked the complainant to confirm her identity, but she failed to do so.
The controller erased the complainant’s personal data in accordance with its privacy policy, taking into consideration a still existing “Compromise Agreement” between the controller and the complainant. Concerning the right of access request, the only reason the information was not provided was the complainant’s failure to verify her identity with the controller. The complainant then contended that the controller did not accede to the right of access request.

Findings
The LSA assessed that the controller satisfied the complainant’s right of erasure request to the extent permissible by the applicable laws, including but not limited to, employment legislation.

The LSA found that the controller took all the necessary steps to handle the complainant’s right of access request. The only reason the information was not provided was the complainant’s failure to verify her identity with the controller (the email address she was using was not known to the controller).

Decision
The LSA decided that the controller did not infringe the provisions of the GDPR, and consequently dismissed the complaint.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-07_rightoferasurearticle_17_summarypublic.pdf

Please see also EDPB Copyright page

publishable_mt_2019-06_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance Order to Controller

Background information
Date of final decision: 7 June 2019

LSA: MT
CSAs: ES

Legal Reference: Right to erasure (Article 17)

Decision: Compliance order to controller

Key words: Right to erasure, Data subject rights, Accuracy

Summary of the Decision

Origin of the case
A Spanish data subject filed a complaint with the Spanish SA as she was receiving unsolicited phone calls even after having filed an erasure request and such erasure had been confirmed by the data controller.

Findings
The complainant’s phone number was fraudulently provided to the controller by one of its clients.
Since the controller was not aware of this, it tried to contact the client on that phone number. The complainant filed a right of erasure request. During a phone call, the controller erroneously informed the complainant of the need to submit a second erasure request to delete the number from another database held by the controller, whereas only one database existed. From the call logs provided by the controller it transpires that the complainant’s phone number was erased from the controller’s database immediately after the first erasure request. All the erasure requests from the complainant were followed by erasure confirmations sent by the controller. The controller couldn’t exclude the possibility that the complainant’s residence’s phone number was fraudulently provided by the same client to other entities/lenders as well, and that these entities/lenders may make use of it.

Decision
The LSA instructed the data controller to implement the appropriate technical and organisational measures to make sure that personal data are accurate and, where necessary, kept up to date, and that every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-06_righttoerasure_summarypublic.pdf


publishable_lv_2020-01_transparency_and_information_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 8 November 2019
LSA: LV
CSAs: All SAs

Legal Reference: Transparency (Article 12), Information (Articles 13 and 14)

Decision: Infringement of the GDPR, Fine

Key words: Transparency, Information, E-commerce, Identity of the controller

Summary of the Decision

Origin of the case
The complainant alleged that he did not receive information on the identity of the controller before submitting his order on the online retail platform. Moreover, the complainant contended that the privacy policy available on the website was not in conformity with the GDPR.

Findings
During its investigation, the LSA found that the controller was a Latvian company performing retail sales through several websites, including the one used by the complainant to order his goods.
After establishing the identity of the controller, the LSA found that the privacy policy on the website did not provide information on the identity of the controller, the legal basis of the data processing, its purposes and the way data subjects’ consent is collected.

Decision
The LSA found that the controller did not comply with its obligations under the GDPR and imposed a fine of 150,000 euros.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lv_2020-01_transparency_and_information_summarypublic.pdf


publishable_lv_2020-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order

Background information
Date of final decision: 3 December 2019
LSA: LV
CSAs: DE-Berlin, DE-Hesse, DE-Rhineland-Palatinate, DK, FR, IE, IT, PL, NO

Legal Reference: Lawfulness of processing (Article 6), Right to erasure (Article 17), Right to be informed (Article 15)

Decision: Infringement of the GDPR, Order to comply

Key words: Right to erasure, Right to be informed, Blacklisted email

Summary of the Decision

Origin of the case
The complainant alleged that their request for deletion of their personal data had not been complied with.

Findings
After an investigation, the LSA found that after accidentally signing up to the controller’s services, the complainant had contacted the controller to ask for the deletion of two accounts made in his name.
The controller responded the next day that this would not be possible. The controller also blacklisted the complainant’s email address, thereby blocking reception of its emails.

Decision
The LSA found that the controller did not have a legal basis to continue processing and storing the complainant’s personal data on a blacklist. An administrative act was issued by the LSA, ordering the controller to delete the complainant’s personal data from the blacklist or from any storage site or filing system by 20 December 2019.
In addition, the controller was ordered to assess the degree of risk to the rights and freedoms of natural persons, taking into account the nature, extent, context, purposes and technical and organizational measures taken to protect personal data and prevent their possible unlawful processing, and to provide a mechanism to prevent such situations from happening in the future. The controller was asked to inform the LSA of the execution of the order by 20 December 2019.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lv_2020-01_right_to_erasure_summarypublic.pdf


publishable_lu_2019-05_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019
LSA: LU
CSAs: AT, BE, CZ, DE – Mecklenburg-Western Pomerania, DE – Berlin, DE – Lower Saxony, DE – Bavaria (Private sector), DE – Saarland, DE – North Rhine-Westphalia, DK, FR, IT, NO, PL, SE, SI, SK

Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: No infringement of the right to erasure

Key words: Right to erasure, e-commerce, Exercise of the rights of data subjects

Summary of the Decision

Origin of the case
The complainant requested the erasure of his customer account on the controller’s website, and he asserted that the controller did not respond within a month following his request.

Findings
The controller demonstrated that it did not delete the account because the request was lodged via a different email address than the one associated with the customer account. For security reasons, the controller contacted the complainant and asked him to submit the request from the same e-mail address associated with the customer account or, if not possible, to change his login details. The complainant did not take any action and therefore, the controller could not authenticate him as the owner of the customer account.
After receiving the letter from the LSA, the controller contacted the complainant on the e-mail address associated with the customer account and offered to associate his other e-mail address with the customer account.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The CSA with which the complaint was lodged informed the LSA that the complainant was satisfied with the answer from the controller and that the cross-border complaint should be closed.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_right_to_erasure_not_granted_summarypublic.pdf


publishable_lu_2019-05_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019
LSA: LU
CSAs: AT, BE, CY, CZ, DE – Berlin, DE – Lower Saxony, DE – Rhineland-Palatinate, DE – Bavaria (Private sector), DE – Mecklenburg-Western Pomerania, DK, ES, FI, FR, IE, IT, PL, SE, SK, NO

Legal Reference: Right of access by the data subject (Article 15), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: No infringement

Key words: Right of access, exercise of the rights of the data subject, e-commerce

Summary of the Decision

Origin of the case
The complainant requested access to his personal data held by the controller because his national ID number, his address and his IP had been blocked by the controller’s platform and he was thus unable to use its services. He wanted to know the reason and thus requested access to his data.

Findings
The controller demonstrated that it had provided the complainant with access to the data concerning him and his seller account. The controller provided the relevant communication to the LSA and it also clarified that the blockage of the complainant’s information was due to a violation of the controller’s selling policies. The controller also explained that it had granted the complainant the right to appeal the blockage, but instead he tried to circumvent the decision by opening new seller accounts, which were blocked. However, the controller allowed him to create a customer account.

Decision
The LSA found that there had been no violation of the GDPR, since the controller had granted the complainant access to his data. The LSA and the CSA agreed to close the cross-border complaint, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_rightofaccess_summarypublic.pdf


publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019

LSA: LU
CSAs: CZ, DK, ES, FR

Legal Reference: Lawfulness of the processing (Article 6), principles relating to the processing of personal data (Article 5), Security of processing (Article 32)

Decision: No violation

Key words: Lawfulness of the processing, Third party access to personal data, Rights of data subjects, Security of processing, e-commerce

Summary of the Decision
Origin of the case
The complainant states that they received a telegram sent by a third party in which their full name and address were included, as well as an order number. The third party claimed that a parcel purchased by him on the controller’s website had been sent to the complainant. The complainant states that their personal data may have been provided by the controller to the third party, thus violating the complainant’s rights under the GDPR.

Findings
Following an inquiry by the LSA, the controller demonstrated that it was the courier who provided the complainant’s details to the third party. The controller did not find any account on its website containing the personal details of the complainant, and there was no further evidence that the controller provided the personal data of the complainant either to the third party or to the courier.
Therefore, it seems that the personal data relating to the complainant must have already been stored by the courier and were linked (by the courier) to the order made by the third party.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The data controller did not provide the third party with the complainant’s personal details and therefore the cross-border complaint should be closed, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic.pdf


publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019

LSA: LU
CSAs: ES, FR, CZ

Legal Reference: Lawfulness of the processing (Article 6), Principles relating to the processing of personal data (Article 5), Right of access (Article 15), Security of processing (Article 32)

Decision: No violation
Key words: Lawfulness of processing, Third party access to personal data, Rights of data subjects, Right of access, Security of processing, e-commerce

Summary of the Decision
Origin of the case
The complainant received a parcel from an unknown person who wanted to return an item purchased on the controller’s website. The complainant’s name and address had been indicated to this third party as the place to which the purchased parcel should be returned.

Findings
The third party was a customer of the controller who bought an item from a seller located in China, from which the complainant had also made a purchase. The personal data of the complainant had been disclosed to the third party by the seller. After conducting an internal inquiry, the controller took corrective measures against the seller and informed the complainant.

Decision
The LSA found that there had been no violation of the GDPR. The LSA and the CSA agreed to close the cross-border complaint, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic_0.pdf


publishable_lt_2019-05_allegedillegalpersonaldataprocessing_summarypublic.pdf

Summary Final Decision Art 60
Investigation

Imposition of a fine

Background information
Date of final decision: 16 May 2019

LSA: LT
CSAs: LV

Legal Reference: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Information to be provided where personal data have not been obtained from the data subject (Article 14), Responsibility of the controller (Article 24), Security of processing (Article 32), Notification of a personal data breach to the supervisory authority (Article 33), General conditions for imposing administrative fines (Article 83).

Decision: Imposition of fine

Key words: Data breach, unlawful processing, security of the processing

Summary of the Decision

Origin of the case
This case concerned the taking of screenshots by the data controller when a user made an online payment using its service. The user, however, was not notified about the screenshots being taken. The screenshots recorded personal data of the payer, such as their name and surname, numbers, recent transactions, loans, amounts, mortgages, etc. Moreover, the data controller had provided access to individuals that were not authorised for that purpose and did not report the relevant data breach.

Findings
Regarding the processing of personal data in screenshots: The LSA considered that the processing of the personal data by the controller went beyond what is necessary for the performance of the payment service, and that the data were stored for a longer period than necessary. The controller failed to demonstrate the need to collect such an amount of personal data. Thus, the processing violates the data minimisation and the storage limitation principles. Moreover, users are not informed of the processing. Therefore, the LSA considers the processing of personal data to be unlawful.

Regarding the publicity of the personal data: Due to a security breach, unauthorised individuals had access to the data concerned, since access could be gained on the controller’s website merely by using the ID of the transaction number. The LSA found that the controller failed to implement the appropriate technical or organisational measures to ensure data security.

Regarding the notification of the personal data breach: The data controller failed to notify the relevant data breach as required by Art. 33 of the GDPR and did not provide a sufficient explanation of that failure to notify.

Decision
The LSA decided to impose a fine of 61.500 € (2,5% of the controller’s total annual worldwide turnover).

Comments
This is the first fine issued by this SA under the OSS mechanism.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lt_2019-05_allegedillegalpersonaldataprocessing_summarypublic.pdf


publishable_li_2019-08rightofaccessnotgranted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance Order to Controller

Background information
Date of final decision: 27 August 2019

LSA: LI

CSAs: DE-Lower Saxony

Legal Reference: Principles relating to processing of personal data (Article 5), Right of access (Article 15)

Decision: Compliance order to controller

Key words: Right of access, Information to data subjects

Summary of the Decision

Origin of the case
The complainant alleged that the controller infringed Article 15 GDPR by providing him with incomplete information concerning the purposes of the processing, the storage period and the right to appeal to a supervisory authority.

Findings
Concerning the processing purpose, the LSA found that the information provided by the controller was incomplete. In fact, it stated that personal data were processed solely for the purpose of participating in a prize competition. However, personal data were also transferred to sponsors for marketing purposes. The controller should have included this additional purpose of the processing when providing information to the data subject.

Concerning the storage period, the LSA found that the information provided by the controller was also incomplete. In particular, there was no specification on the storage period or the criteria according to which the storage period would be determined.

Concerning the right of appeal to a supervisory authority, the LSA found that the controller was under no legal obligation to specify which supervisory authority was competent. Nonetheless, the controller was advised to do so in order to facilitate the exercise of data subjects’ rights.

Decision
The LSA found that the controller infringed Article 15 GDPR by not providing the complainant with correct and sufficient information regarding the purposes of the processing and the storage period of the data and therefore ordered compliance.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-08rightofaccessnotgranted_summarypublic.pdf
