publishable_cy_2020-01_right_of_access_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 22 January 2020
LSA: CY
CSAs: DE-Berlin, DK, ES, FR, PL, UK
Controller: Royal Forex Limited (GMO Trading)
Legal Reference: Transparency (Article 12), Right of access (Article 15)

Decision: Infringement of the GDPR, Order to comply
Key words: Access request

Summary of the Decision

Origin of the case
The complainant requested to have access to any copy of letters, emails, telephone or text messages she and the controller exchanged. After having receiving no reply, she sent a reminder to the controller. As the controller did not acknowledge this reminder, she lodged a complaint to one ofthe CSAs.

Findings
The LSA found that the controller complied with the complainant’s access request only after a year since the request has been lodged. The controller’s failure to provide any information on the actions taken within the timeframe provided by the GDPR was due to the misplacement of the complainants’ file during the handover of open GDPR related enquiries. Moreover, the controller had to communicate with external advisors regarding the possible interference of the access request with third party data protection rights, thus delaying further any action.

Decision
The LSA found that the controller did not comply with its obligations under the GDPR and instructed it to adopt appropriate technical and organisational measures to comply with Article 12 GDPR and respond to all data subjects’ requests within the timeframe provided for by this Article.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2020-01_right_of_access_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cy_2019-11_right_of_access_and_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order

Background information
Date of final decision: 12 November 2019
LSA: CY
CSAs: DE-Lower Saxony, DE-Rhineland Palatinate, ES, FR, HU, NO
Controller: Marikit Holdings Ltd.
Legal Reference: Right to erasure (Article 17), Information to be provided to the data subject (Articles 13 and 14)

Decision: Compliance order
Key words: Right to erasure, Compliance with legal obligations, Data subject rights

Summary of the Decision
Origin of the case
The complainant alleged that after opening an account on the controller’s website to participate in a competition, he was not given the possibility to exercise his right to erasure and delete his account.
When the complainant contacted the controller to request the erasure of his account, the controller initially replied that deletion was not possible, proposing to block the account for one year instead.

Findings
In its initial reply to the LSA, the controller alleged that the data subject could not be identified as s/he did not provide the relevant email address. Subsequently, the controller informed the LSA that it would retain the data until it would be reasonably sure that such data would not need to be produced as supporting evidence before regulatory bodies, which could request data for a wide range of purposes. The erasure request was eventually granted after verification that deleting the complainant’s personal data would not lead to an infringement of other legal obligations.

In addition, the LSA found that the information provided to the data subjects in the privacy policy was
insufficient to facilitate the exercise of their rights.

Decision
Since the controller reacted to the erasure request within the timeframe provided in the GDPR and eventually granted it, the LSA found that no corrective measures should be imposed.

Nevertheless, the LSA ordered the controller to revise their privacy policy accordingly and to inform
the LSA of the revision.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-11_right_of_access_and_right_to_erasure_not_granted_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cy_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE-Hamburg
Controller: Seachefs Cruises Ltd
Legal Reference: Right to erasure (Article 17), Lawfulness of processing (Article 6)
Decision: No infringement of the GDPR
Key words: Right to erasure, Data retention, Legal claims, Compliance with a legal obligation

Summary of the Decision
Origin of the case
The complainant submitted an erasure request to the controller, who was his previous employer. The HR department of the controller replied that some of his data (e.g. his passport information, employment contract, salary information and dismissal records) were to be kept in order to comply with national law obligations and be able to exercise or defend legal claims. As a result, the complainant lodged a complaint requesting the deletion of all his data.

Findings
The LSA found that, pursuant to the applicable national social insurance and tax law, the controller was required to keep records of all expenses including salaries. In order to comply with this obligation, the controller was obliged to keep the complainant’s passport information, employment contract and salary information. Moreover, according to the national law on statute of limitations, the controller was allowed to keep the complainant’s dismissal records for a period of six years after the dismissal as the complainant could appeal the decision of the controller to the relevant court.

Decision
The LSA found no infringement of the GDPR made by the controller.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cy_2019-10_erasure_request_ignored_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE, DK, ES, FR, HU, IT, LT, SK, NO
Controller: Hostinger International Ltd
Legal Reference: Right of access (Article 15), Right to erasure (Article 17), Right to object (Article 21)

Decision: No infringement of the GDPR
Key words: Right to erasure, Right to object, Data subject request, Advertising and marketing purposes

Summary of the Decision
Origin of the case
Two complainants lodged complaints with two CSAs regarding the controller’s failure to comply with their requests. The first complainant demanded that his email and other account data would no longer be processed for advertising and marketing purposes. The second complainant aimed at exercising his right of access.

Findings
Through several investigations, the LSA found that the controller never received the data subject requests. However, following the interaction with the LSA, the controller fully complied with the complainants’ requests.

Decision
The LSA found that the controller ultimately complied with his obligations under the GDPR. No further action towards the controller was taken.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_erasure_request_ignored_summarypublic_0.pdf

Please see also EDPB Copyright page

publishable_cy_2019-10_article_21_and_15_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No ongoing infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE-Rhineland-Palatinate, DK, ES, FR, HU, IT, LT, PL, PT, SE, SK
Controller: Hostinger International Ltd
Legal Reference: Right of access (Article 15), Right to object (Article 21)

Decision: No ongoing infringement of the GDPR
Key words: Right of access, Right to object, Data subject request, Advertising and marketing purposes

Summary of the Decision

Origin of the case
Two complainants lodged complaints with two CSAs regarding the controller’s failure to comply with this requests. The first complainant demanded that his email and other account data would no longer be processed for advertising and marketing purposes. The second complainant aimed at exercising his right of access.

Findings
Through several investigations, the LSA found that the controller never received the data subject requests. However, following the interaction with the LSA, the controller fully complied with the complainants’ requests.

Decision
The LSA found that the controller ultimately complied with his obligations under the GDPR. No further action towards the controller was taken.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_article_21_and_15_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cy_2019-06_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 13 June 2019
LSA: CY
CSAs: AT, DE-Hessen, DK, ES, FR, NL, NO, SK, SE
Controller: IQ OPTION EUROPE LTD
Legal Reference: Right to Erasure (Article 17)
Decision: No violation
Key words: Right to erasure, e-commerce, Exercise of the rights of data subjects

Summary of the Decision
Origin of the case
The complainant alleged that he was denied erasure of his data due to his earlier consent to the general terms and conditions. The general terms and conditions, however, do not elaborate on the data subjects’ rights but only refer in a general manner to the GDPR.

Findings
After seeking information from the data controller, the LSA found that the controller was regulated by AML national legislation, which requires the retention of data for at least five years to ensure that regulators, companies, and customers have access to key business records regarding financial transactions.

Decision
No violation as the processing was lawful under the provision Art 17(1)(b) GDPR providing that “the processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-06_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_be_2019-01_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: Before 29 January 2019
LSA: BE
CSAs: DK, ES, NO
Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Compliance order to controller
Key words: Transparency, Compliance order

Summary of the Decision
Origin of the case
The complainant received an email on the update of the privacy policy of the controller. The complainant sent a mail to the controller requesting the erasure of the complainant’s data. The controller informed that it would need 60 more days to execute the request. By September 2018, the complainant hadn’t received any confirmation, despite the obligation to the controller in Art 12.3 GDPR.

Findings
The period in which the Controller has to inform the complainant on the action taken to exercise the right of erasure has expired. The SA stated that “it is obvious that the deadline has been exceeded at all levels”.

Decision
The SA has issued a Data subject rights compliance order to the controller on the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 29 January 2019
LSA: BE
CSAs: DE (Rhineland-Palatinate), FR
Legal Reference: Right of Access (Article 15), Right to erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subjects (Article 12)

Decision: Compliance order to controller
Key words: Data subject rights, Right of access, right to erasure, transparency

Summary of the Decision
Origin of the case
The complainant requested that the controller shall grant his right to access and following this, grant the right to erasure. The complainant did not receive any reply at all until the date of the complaint, despite the obligation provided in Article 12.3 GDPR, according to which the controller shall inform the data subject about the follow-up of the request within one month since the receipt thereof.

Findings
So far, the controller has not reacted to the initial request for the exercise of the right of access and the right to erasure.

Decision
The SA issued a data subject rights compliance order to the controller on the Right to Access and following this the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Please see also EDPB Copyright page

de_berlin_2019-08_righttoobjectandrighttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 12 September 2018
LSA: DE – Berlin
CSAs: AT, DE – Bavaria (priv), DE – Mecklenburg-Western Pomerania, DE – Saarland, DE – Hesse, DE – Lower Saxony, DK, ES, FR, SE

Controller: Just Fabulous GmbH
Legal Reference: Right to erasure (Art 17)

Decision: Reprimand to Controller
Key words: Right to Erasure, e-commerce, Data Subject Rights not respected, Reprimand

Summary of the DecisionRight to Erasure, e-commerce, Data Subject Rights not respected, Reprimand

Origin of the case
Complainant requested deletion of personal data to the controller on 11 January 2018 and received a confirmation of the deletion on 15 January 2018. Despite this, s/he received e-mails on the 1 June (“Updating our data protection guidelines”) and 16 June 2018 (“Your feedback is important to us”) from the controller.

Findings
The controller did not fulfil its obligation under Article 17 para. 1 letter a GDPR. Controller showed understanding and announced that it would comply with GDPR and put an end to the reprimanded conduct.

Decision
Considering the specific circumstances a reprimand was considered appropriate.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/de_berlin_2019-08_righttoobjectandrighttoerasure_summarypublic.pdf

Please see also EDPB Copyright page