publishable_dk_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR

Background information
Date of final decision: 25 October 2019
LSA: DK
CSAs: AT, BE, CY, DE, ES, FI, FR, HU, IT, LU, NL, NO, SE, SK, UK
Controller: PANDORA A/S
Legal Reference: Principles relating to processing of personal data (Article 5), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR and a reprimand to the controller.
Key words: Right to erasure, Data subjects’ rights, Transparency

Summary of the Decision

Origin of the case
The complainant requested to have his personal data deleted from the controller’s database. The controller replied that, before processing his erasure request, proof of identification was necessary to confirm his identity. As the complainant refused to comply with the controller’s demand, his data were not deleted.

Findings
The LSA found that the controller’s procedure under which ID validation was required without exception when processing a data subject’s request was not in conformity with Article 12(6) and Article 5(1)(c) GDPR. The LSA also found that, under the controller’s procedure, data subjects had to provide more information than initially collected in order to have their request processed.
Consequently, the controller’s procedure for ID validation went beyond what was required and made it burdensome for data subjects to exercise their rights.

Decision
The LSA criticized that the processing by the controller had not been done in accordance with Article 12(6) and Article 5(1)(c) GDPR. It ordered the controller to decide within two weeks whether the conditions for erasure set out in Article 17 GDPR were met and, if so, to delete the complainant’s data.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_dk_2019-10_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_saarland_2019-05_deletionofaccount_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Closure of proceedings

Background information
Date of final decision: 7 March 2019
LSA: DE-Saarland
CSAs: DK, FR, NO, SE
Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Closure of proceedings
Key words: Right to erasure, Exercise of the rights of data subjects

Summary of the Decision

Origin of the case
The complainant sent two emails to the controller requesting the deletion of his account on the controller’s website and servers. The controller did not answer the request.

Findings
The data controller acknowledged that it had failed to delete the complainant’s data, and proved that, following the inquiry sent by the LSA, the account was deleted. The controller also demonstrated that it had adopted appropriate organisational measures to ensure compliance with erasure requests in the future.

Decision
The LSA decided to not take further measures since the controller had acted promptly and had taken the appropriate measures to ensure the effectiveness of future requests related to the GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_saarland_2019-05_deletionofaccount_summarypublic.pdf


publishable_de_north_rhine_west2018-12_lawfulnessoftreatment_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 21 December 2018
LSA: DE – North Rhine-Westphalia
CSAs: DE – Rhineland-Palatinate, DE – Mecklenburg-Western Pomerania, DE – Bavaria (priv), DE – Lower Saxony, DE – Saarland, ES
Legal Reference: Lawfulness of the processing (Article 6)

Decision: No violation
Key words: Direct Marketing, Legitimate interest, publicly available data

Summary of the Decision

Origin of the case
The complainant states that they received a postal advertisement and tried to exercise their right of access and right to erasure. The contacted branch stated that the letter had not been sent to the correct recipient, as the branch does not manage personal data; the correct establishment is in Germany. The complainant contacted their local SA because they consider that the controller is wrongfully processing their personal data, which is stored in a publicly accessible register.

Findings
According to recital 47 and Art 6.1.f GDPR, the legitimate interest of the controller or of a third party may be used as a legal basis, including when the processing is carried out for marketing purposes. The LSA argues that the data subject did not present any prevailing fundamental rights and freedoms, and that no prevailing rights and freedoms are apparent, as the data is already publicly accessible. As such, the aforementioned legal basis “can be considered as an allowing legal basis.”

The original requests for access and erasure were filed before 25 May 2018. Articles 13 and 14 GDPR were thus not yet applicable. However, under the GDPR the data subjects are to be informed from which source the personal data originate. The enterprise should be informed about this for future advertising mails”.

Decision
The LSA deems this not to be an infringement. The processing of publicly available personal data for direct marketing purposes may constitute lawful processing according to Art 6.1.f GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_north_rhine_west2018-12_lawfulnessoftreatment_summarypublic.pdf


publishable_de_hessen_2019-09_right_of_access_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 12 September 2019
LSA: DE-Hessen
CSAs: CY, DK, ES, FR, SE
Legal Reference: Right of Access (Article 15), Exercise of Data Subject Rights (Article 12)

Decision: No infringement of the GDPR
Key words: Right of access, Exercise of data subject rights

Summary of the Decision

Origin of the case
The complainant alleged that he did not receive a response to his request to access a copy of his personal data, processed by the controller, within the one-month timeframe set by the GDPR.

Findings
The LSA found that, at the time of the complaint, the controller was faced with a large number of data protection-related queries, justifying the need for an extension of the timeframe.
In a first reply to the request, the controller gave access only to a part of the personal data requested. The complainant reiterated the request for the remaining personal data. A second reply was sent to the complainant, which the complainant never received. Once the complaint was made to the LSA, the controller sent the letter again, which the complainant received this time. The controller also improved their internal processes for future responses to such requests.

Decision
No infringement of the GDPR was found, since appropriate action had been undertaken by the controller.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_hessen_2019-09_right_of_access_summarypublic.pdf



publishable_de-brandenburg_2019-10_right_of_access_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 2 October 2019
LSA: DE-Brandenburg
CSAs: AT, BE, DE-Berlin, DE-Hesse, DE-Lower Saxony, DE-Mecklenburg-Western Pomerania, DE-North Rhine-Westphalia, DE-Saarland, DE-Thuringia, DK, ES, FR, HU, IT, LU, NO, PL

Legal Reference: Right of access (Article 15), Principles relating to processing of personal data (Article 5)

Decision: No infringement of the GDPR
Key words: Right of Access, Legal Age, Verification Process

Summary of the Decision
Origin of the case
The complainant requested access to his personal data processed by the controller. The controller verified the data subject’s identity, and subsequently informed the complainant that his account had been suspended due to a discrepancy between the information concerning his age on his account and the information he had provided for the verification of his identity for the request.
Since he was 15 years old at the time and thus a minor, he was also asked to send parental consent, a copy of his ID card and of his birth certificate, in order to access his personal data. The complainant filed a complaint to the CSA on the basis that the information he had provided for the verification process was wrongly used to suspend his account, instead of being used for the process of giving access to personal information.

Findings
The controller underlined that at the time of the request there was no standardised process in place within the company for requests by minors, since the contractual relationship between the controller and the data subjects depends on the fact that the data subjects are adults. Shortly after the controller requested additional documentation for parental consent, this request was set aside and access to personal data was in fact given to the complainant. Finally, further measures were taken by the controller to improve the data access process.

Decision
The request for information was answered in due time and the controller’s verification process has been modified in a suitable manner. The LSA therefore found that there was no infringement of the GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de-brandenburg_2019-10_right_of_access_summarypublic.pdf


publishable_de-berlin_2019_12_data_breach_summarypublic.pdf

Summary Final Decision Art 60
Data Breach Notification

No Infringement of the GDPR

Background information
Date of final decision: 17 December 2019
LSA: DE-Berlin
CSAs: BE, DE-Rhineland-Palatinate, DE-Saarland, DE-Lower Saxony, DK, ES, FR, HU, LU, NO, SE, SK DE-Berlin
Controller: Schwarzkopf-Stiftung Junges Europa
Legal Reference: Personal Data Breach (Articles 33 and 34)

Decision: No infringement of the GDPR
Key words: Personal data breach, Hacker attack

Summary of the Decision
Origin of the case
One of the controller’s member platforms was attacked with malicious code, which enabled unauthorised redirects to third-party websites. The controller immediately asked the processor to deactivate the platform.

Findings
The LSA found that appropriate security measures, such as the update of a number of software components and the request to change users’ passwords, were taken by the controller after the incident. Additionally, specific technical and organisational measures were undertaken by the controller to remedy the data breach. Such measures included automatic checks of the content uploaded by users, as well as regular manual checks of the platform activity.
The LSA found that all the security measures were appropriate. Additionally, the LSA found that a second data breach that followed did not occur because of inadequate security measures and that data breaches in the future could be avoided to a reasonable degree, based on these measures.

Decision
The LSA found that the controller complied with their obligations under the GDPR and closed the case.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de-berlin_2019_12_data_breach_summarypublic.pdf


publishable_de-berlin_2019-08_right_of_access_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 3 September 2019
LSA: DE-Berlin
CSAs: AT, BE, CY, DE-Lower Saxony, DE-Saarland, DK, ES, FI, FR, HU, IT, NO, PL, SK
Controller: MZ Denmark GmbH (Mozilla)
Legal Reference: Transparency (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Information to be provided where personal data have not been obtained from the data subject (Article 14), Right of access (Article 15)

Decision: No infringement of the GDPR
Key words: Right of access, Transparency and Information

Summary of the Decision
Origin of the case
The complainant requested to have access to his information without having to send a postal request to the controller’s address in the United States. No other contact options such as an email address or web form were listed in the controller’s privacy policy.

Findings
The controller communicated to the LSA that, due to a human error, the email address was not included in the privacy policy. This error was immediately rectified following the correspondence with the LSA. The controller also created a portal for enquiries from data subjects. A link to this portal was integrated in the privacy policy.

Decision
The LSA did not find it necessary to establish whether an infringement had taken place, as the controller had complied with its obligations under the GDPR.
Furthermore, the LSA was informed by the SA receiving the complaint that the complainant had withdrawn his complaint.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de-berlin_2019-08_right_of_access_summarypublic.pdf


publishable_de_berlin_2019-07_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 2 July 2019
LSA: DE-Berlin
CSAs: AT, DE-Rhineland-Palatinate, DE-Hesse, DE-Saarland, DE-North Rhine-Westphalia, FR
Controller: Billpay GmbH
Legal Reference: Right of access (Article 15), Responsibility of the controller (Article 24), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Reprimand to controller
Key words: Right of access, Exercise of the rights of the data subjects, Reprimand, Data Subject Rights not respected

Summary of the Decision
Origin of the case
The complainant sent an e-mail to the controller, stating his current address, requesting access to his personal data in accordance with Article 15 GDPR. The controller attempted to provide the complainant with the requested information by registered letter, but it used a different postal address from the one specified by the complainant. Therefore, the letter was not delivered to the complainant.
The controller sent an e-mail to the complainant requesting his current address. As a result, the complainant was provided with the information about his personal data four months after the deadline established under Article 12 (3) GDPR.

Findings
The LSA determined that the controller infringed Article 12(3) GDPR by exceeding the deadline to answer the complainant’s access request, since it was technically possible and reasonable for the controller to send the information to the address given by the complainant, without further delay.

Decision
Taking into account the circumstances of the case and the fact that the controller, after being contacted by the LSA, showed understanding and a willingness to comply with data protection regulations, the LSA issued a reprimand based on Article 58(2)(b) GDPR for violating the complainant’s right of access under Article 15 GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-07_rightofaccess_summarypublic.pdf
