Category: EDPB-Art60-summaries

Summaries of Art 60 final decisions

Posted on

publishable_cy_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE-Hamburg
Controller: Seachefs Cruises Ltd
Legal Reference: Right to erasure (Article 17), Lawfulness of processing (Article 6)
Decision: No infringement of the GDPR
Key words: Right to erasure, Data retention, Legal claims, Compliance with a legal obligation

Summary of the Decision
Origin of the case
The complainant submitted an erasure request to the controller, who was his previous employer. The HR department of the controller replied that some of his data (e.g. his passport information, employment contract, salary information and dismissal records) were to be kept in order to comply with national law obligations and be able to exercise or defend legal claims. As a result, the complainant lodged a complaint requesting the deletion of all his data.

Findings
The LSA found that, pursuant to the applicable national social insurance and tax law, the controller was required to keep records of all expenses including salaries. In order to comply with this obligation, the controller was obliged to keep the complainant’s passport information, employment contract and salary information. Moreover, according to the national law on statute of limitations, the controller was allowed to keep the complainant’s dismissal records for a period of six years after the dismissal as the complainant could appeal the decision of the controller to the relevant court.

Decision
The LSA found no infringement of the GDPR made by the controller.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

Posted on

publishable_cy_2019-10_erasure_request_ignored_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE, DK, ES, FR, HU, IT, LT, SK, NO
Controller: Hostinger International Ltd
Legal Reference: Right of access (Article 15), Right to erasure (Article 17), Right to object (Article 21)

Decision: No infringement of the GDPR
Key words: Right to erasure, Right to object, Data subject request, Advertising and marketing purposes

Summary of the Decision
Origin of the case
Two complainants lodged complaints with two CSAs regarding the controller’s failure to comply with their requests. The first complainant demanded that his email and other account data would no longer be processed for advertising and marketing purposes. The second complainant aimed at exercising his right of access.

Findings
Through several investigations, the LSA found that the controller never received the data subject requests. However, following the interaction with the LSA, the controller fully complied with the complainants’ requests.

Decision
The LSA found that the controller ultimately complied with his obligations under the GDPR. No further action towards the controller was taken.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_erasure_request_ignored_summarypublic_0.pdf

Please see also EDPB Copyright page

Posted on

publishable_cy_2019-10_article_21_and_15_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No ongoing infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE-Rhineland-Palatinate, DK, ES, FR, HU, IT, LT, PL, PT, SE, SK
Controller: Hostinger International Ltd
Legal Reference: Right of access (Article 15), Right to object (Article 21)

Decision: No ongoing infringement of the GDPR
Key words: Right of access, Right to object, Data subject request, Advertising and marketing purposes

Summary of the Decision

Origin of the case
Two complainants lodged complaints with two CSAs regarding the controller’s failure to comply with this requests. The first complainant demanded that his email and other account data would no longer be processed for advertising and marketing purposes. The second complainant aimed at exercising his right of access.

Findings
Through several investigations, the LSA found that the controller never received the data subject requests. However, following the interaction with the LSA, the controller fully complied with the complainants’ requests.

Decision
The LSA found that the controller ultimately complied with his obligations under the GDPR. No further action towards the controller was taken.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-10_article_21_and_15_summarypublic.pdf

Please see also EDPB Copyright page

Posted on

publishable_cy_2019-06_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 13 June 2019
LSA: CY
CSAs: AT, DE-Hessen, DK, ES, FR, NL, NO, SK, SE
Controller: IQ OPTION EUROPE LTD
Legal Reference: Right to Erasure (Article 17)
Decision: No violation
Key words: Right to erasure, e-commerce, Exercise of the rights of data subjects

Summary of the Decision
Origin of the case
The complainant alleged that he was denied erasure of his data due to his earlier consent to the general terms and conditions. The general terms and conditions, however, do not elaborate on the data subjects’ rights but only refer in a general manner to the GDPR.

Findings
After seeking information from the data controller, the LSA found that the controller was regulated by AML national legislation, which requires the retention of data for at least five years to ensure that regulators, companies, and customers have access to key business records regarding financial transactions.

Decision
No violation as the processing was lawful under the provision Art 17(1)(b) GDPR providing that “the processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-06_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

Posted on

publishable_be_2019-01_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: Before 29 January 2019
LSA: BE
CSAs: DK, ES, NO
Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Compliance order to controller
Key words: Transparency, Compliance order

Summary of the Decision
Origin of the case
The complainant received an email on the update of the privacy policy of the controller. The complainant sent a mail to the controller requesting the erasure of the complainant’s data. The controller informed that it would need 60 more days to execute the request. By September 2018, the complainant hadn’t received any confirmation, despite the obligation to the controller in Art 12.3 GDPR.

Findings
The period in which the Controller has to inform the complainant on the action taken to exercise the right of erasure has expired. The SA stated that “it is obvious that the deadline has been exceeded at all levels”.

Decision
The SA has issued a Data subject rights compliance order to the controller on the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

Posted on

publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 29 January 2019
LSA: BE
CSAs: DE (Rhineland-Palatinate), FR
Legal Reference: Right of Access (Article 15), Right to erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subjects (Article 12)

Decision: Compliance order to controller
Key words: Data subject rights, Right of access, right to erasure, transparency

Summary of the Decision
Origin of the case
The complainant requested that the controller shall grant his right to access and following this, grant the right to erasure. The complainant did not receive any reply at all until the date of the complaint, despite the obligation provided in Article 12.3 GDPR, according to which the controller shall inform the data subject about the follow-up of the request within one month since the receipt thereof.

Findings
So far, the controller has not reacted to the initial request for the exercise of the right of access and the right to erasure.

Decision
The SA issued a data subject rights compliance order to the controller on the Right to Access and following this the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Please see also EDPB Copyright page

Posted on

de_berlin_2019-08_righttoobjectandrighttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 12 September 2018
LSA: DE – Berlin
CSAs: AT, DE – Bavaria (priv), DE – Mecklenburg-Western Pomerania, DE – Saarland, DE – Hesse, DE – Lower Saxony, DK, ES, FR, SE

Controller: Just Fabulous GmbH
Legal Reference: Right to erasure (Art 17)

Decision: Reprimand to Controller
Key words: Right to Erasure, e-commerce, Data Subject Rights not respected, Reprimand

Summary of the DecisionRight to Erasure, e-commerce, Data Subject Rights not respected, Reprimand

Origin of the case
Complainant requested deletion of personal data to the controller on 11 January 2018 and received a confirmation of the deletion on 15 January 2018. Despite this, s/he received e-mails on the 1 June (“Updating our data protection guidelines”) and 16 June 2018 (“Your feedback is important to us”) from the controller.

Findings
The controller did not fulfil its obligation under Article 17 para. 1 letter a GDPR. Controller showed understanding and announced that it would comply with GDPR and put an end to the reprimanded conduct.

Decision
Considering the specific circumstances a reprimand was considered appropriate.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/de_berlin_2019-08_righttoobjectandrighttoerasure_summarypublic.pdf

Please see also EDPB Copyright page