publishable_fr_2019-10_right_to_erasure_ignored_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 23 September 2019
LSA: FR
CSAs: DE-Mecklenburg-Western Pomerania, DE-Rhineland-Palatinate, ES
Legal Reference: Right to erasure (Article 17)

Decision: No infringement of the GDPR
Key words: Right to erasure, Electronic communications, Payment data

Summary of the Decision

Origin of the case
The complainant asked for the deletion of his user account on the Spanish version of the controller’s website. In its reply, the controller stated that it was required to keep some of his data. However, it informed the complainant of the date on which all of his data would be entirely deleted.

Findings
The LSA found that, pursuant to national law, the controller was required to retain the complainant’s payment data in an intermediate archive upon the deletion of his user account in order to manage claims and disputes related to a payment made on its platform. In consequence, the controller acted in accordance with Article 17 (3) GDPR when it kept some of the complainant’s data.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-10_right_to_erasure_ignored_summarypublic.pdf

Please see also EDPB Copyright page

publishable_fr_2019-09_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 29 August 2019
LSA: FR
CSAs: BE
Legal Reference: Right to erasure (Article 17), Right to object (Article 21)

Decision: No violation
Key words: Right to erasure, Right to object, Anonymisation

Summary of the Decision

Origin of the case
In a complaint filed with the CSA, the complainant alleged that personal data in her email correspondence with the controller was published on the controller’s website without her consent.

Findings
After communicating with the LSA, the controller took action to anonymise the complainant’s first and last names from the correspondence.

Decision
The LSA invited the controller to anonymise the copies of all the letters published on its website.

No further action towards the controller was taken.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-09_right_to_erasure_summarypublic.pdf

publishable_fr_2019-08_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 26 August 2019
LSA: FR
CSAs: AT, BE, DE-Rhineland-Palatinate, DE-Saxony-Anhalt, DE-North Rhine-Westphalia, NL, UK
Legal Reference: Right of access (Article 15); Right to erasure (Article 17); Right to object (Article 21)

Decision: No violation of the GDPR
Key words: Right to object, right to access, direct marketing

Summary of the Decision

Origin of the case
The complainant alleged that the controller had not taken his objection to direct marketing into account and that his request to access his personal data had not been granted.

Findings
The LSA found that both requests had been granted. The complainant’s email address had been erased from the controller’s marketing tools and an unsubscribe confirmation message had been sent.

Decision
No violation of the GDPR was found.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-08_right_to_object_summarypublic.pdf

publishable_fr_2019-08_lawfulness_of_the_processing_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 9 August 2019
LSA: FR
CSAs: ES, IT
Legal Reference: Lawfulness of the processing (Article 6 GDPR)

Decision: No violation
Key words: lawfulness of the processing, right to object, spam emails, unsolicited communication, rights of the data subject

Summary of the Decision

Origin of the case
The complainant alleged he faced difficulties when he tried to exercise his right to object to unsolicited marketing emails.

Findings
The LSA found that the complainant had consented to receiving marketing emails and that the controller removed the complainant’s data from their database, following the request. The controller’s reaction to the request was delayed, due to an internal dysfunction, which has since been resolved.

Decision
The LSA found no infringement.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-08_lawfulness_of_the_processing_summarypublic_0.pdf

publishable_fr_2019-06_art_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 17 June 2019
LSA: FR
CSAs: BE, ES, LU, DE-Lower Saxony, DE-Rhineland-Palatinate, DE-Berlin, IT
Legal Reference: Security of processing (Article 32)

Decision: No violation of art. 32 GDPR and recommendation on the adoption of technical measures
Key words: Consumers, e-commerce, security of data

Summary of the Decision

Origin of the case
This case concerned a complaint lodged by a data subject regarding the fact that the username and password for access to a website operated by the controller were given to him via a plain text email.

Findings
After correspondence with the controller, the LSA concluded that the controller neither communicated plaintext passwords to its users nor stored them in its databases. However, the LSA found that, despite its assertions to the contrary, the controller did not operate a captcha system and only operated an access temporization system of 1 second.

Decision
The LSA closed the case regarding the complaint and recommended that the controller introduce a captcha system, enhance access temporization to 1 minute after 5 failed attempts, and introduce a limit of 25 attempts within 24 hours.
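
The recommended thresholds (1 minute after 5 failed attempts, 25 attempts within 24 hours) can be expressed as a login throttle. The following is an added example, not part of the decision or the controller's system; the per-account keying, the rolling 24-hour window, the reset of the failure streak on success and all names are assumptions, and the captcha is not covered.

```python
from collections import deque

LOCK_AFTER_FAILURES = 5      # consecutive failures before the delay applies
LOCK_SECONDS = 60            # "1 minute" access temporization
DAILY_LIMIT = 25             # attempts allowed per window
WINDOW_SECONDS = 24 * 3600   # "within 24 hours", assumed to be a rolling window


class LoginThrottle:
    """Per-account throttle; keying by account is an assumption of this sketch."""

    def __init__(self):
        self._attempts = {}      # account -> deque of attempt timestamps
        self._fail_streak = {}   # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time the lock expires

    def check(self, account, now):
        """Decide whether an attempt may proceed; record it if so."""
        window = self._attempts.setdefault(account, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()                      # drop attempts older than 24 h
        if now < self._locked_until.get(account, 0):
            return "locked"
        if len(window) >= DAILY_LIMIT:
            return "daily_limit"
        window.append(now)
        return "ok"

    def record_result(self, account, success, now):
        """Update the failure streak after the credentials were verified."""
        if success:
            self._fail_streak[account] = 0        # assumption: success resets the streak
            return
        streak = self._fail_streak.get(account, 0) + 1
        self._fail_streak[account] = streak
        if streak >= LOCK_AFTER_FAILURES:
            self._locked_until[account] = now + LOCK_SECONDS


def replay(events):
    """Replay (timestamp, account, password_ok) tuples and return each decision."""
    throttle = LoginThrottle()
    decisions = []
    for now, account, password_ok in events:
        decision = throttle.check(account, now)
        if decision == "ok":
            throttle.record_result(account, password_ok, now)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample: five failures, then retries during and after the lock.
    sample = [(t, "alice", False) for t in range(5)] + [(5, "alice", True), (64, "alice", True)]
    print(replay(sample))
```

Attempts refused while locked or over the daily limit are not counted against the 25-attempt window in this sketch; a stricter variant would count them as well.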


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-06_art_32_summarypublic.pdf

publishable_fr_2019-03_transparency_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 20 March 2019
LSA: FR
CSAs: AT, DE – Rhineland-Palatinate, DE – North-Westphalia, DE – Lower Saxony, DE – Saarland, DE – Mecklenburg-Western Pomerania, DE – Bavaria
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Information to be provided where personal data have not been obtained from the data subject (Article 14)

Decision: No violation
Key words: Transparency, Privacy statement, Consent

Summary of the Decision

Origin of the case
The complaint concerned the information delivered to individuals visiting the controller’s websites as well as the conditions for processing personal data for the purposes of direct marketing. It was alleged that the controller collects data for advertising purposes without having a privacy statement on its websites.

Findings
Following examination of the complaint, a series of exchanges between LSA services and the marketing service of the controller took place. The controller updated the information delivered to individuals visiting its websites, in accordance with Articles 13 and 14 of the GDPR, by the publication of a document entitled ‘General Data Protection Regulation (GDPR)’. The LSA noted the controller’s commitment to pursuing a consent campaign for the collection and the use of personal data for the purposes of direct marketing from data subjects, prior to sending newsletters.

Lastly, it was observed that the controller undertakes measures to ensure that every data subject has ‘the possibility to unsubscribe easily and for free’.

Decision
After having observed that the controller responded appropriately and demonstrated compliance with the GDPR, the LSA together with the CSAs agreed to proceed to the closure of the complaint.

Comments
Submitted by a citizen, but not a formal complaint (Art. 77 GDPR)


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-03_transparency_summarypublic_0.pdf

publishable_fr_2019-03_lawfulness_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 22 March 2019
LSA: FR
CSAs: AT, BE, DE-Berlin, DE-Mecklenburg-Western Pomerania, DE-Bavaria (private sector), DE-Lower Saxony
Legal Reference: Right to object (Article 21), Principles relating to processing of personal data (Article 5), Lawfulness of the processing (Article 6), Conditions for consent (Article 7)

Decision: No violation
Key words: Rights of data subjects, Right to object, Lawfulness of processing, e-Commerce, Marketing

Summary of the Decision

Origin of the case
The data subject filed a complaint after facing difficulties in pursuing his right to object and in relation to the information required on the product order form.

Findings
The LSA found that the delay in complying with the right to object was due to the 72 hours required to process the relevant request, of which the data subject was informed. Besides, the request was submitted on a Saturday and Monday was a holiday. The data controller also took measures to clarify the e-mail address to which such requests can be submitted, and it also set up a dedicated email address to handle such requests more efficiently. In addition, the data controller no longer requires the date of birth to be provided for an order to be placed. Moreover, the consent to receive promotional offers from the controller and third parties must be explicitly given by checking the respective boxes when ordering a product.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The data controller did not delay complying with the request beyond what was reasonable and adjusted the information required to avoid collecting more data than necessary.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-03_lawfulness_summarypublic.pdf

publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 18 January 2019
LSA: FR
CSAs: AT, BE, BG, CZ, DE – Bavaria (priv), DE – Lower Saxony, DE – Rhineland Palatinate, DE – Saarland, DE – Thuringia, EE, EL, ES, HR, HU, IE, IT, LT, LU, LV, NO, PL, RO, SE, SK, SI, UK
Legal Reference: Transparency and information and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Reprimand to controller
Key words: Right to Erasure, Data Subject Rights not respected, proportionality for proof of identity, Reprimand

Summary of the Decision

Origin of the case
Complainant states that the right to erasure has been refused by the controller. Controller requested a scan of the ID and a specimen of the signature of the data subject. Complainant argues that neither of the two was required upon the creation of the account.

Findings
By the time of the decision, the controller had already granted the right to erasure to the complainant without the complainant needing to provide further proof of identity.

However:
1. the Controller systematically requested individuals to provide a copy of an identity document for exercising their rights, regardless of their country of residence, without providing a basis for reasonable doubts as to the identity of the complainant according to Art 12.6 GDPR. “The level of verification to be carried out is depending on the nature of the request, sensibility of the communicated information and the context within which the request is being made.”
Thus, the controller required disproportionate information for the purpose of verifying the identity of the data subject.
The SA stated for “illustrative purposes, it is disproportionate to require a copy of an identity document in the event where the claimant made his request within an area where he is already authenticated. An identity document can be requested if there is a suspicion of identity theft or of account piracy for instance.”

2. A controller may only store information needed for the exercise of individuals’ rights until “the end of legal limitation applicable periods.” During this period, “the data have to be subject to an “intermediary” archiving on a support separate from the active base with a restricted access to authorized persons.”

The LSA references https://www.cnil.fr/fr/limiter-la-conservation-des-donnees.

The SA highlights under “Finally” that it acknowledges that the new data protection rules applicable are leading “to significant adaptations inside the” controller “concerning the exercise of data subjects’ rights.”

Decision
The SA reprimands “the controller for lack of compliance with the law” on the points above.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

publishable_dk_2020-02_security_of_processing_article_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Dismissal of the case

Background information
Date of final decision: 5 February 2020

LSA: DK
CSAs: DE-Schleswig-Holstein, FR, SE

Controller: Garnio ApS/Hobbii Aps (Garnio ApS changed its name on 8 April 2019).

Legal Reference: Right of access by the data subject (Article 15), Security of processing (Article 32), Personal data breach (Articles 33 and 34), and Tasks of the Data Protection Officer (Article 39).

Decision: Dismissal of the case

Key words: Data breach, security

Summary of the Decision

Origin of the case
The complainant requested access to his data processed by the controller. As a result of this request, the controller provided the personal data of another individual. The complainant contacted the controller again about the breach but the controller did not reply to the inquiry.

Findings
The LSA found that the data subject in this case was not entitled to complain, as the processing of personal data did not relate to that individual.

Decision
The LSA took notice of the security issue and the personal data breach that occurred. This will be taken into consideration during the planning of audits.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_dk_2020-02_security_of_processing_article_32_summarypublic.pdf

publishable_dk_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR

Background information
Date of final decision: 25 October 2019
LSA: DK
CSAs: AT, BE, CY, DE, ES, FI, FR, HU, IT, LU, NL, NO, SE, SK, UK
Controller: PANDORA A/S
Legal Reference: Principles relating to processing of personal data (Article 5), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR and a reprimand to the controller.
Key words: Right to erasure, Data subjects’ rights, Transparency

Summary of the Decision

Origin of the case
The complainant requested to have his personal data deleted from the controller’s database. The controller replied that, before processing his erasure request, a proof of identification was necessary to confirm his identity. As the complainant refused to comply with the controller’s demand, his data were not deleted.

Findings
The LSA found that the controller’s procedure under which ID validation was required without exception when processing a data subject’s request was not in conformity with Article 12(6) and Article 5(1)(c) GDPR. The LSA also found that, under the controller’s procedure, data subjects had to provide more information than initially collected in order to have their request processed.
Consequently, the controller’s procedure for ID validation went beyond what was required and made it burdensome for data subjects to exercise their rights.

Decision
The LSA criticized the fact that the controller’s processing had not been carried out in accordance with Article 12(6) and Article 5(1)(c) GDPR. It ordered the controller to decide within two weeks whether the conditions for erasure present in Article 17 GDPR were met and, if so, delete the complainant’s data.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_dk_2019-10_right_to_erasure_summarypublic.pdf