publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019

LSA: LU
CSAs: ES, FR, CZ

Legal Reference: Lawfulness of the processing (Article 6), Principles relating to the processing of personal data (Article 5), Right of access (Article 15), Security of processing (Article 32)

Decision: No violation
Key words: Lawfulness of processing, Third party access to personal data, Rights of data subjects, Right of access, Security of processing, e-commerce

Summary of the Decision
Origin of the case
The complainant received a parcel from an unknown person who wanted to return an item he had purchased on the controller's website. The complainant's name and address had been indicated to this third party as the return address for the parcel.

Findings
The third party was a customer of the controller who had bought an item from a seller located in China, from whom the complainant had also made a purchase. The complainant's personal data had been disclosed to the third party by the seller. After conducting an internal inquiry, the controller took corrective measures against the seller and informed the complainant.

Decision
The LSA found that there had been no violation of the GDPR. The LSA and the CSAs agreed to close the cross-border complaint, since no further action was required.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic_0.pdf

Please see also EDPB Copyright page

publishable_lt_2019-05_allegedillegalpersonaldataprocessing_summarypublic.pdf

Summary Final Decision Art 60
Investigation

Imposition of a fine

Background information
Date of final decision: 16 May 2019

LSA: LT
CSAs: LV

Legal Reference: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Information to be provided where personal data have not been obtained from the data subject (Article 14), Responsibility of the controller (Article 24), Security of processing (Article 32), Notification of a personal data breach to the supervisory authority (Article 33), General conditions for imposing administrative fines (Article 83).

Decision: Imposition of fine

Key words: Data breach, unlawful processing, security of the processing

Summary of the Decision

Origin of the case
This case concerned screenshots taken by the data controller when a user made an online payment through its service. The user was not notified that screenshots were being taken. The screenshots recorded personal data of the payer, such as name and surname, numbers, recent transactions, loans, amounts, mortgages, etc. Moreover, the data controller had allowed access to individuals who were not authorised for that purpose and did not report the resulting data breach.

Findings
Regarding the processing of personal data in screenshots: The LSA considered that the controller's processing of personal data went beyond what was necessary for the performance of the payment service, and that the data was also stored for longer than necessary. The controller failed to demonstrate the need to collect such an amount of personal data. The processing therefore violated the data minimisation and storage limitation principles. Moreover, users were not informed of the processing. The LSA therefore considered the processing of personal data unlawful.

Regarding the exposure of the personal data: Due to a security breach, unauthorised individuals had access to the data concerned, since the records could be retrieved from the controller's website merely by supplying a transaction ID number, with nothing else required. The LSA found that the controller had failed to implement appropriate technical or organisational measures to ensure data security.
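The weakness described above is a record lookup keyed only on a guessable identifier. The following is an added example, not code from the decision or from the controller: a vulnerable lookup of the kind at issue, the enumeration it permits, a hardened lookup that requires an authenticated caller and an ownership check, and, for flows that cannot require a login, a high-entropy token in place of the number. All users, records, field names and the token scheme are constructed for illustration.

```python
"""Added example, not part of the decision: a payment-record lookup that releases the
record to anyone who supplies the transaction number, beside a hardened lookup.
All users, records, field names and the token scheme are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets


@dataclass(frozen=True)
class Transaction:
    tx_id: int        # sequential, so trivially guessable
    owner: str        # account that made the payment
    payer_name: str
    amount: str


# Constructed sample store: two customers' payments with consecutive IDs.
TRANSACTIONS: Dict[int, Transaction] = {
    1001: Transaction(1001, "alice", "Alice Example", "25.00"),
    1002: Transaction(1002, "bob", "Bob Example", "140.00"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def lookup_vulnerable(tx_id: int) -> Transaction:
    """The pattern at issue: the transaction number is the only thing checked."""
    try:
        return TRANSACTIONS[tx_id]
    except KeyError:
        raise NotFound(tx_id) from None


def enumerate_vulnerable(start: int, stop: int) -> List[str]:
    """What a third party can do with a guessable number: walk the ID range and
    harvest every payer's name (in the real case also balances, loans, etc.)."""
    names: List[str] = []
    for tx_id in range(start, stop):
        try:
            names.append(lookup_vulnerable(tx_id).payer_name)
        except NotFound:
            continue
    return names


def lookup_hardened(tx_id: int, authenticated_user: Optional[str]) -> Transaction:
    """Authentication is mandatory and the record goes only to its owner.
    A foreign ID is reported as NotFound, not Forbidden, so the endpoint does not
    confirm which transaction numbers exist."""
    if authenticated_user is None:
        raise Forbidden("login required")
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx.owner != authenticated_user:
        raise NotFound(tx_id)
    return tx


# For flows that cannot require a login (e.g. a receipt link sent by e-mail),
# replace the guessable number with a single-purpose, high-entropy token.
_RECEIPT_TOKENS: Dict[str, int] = {}


def issue_receipt_token(tx_id: int) -> str:
    """256-bit random token bound to one transaction; not derivable from tx_id."""
    if tx_id not in TRANSACTIONS:
        raise NotFound(tx_id)
    token = secrets.token_urlsafe(32)
    _RECEIPT_TOKENS[token] = tx_id
    return token


def lookup_by_receipt_token(token: str) -> Transaction:
    """Resolve a receipt token; unknown tokens are indistinguishable from expired ones."""
    tx_id = _RECEIPT_TOKENS.get(token)
    if tx_id is None:
        raise NotFound("unknown or expired token")
    return TRANSACTIONS[tx_id]
```

In a production service the receipt tokens would additionally carry an expiry and be stored hashed, so that a copy of the token table does not by itself grant access; the point the example makes is that the identifier a user presents must either be tied to an authenticated session or be unguessable, and that a sequential number is neither.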

Regarding the notification of the personal data breach: The data controller failed to notify the data breach as required by Article 33 GDPR and did not provide a sufficient explanation for that failure.

Decision
The LSA decided to impose a fine of €61,500 (2.5% of the controller's total annual worldwide turnover).

Comments
This is the first fine issued by this SA under the one-stop-shop (OSS) mechanism.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lt_2019-05_allegedillegalpersonaldataprocessing_summarypublic.pdf

publishable_li_2019-08rightofaccessnotgranted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance Order to Controller

Background information
Date of final decision: 27 August 2019

LSA: LI

CSAs: DE-Lower Saxony

Legal Reference: Principles relating to processing of personal data (Article 5), Right of access (Article 15)

Decision: Compliance order to controller

Key words: Right of access, Information to data subjects

Summary of the Decision

Origin of the case
The complainant alleged that the controller infringed Article 15 GDPR by providing him with incomplete information concerning the purposes of the processing, the storage period and the right to appeal to a supervisory authority.

Findings
Concerning the processing purpose, the LSA found that the information provided by the controller was incomplete. The controller had stated that personal data were processed solely for the purpose of participating in a prize competition. However, personal data were also transferred to sponsors for marketing purposes. The controller should have included this additional purpose of the processing when providing information to the data subject.

Concerning the storage period, the LSA found that the information provided by the controller was also incomplete. In particular, there was no specification on the storage period or the criteria according to which the storage period would be determined.

Concerning the right of appeal to a supervisory authority, the LSA found that the controller was under no legal obligation to specify which supervisory authority was competent. Nonetheless, the controller was advised to do so in order to facilitate the exercise of data subjects’ rights.

Decision
The LSA found that the controller infringed Article 15 GDPR by not providing the complainant with correct and sufficient information regarding the purposes of the processing and the storage period of the data and therefore ordered compliance.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-08rightofaccessnotgranted_summarypublic.pdf

publishable_li_2019-08_noviolation_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 12 August 2019
LSA: LI
CSAs: DE-Brandenburg
Legal Reference: Lawfulness of the processing (Article 6), Conditions for consent (Article 7), Principles relating to processing of personal data (Article 5)
Decision: No violation
Key words: Advertising, Lawfulness of the processing, Lack of evidence

Summary of the Decision

Origin of the case
The complainant alleged he had received unwanted advertising. After requesting access to his personal data, he received a screenshot from the controller showing the information he had allegedly shared in order to participate in an online competition. This included his address and contact details.
The complainant argued that he had in fact not participated in the online competition and did not provide his consent, so he lodged a complaint assuming that a third party entered his contact details.

Findings
The LSA sent a request for further information to the complainant, which remained unanswered.

Decision
The case was rejected as no evidence was submitted by the complainant.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-08_noviolation_summarypublic_0.pdf

publishable_li_2019-07_rightofaccessnotgranted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 21 August 2019
LSA: LI
CSAs: DE-Lower Saxony
Legal Reference: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Conditions for consent (Article 7), Right of access by the data subject (Article 15), Security of processing (Article 32)

Decision: Compliance order to controller
Key words: Consent, Transparency

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the Commissioner for Data Protection of Lower Saxony, alleging he received unsolicited personalised advertising. In its reply to the data subject’s right of access request, the controller had stated that the complainant’s personal data was the result of a prize competition in which he had allegedly participated consenting to the use of his data for marketing purposes by the controller or its sponsors.

Findings
In its assessment of the validity of the consent provided by the complainant, the LI SA found that the text explaining the checkbox for consent was inconsistent with the privacy policy, which referred to a wider range of processing activities and a larger number of recipients: thus, the consent was not legally valid and Articles 5(1)(a), 6 and 7 GDPR were violated.
Furthermore, the LI SA found that the controller did not comply with Article 15 GDPR as it did not appropriately provide the data subject with information on the purposes of the processing of personal data, the recipients and the storage period.
In addition, violations of Article 32 GDPR were also identified: first, the technical and organisational measures implemented by the processor (e.g. a double opt-in procedure) were not sufficient to prevent the misuse of personal data; secondly, the unauthorised entry of data could not be traced back because the link relating to the generated lead was deleted after a 30-day period.

Decision
The LI SA required the controller to take the following steps within three months:

– seek consent in accordance with Article 7 GDPR and revise the Terms and Conditions and Privacy Notice of the prize competition;

– implement further technical and organisational measures;

– ensure that the author or source of the manipulation can be identified.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-07_rightofaccessnotgranted_summarypublic.pdf

publishable_it_2019-09_newsletter_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No ongoing infringement of the GDPR

Background information
Date of final decision: 17 September 2019

LSA: IT
CSAs: DE-Baden-Württemberg, DE-Hamburg, DE-Rhineland-Palatinate
Legal Reference: Right to erasure (Article 17)

Decision: No ongoing infringement of the GDPR
Key words: Right to erasure, Spam, Newsletter

Summary of the Decision

Origin of the case
The complainant sent an email to the controller to unsubscribe from a newsletter. The day after the erasure request, he received another spam email from the newsletter.

Findings
The LSA found that, instead of sending the erasure request to the dedicated email address present in the marketing email footer, the complainant sent it to the wrong email address, thus slowing down the procedure. Despite the complainant’s mistake, the controller dealt with the erasure request within a few days.

Decision
The LSA found that the controller had ultimately complied with its obligations under the GDPR, since some technical processing time is unavoidable, especially when the data subject exercises his right by writing to the wrong e-mail address, and dismissed the complaint.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_it_2019-09_newsletter_summarypublic.pdf

publishable_fr_2020_rights_of_the_data_subject_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to the controller

Background information
Date of final decision: 25 February 2020
LSA: FR
CSAs: BE, DE Berlin, DE Hesse, DE Lower Saxony, DE Mecklenburg-Western Pomerania, DK, ES, FI, SE, UK
Legal Reference: Responsibility of the controller (Article 24), Security of processing (Article 32)

Decision: Reprimand
Key words: Password, Right of access, Marketing preferences, Data security

Summary of the Decision

Origin of the case
The complainants encountered difficulties when exercising their right to object to direct marketing and their rights of access and portability.

Findings
During the investigation, the LSA found that an incident had occurred during the migration of the controller's consent management tool for marketing communications, causing consents that had not been given or had been withdrawn to be recorded as given or not withdrawn, so that users' communication preferences were not taken into account in the controller's communication campaigns.

Although the LSA noted that the problem had been solved and that the users' communication preferences had been restored, the incident showed that, prior to the migration of its consent management tool, the controller had not implemented the measures required by Article 24 GDPR.
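The measure missing before the migration above is a reconciliation between the old and new consent stores before the new tool is allowed to drive campaigns. The following is an added example, not code from the decision or from the controller: a migration with the kind of inverted mapping that turns withdrawn consents into given ones, the corrected migration, and a reconciliation gate that detects the inversion. The records and the field names (a legacy 'opted_out' flag and a new 'consented' flag) are constructed for illustration.

```python
"""Added example, not part of the decision: a reconciliation gate for migrating
marketing-consent records between two tools. The records and field names are
constructed; the legacy tool stores an 'opted_out' flag, the new one a 'consented' flag."""
from typing import Dict, List

Record = Dict[str, bool]

# Constructed legacy export: True under 'opted_out' means the user objected or withdrew.
LEGACY: Dict[str, Record] = {
    "u1": {"opted_out": False},
    "u2": {"opted_out": True},
    "u3": {"opted_out": True},
}


def migrate_buggy(legacy: Dict[str, Record]) -> Dict[str, Record]:
    """The kind of mapping error described above: the legacy flag is copied into a
    field with the opposite meaning, so withdrawn consents come out as 'given'."""
    return {uid: {"consented": rec["opted_out"]} for uid, rec in legacy.items()}


def migrate_fixed(legacy: Dict[str, Record]) -> Dict[str, Record]:
    """Correct mapping: a user who has not opted out is the one who has consented."""
    return {uid: {"consented": not rec["opted_out"]} for uid, rec in legacy.items()}


def reconcile(legacy: Dict[str, Record], migrated: Dict[str, Record]) -> List[str]:
    """Compare the two stores and return every discrepancy found. Checks: no user lost
    or invented, the per-user invariant opted_out == not consented, and the total
    number of valid consents unchanged. An empty list means the stores agree."""
    problems: List[str] = []
    for uid in sorted(set(legacy) - set(migrated)):
        problems.append(f"{uid}: missing after migration")
    for uid in sorted(set(migrated) - set(legacy)):
        problems.append(f"{uid}: not present in legacy store")
    for uid in sorted(set(legacy) & set(migrated)):
        if legacy[uid]["opted_out"] == migrated[uid]["consented"]:
            problems.append(f"{uid}: consent state inverted")
    before = sum(1 for r in legacy.values() if not r["opted_out"])
    after = sum(1 for r in migrated.values() if r["consented"])
    if before != after:
        problems.append(f"valid consents changed from {before} to {after}")
    return problems


def safe_to_activate(legacy: Dict[str, Record], migrated: Dict[str, Record]) -> bool:
    """Gate for switching campaigns to the new tool: only when reconciliation is clean."""
    return not reconcile(legacy, migrated)
```

The aggregate count alone would not catch a migration that inverts two users in opposite directions; the per-user invariant does, which is why the gate checks both and reports each discrepancy rather than a single pass/fail.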

The LSA also found that the controller's procedure for processing access requests was not fully compliant with Article 32 GDPR: in the absence of a client account, the username and password giving access to the content containing the personal data were sent to data subjects via one and the same channel, so that a single intercepted message would yield both.

Thus, the controller has been asked to modify this procedure. The LSA determined that the controller had improved the procedures to handle data subject rights requests and trained employees on such procedures.

Decision
The LSA issued a reprimand to the controller.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020_rights_of_the_data_subject_summarypublic.pdf

publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand

Background information
Date of final decision: 11 May 2020
LSA: FR
CSAs: ES, PT, UK

Legal Reference: Right to erasure (Article 17)
Decision: Reprimand
Key words: Right to erasure, Data retention

Summary of the Decision

Origin of the case
The data subject requested the controller to delete their personal data and received the controller’s confirmation of the deletion of the data subject’s account and their personal data. However, despite the confirmation, the data subject verified that he/she still had access to their customer account with the controller. Consequently, the data subject decided to lodge a complaint with the LSA.

Findings
In a first exchange between the LSA and the controller, the controller stated that it had deactivated the complainant's account the day after the request, but that the deactivation was not effective when the complainant tried to access the account, due to a technical malfunction that was only resolved months later. In a second letter, the controller reported that one of the members of its customer service team had previously obfuscated the complainant's sole account ID in an attempt to resolve the data subject's difficulty, which prevented the deletion script from running and thus the deletion of the account.

When the LSA inquired a second time, the controller had since restored the complainant's account ID and re-run the script so that the account would effectively be made unavailable. The LSA concluded that the controller had not been able to demonstrate the effective deletion of the complainant's data, despite a first confirmation to the complainant and a second one to the LSA.

The controller indicated that it would proceed with the definitive deletion of the complainant’s data at the end of the applicable limitation periods and domestic retention obligations.

Decision
The LSA reprimanded the controller on the need to sort through the complainant’s data to store, in intermediate archives with restricted access, solely the personal data necessary for the exercise of legal claims, or for compliance with legal obligations.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf

publishable_fr_2020-02_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand

Background information
Date of final decision: 20 February 2020
LSA: FR
CSAs: LU
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12) Right to object (Article 21)

Decision: Reprimand
Key words: Right to object, E- commerce

Summary of the Decision

Origin of the case
The complainant received SMS marketing on his phone. Following his objection to the controller, he received another marketing SMS.

Findings
The LSA noted that there was a 48-72 hour delay in deleting the complainant's data. The controller now informs individuals exercising their right to object of this delay.

Further, the LSA found that the controller's procedure for requests to exercise rights systematically required complainants to provide a copy of an identity document, in breach of Article 12(6) GDPR. Also, the information provided to individuals at the registration stage and when sending direct marketing messages did not meet the objectives of transparency, accessibility and clarity set out in Article 12(2) GDPR.

The controller undertook the necessary actions to adjust its procedure to request an identity document only under specific circumstances and to improve the information delivered to individuals at the registration stage and when sending direct marketing messages, for instance detailing the contact addresses for exercising rights.

Decision
The LSA issued a reprimand in accordance with Article 58(2)(b) GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-02_right_to_object_summarypublic.pdf

publishable_fr_2020-01_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 27 January 2020
LSA: FR
CSAs: AT, BE, DE, ES, IT, NL, UK
Legal Reference: Transparency (Article 12), Right to erasure (Article 17), Right to object (Article 21)

Decision: Infringement of the GDPR
Key words: Erasure request, Objection, Direct marketing emails, Electronic communications, Reprimand

Summary of the Decision

Origin of the case
The complainant requested to have his account and personal data deleted and objected to the reception of direct marketing emails. According to the complainant, the controller did not comply with his requests.

Findings
The LSA found that, despite having deleted the complainant’s account and personal data a few days after receiving the erasure request, the controller did not inform the complainant of the erasure.
Moreover, in order to unsubscribe from direct marketing emails, the complainant needed an account with the controller's services. As his account had been deleted, he no longer had the possibility to unsubscribe from direct marketing emails. However, the LSA found that the controller had erased the complainant from its direct marketing databases, albeit with a delay due to the lack of synchronisation between its direct marketing database and the tool used by its subsidiary to send emails to members.

Decision
The LSA found that the controller did not comply with its obligations under the GDPR and issued it a reprimand.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-01_right_to_object_summarypublic.pdf