publishable_cy_2019-10_article_21_and_15_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No ongoing infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE-Rhineland-Palatinate, DK, ES, FR, HU, IT, LT, PL, PT, SE, SK
Controller: Hostinger International Ltd
Legal Reference: Right of access (Article 15), Right to object (Article 21)

Decision: No ongoing infringement of the GDPR
Key words: Right of access, Right to object, Data subject request, Advertising and marketing purposes

Summary of the Decision

Origin of the case
Two complainants lodged complaints with two CSAs regarding the controller’s failure to comply with this requests. The first complainant demanded that his email and other account data would no longer be processed for advertising and marketing purposes. The second complainant aimed at exercising his right of access.

Findings
Through several investigations, the LSA found that the controller never received the data subject requests. However, following the interaction with the LSA, the controller fully complied with the complainants’ requests.

Decision
The LSA found that the controller ultimately complied with his obligations under the GDPR. No further action towards the controller was taken.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_article_21_and_15_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cy_2019-06_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 13 June 2019
LSA: CY
CSAs: AT, DE-Hessen, DK, ES, FR, NL, NO, SK, SE
Controller: IQ OPTION EUROPE LTD
Legal Reference: Right to Erasure (Article 17)
Decision: No violation
Key words: Right to erasure, e-commerce, Exercise of the rights of data subjects

Summary of the Decision
Origin of the case
The complainant alleged that he was denied erasure of his data due to his earlier consent to the general terms and conditions. The general terms and conditions, however, do not elaborate on the data subjects’ rights but only refer in a general manner to the GDPR.

Findings
After seeking information from the data controller, the LSA found that the controller was regulated by AML national legislation, which requires the retention of data for at least five years to ensure that regulators, companies, and customers have access to key business records regarding financial transactions.

Decision
No violation as the processing was lawful under the provision Art 17(1)(b) GDPR providing that “the processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-06_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_be_2019-01_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: Before 29 January 2019
LSA: BE
CSAs: DK, ES, NO
Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Compliance order to controller
Key words: Transparency, Compliance order

Summary of the Decision
Origin of the case
The complainant received an email on the update of the privacy policy of the controller. The complainant sent a mail to the controller requesting the erasure of the complainant’s data. The controller informed that it would need 60 more days to execute the request. By September 2018, the complainant hadn’t received any confirmation, despite the obligation to the controller in Art 12.3 GDPR.

Findings
The period in which the Controller has to inform the complainant on the action taken to exercise the right of erasure has expired. The SA stated that “it is obvious that the deadline has been exceeded at all levels”.

Decision
The SA has issued a Data subject rights compliance order to the controller on the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 29 January 2019
LSA: BE
CSAs: DE (Rhineland-Palatinate), FR
Legal Reference: Right of Access (Article 15), Right to erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subjects (Article 12)

Decision: Compliance order to controller
Key words: Data subject rights, Right of access, right to erasure, transparency

Summary of the Decision
Origin of the case
The complainant requested that the controller shall grant his right to access and following this, grant the right to erasure. The complainant did not receive any reply at all until the date of the complaint, despite the obligation provided in Article 12.3 GDPR, according to which the controller shall inform the data subject about the follow-up of the request within one month since the receipt thereof.

Findings
So far, the controller has not reacted to the initial request for the exercise of the right of access and the right to erasure.

Decision
The SA issued a data subject rights compliance order to the controller on the Right to Access and following this the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Please see also EDPB Copyright page

de_berlin_2019-08_righttoobjectandrighttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 12 September 2018
LSA: DE – Berlin
CSAs: AT, DE – Bavaria (priv), DE – Mecklenburg-Western Pomerania, DE – Saarland, DE – Hesse, DE – Lower Saxony, DK, ES, FR, SE

Controller: Just Fabulous GmbH
Legal Reference: Right to erasure (Art 17)

Decision: Reprimand to Controller
Key words: Right to Erasure, e-commerce, Data Subject Rights not respected, Reprimand

Summary of the DecisionRight to Erasure, e-commerce, Data Subject Rights not respected, Reprimand

Origin of the case
Complainant requested deletion of personal data to the controller on 11 January 2018 and received a confirmation of the deletion on 15 January 2018. Despite this, s/he received e-mails on the 1 June (“Updating our data protection guidelines”) and 16 June 2018 (“Your feedback is important to us”) from the controller.

Findings
The controller did not fulfil its obligation under Article 17 para. 1 letter a GDPR. Controller showed understanding and announced that it would comply with GDPR and put an end to the reprimanded conduct.

Decision
Considering the specific circumstances a reprimand was considered appropriate.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/de_berlin_2019-08_righttoobjectandrighttoerasure_summarypublic.pdf

Please see also EDPB Copyright page