publishable_fr_2019-08_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 26 August 2019
LSA: FR
CSAs: AT, BE, DE-Rhineland-Palatinate, DE-Saxony-Anhalt, DE-North Rhine-Westphalia, NL, UK
Legal Reference: Right of access (Article 15); Right to erasure (Article 17); Right to object (Article 21)

Decision: No violation of the GDPR
Key words: Right to object, right to access, direct marketing

Summary of the Decision

Origin of the case
The complainant alleged that the controller had not taken his objection to direct marketing into account and that his request to access his personal data had not been granted.

Findings
The LSA found that both requests had been granted. The complainant’s email address had been erased from the controller’s marketing tools and an unsubscribe confirmation message had been sent.

Decision
No violation of the GDPR was found.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-08_right_to_object_summarypublic.pdf

Please see also EDPB Copyright page

publishable_fr_2019-08_lawfulness_of_the_processing_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 9 August 2019
LSA: FR
CSAs: ES, IT
Legal Reference: Lawfulness of the processing (Article 6 GDPR)

Decision: No violation
Key words: lawfulness of the processing, right to object, spam emails, unsolicited communication, rights of the data subject

Summary of the Decision

Origin of the case
The complainant alleged he faced difficulties when he tried to exercise his right to object to unsolicited marketing emails.

Findings
The LSA found that the complainant had consented to receiving marketing emails and that the controller removed the complainant’s data from their database, following the request. The controller’s reaction to the request was delayed, due to an internal dysfunction, which has since been resolved.

Decision
The LSA found no infringement.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-08_lawfulness_of_the_processing_summarypublic_0.pdf

publishable_fr_2019-06_art_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 17 June 2019
LSA: FR
CSAs: BE, ES, LU, DE-Lower Saxony, DE-Rhineland-Palatinate, DE-Berlin, IT
Legal Reference: Security of processing (Article 32)

Decision: No violation of art. 32 GDPR and recommendation on the adoption of technical measures
Key words: Consumers, e-commerce, security of data

Summary of the Decision

Origin of the case
This case concerned a complaint lodged by a data subject regarding the fact that the username and password for access to a website operated by the controller were given to him via a plain text email.

Findings
After correspondence with the controller, the LSA concluded that the controller did not communicate plaintext passwords to its users or store them in its databases. However, the LSA found that, despite its assertions to the contrary, the controller did not operate a captcha system and only operated an access temporization system of 1 second.

Decision
The LSA closed the case regarding the complaint and recommended that the controller introduce a captcha system, increase access temporization to 1 minute after 5 failed attempts, and introduce a limit of 25 attempts within 24 hours.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-06_art_32_summarypublic.pdf

publishable_fr_2019-03_transparency_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 20 March 2019
LSA: FR
CSAs: AT, DE – Rhineland-Palatinate, DE – North-Westphalia, DE – Lower Saxony, DE – Saarland, DE – Mecklenburg-Western Pomerania, DE – Bavaria
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Information to be provided where personal data have not been obtained from the data subject (Article 14)

Decision: No violation
Key words: Transparency, Privacy statement, Consent

Summary of the Decision

Origin of the case
The complaint concerned the information delivered to individuals visiting the controller’s websites as well as the conditions for processing personal data for the purposes of direct marketing. It was alleged that the controller collects data for advertising purposes without having a privacy statement on its websites.

Findings
Following examination of the complaint, a series of exchanges between LSA services and the marketing service of the controller took place. The controller updated the information delivered to individuals visiting its websites, in accordance with Articles 13 and 14 of the GDPR, by the publication of a document entitled ‘General Data Protection Regulation (GDPR)’. The LSA noted the controller’s commitment to pursuing a consent campaign for the collection and the use of personal data for the purposes of direct marketing from data subjects, prior to sending newsletters.

Lastly, it was observed that the controller undertakes measures to ensure that every data subject has ‘the possibility to unsubscribe easily and for free’.

Decision
After having observed that the controller responded appropriately and demonstrated compliance with the GDPR, the LSA together with the CSAs agreed to proceed to the closure of the complaint.

Comments
Submitted by a citizen, but not a formal complaint (Art. 77 GDPR)


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-03_transparency_summarypublic_0.pdf

publishable_fr_2019-03_lawfulness_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 22 March 2019
LSA: FR
CSAs: AT, BE, DE-Berlin, DE-Mecklenburg-Western Pomerania, DE-Bavaria (private sector), DE-Lower Saxony
Legal Reference: Right to object (Article 21), Principles relating to processing of personal data (Article 5), Lawfulness of the processing (Article 6), Conditions for consent (Article 7)

Decision: No violation
Key words: Rights of data subjects, Right to object, Lawfulness of processing, e-Commerce, Marketing

Summary of the Decision

Origin of the case
The data subject filed a complaint after facing difficulties in pursuing his right to object and in relation to the information required on the product order form.

Findings
The LSA found that the delay in complying with the right to object was due to the 72 hours required to process the relevant request, of which the data subject was informed. Besides, the request was submitted on a Saturday and Monday was a holiday. The data controller also took measures to clarify the e-mail address to which such requests can be submitted, and it also set up a dedicated email address to handle such requests more efficiently. In addition, the data controller no longer requires the date of birth to be provided for an order to be placed. Moreover, the consent to receive promotional offers from the controller and third parties must be explicitly given by checking the respective boxes when ordering a product.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The data controller did not delay complying with the request beyond what was reasonable and adjusted the information required to avoid collecting more data than necessary.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-03_lawfulness_summarypublic.pdf

publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 18 January 2019
LSA: FR
CSAs: AT, BE, BG, CZ, DE – Bavaria (priv), DE – Lower Saxony, DE – Rhineland Palatinate, DE – Saarland, DE – Thuringia, EE, EL, ES, HR, HU, IE, IT, LT, LU, LV, NO, PL, RO, SE, SK, SI, UK
Legal Reference: Transparency and information and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Reprimand to controller
Key words: Right to Erasure, Data Subject Rights not respected, proportionality for proof of identity, Reprimand

Summary of the Decision

Origin of the case
The complainant states that the right to erasure has been refused by the controller. The controller requested a scan of the ID and a specimen of the signature of the data subject. The complainant argues that neither of the two was required upon the creation of the account.

Findings
By the time of the decision, the controller had already granted the right to erasure to the complainant without the complainant needing to provide further proof of identity.

However:
1. the Controller systematically requested individuals to provide a copy of an identity document for exercising their rights, regardless of their country of residence, without providing a basis for reasonable doubts as to the identity of the complainant according to Art 12.6 GDPR. “The level of verification to be carried out is depending on the nature of the request, sensibility of the communicated information and the context within which the request is being made.”
Thus, the controller required disproportionate information for the purpose of verifying the identity of the data subject.
The SA stated for “illustrative purposes, it is disproportionate to require a copy of an identity document in the event where the claimant made his request within an area where he is already authenticated. An identity document can be requested if there is a suspicion of identity theft or of account piracy for instance.”

2. A controller may only store information needed for the exercise of individuals’ rights until “the end of legal limitation applicable periods.” During this period, “the data have to be subject to an “intermediary” archiving on a support separate from the active base with a restricted access to authorized persons.”

The LSA references https://www.cnil.fr/fr/limiter-la-conservation-des-donnees.

The SA highlights under “Finally” that it acknowledges that the new data protection rules applicable are leading to “significant adaptations inside the” controller, “concerning the exercise of data subjects’ rights.”

Decision
The SA reprimands “the controller for lack of compliance with the law” on the points above.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

publishable_dk_2020-02_security_of_processing_article_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Dismissal of the case

Background information
Date of final decision: 5 February 2020

LSA: DK
CSAs: DE-Schleswig-Holstein, FR, SE

Controller: Garnio ApS/Hobbii Aps (Garnio ApS changed its name on 8 April 2019).

Legal Reference: Right of access by the data subject (Article 15), Security of processing (Article 32), Personal data breach (Articles 33 and 34), and Tasks of the Data Protection Officer (Article 39).

Decision: Dismissal of the case

Key words: Data breach, security

Summary of the Decision

Origin of the case
The complainant requested access to his data processed by the controller. As a result of this request, the controller provided the personal data of another individual. The complainant contacted the controller again about the breach but the controller did not reply to the inquiry.

Findings
The LSA found that the data subject in this case was not entitled to complain, as the processing of personal data did not relate to that individual.

Decision
The LSA took notice of the security issue and the personal data breach that occurred. This will be taken into consideration during the planning of audits.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_dk_2020-02_security_of_processing_article_32_summarypublic.pdf

publishable_dk_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR

Background information
Date of final decision: 25 October 2019
LSA: DK
CSAs: AT, BE, CY, DE, ES, FI, FR, HU, IT, LU, NL, NO, SE, SK, UK
Controller: PANDORA A/S
Legal Reference: Principles relating to processing of personal data (Article 5), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR and a reprimand to the controller.
Key words: Right to erasure, Data subjects’ rights, Transparency

Summary of the Decision

Origin of the case
The complainant requested to have his personal data deleted from the controller’s database. The controller replied that, before processing his erasure request, a proof of identification was necessary to confirm his identity. As the complainant refused to comply with the controller’s demand, his data were not deleted.

Findings
The LSA found that the controller’s procedure under which ID validation was required without exception when processing a data subject’s request was not in conformity with Article 12(6) and Article 5(1)(c) GDPR. The LSA also found that, under the controller’s procedure, data subjects had to provide more information than initially collected in order to have their request processed.
Consequently, the controller’s procedure for ID validation went beyond what was required and made it burdensome for data subjects to exercise their rights.

Decision
The LSA criticized that the processing by the controller had not been done in accordance with Article 12(6) and Article 5(1)(c) GDPR. It ordered the controller to decide within two weeks whether the conditions for erasure present in Article 17 GDPR were met and, if so, delete the complainant’s data.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_dk_2019-10_right_to_erasure_summarypublic.pdf

publishable_de_saarland_2019-05_deletionofaccount_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Closure of proceedings

Background information
Date of final decision: 7 March 2019
LSA: DE – Saarland
CSAs: DK, FR, NO, SE
Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Closure of proceedings
Key words: Right to erasure, Exercise of the rights of data subjects

Summary of the Decision

Origin of the case
The complainant sent two emails to the controller requesting the deletion of this account on the controller’s website and servers. The controller did not answer the request.

Findings
The data controller acknowledged that it had failed to delete the complainant’s data, and proved that, following the inquiry sent by the LSA, the account was deleted. The controller also demonstrated that it had adopted appropriate organisational measures to ensure compliance with erasure requests in the future.

Decision
The LSA decided to not take further measures since the controller had acted promptly and had taken the appropriate measures to ensure the effectiveness of future requests related to the GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_saarland_2019-05_deletionofaccount_summarypublic.pdf

publishable_de_north_rhine_west2018-12_lawfulnessoftreatment_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 21 December 2018
LSA: DE – North Rhine-Westphalia
CSAs: DE – Rhineland-Palatinate, DE – Mecklenburg-Western Pomerania, DE – Bavaria (priv), DE – Lower Saxony, DE – Saarland, ES
Legal Reference: Lawfulness of the processing (Article 6)

Decision: No violation
Key words: Direct Marketing, Legitimate interest, publicly available data

Summary of the Decision

Origin of the case
The complainant states that they received a postal advertisement and tried to exercise their right of access and right to erasure. The contacted branch stated that the letter was not sent to the correct recipient, as they do not manage personal data. The correct establishment is in Germany. The complainant contacted their local SA as they deem that the controller is wrongfully processing their personal data, which is stored in a publicly accessible register.

Findings
According to recital 47 and Art 6.1.f GDPR, the legitimate interest of the controller or of a third party may be used as a legal basis, including when the processing is carried out for marketing purposes. The LSA argues that the data subject did not present any prevailing fundamental rights and freedoms, and that no prevailing rights and freedoms are apparent, as the data is already publicly accessible. As such, the aforementioned legal basis “can be considered as an allowing legal basis.”

The original request of access and to erasure were filed before the 25 May 2018. Articles 13 and 14 GDPR were thus not yet applicable. However, under the GDPR the data subjects are to be informed from which source the personal data originate. The enterprise should be informed about this for future advertising mails”.

Decision
The LSA deems this not to be an infringement. The processing of publicly available personal data for direct marketing purposes may constitute lawful processing according to Art 6.1.f GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_north_rhine_west2018-12_lawfulnessoftreatment_summarypublic.pdf