Summary Final Decision Art 60

Infringement of the GDPR

Background information
Date of final decision: 28 October 2019
Legal Reference: Right of access (Article 15)
Decision: Infringement of Article 15 GDPR
Key words: Right of access, Data subjects’ rights, Data subject access request, Bank, Technical and organisational measures

Summary of the Decision

Origin of the case
The complainant filed a complaint with the CSA contending that the controller did not comply with her access request within the established 30 days’ period.

The LSA found that a letter and a file containing the copy of the complainant’s data were supposed to be sent to her on the day following the request. However, the email was erroneously categorised as “internal only”, which resulted in a failure to send such letter and file to the complainant.
Furthermore, the employee with access to the relevant mailbox left the company without ensuring that the complainant received a reply. Following the LSA’s investigation and the discovery of the mistake, the controller provided the complainant with a letter giving details about the processing of her data and the file containing the requested information.
Furthermore, the LSA requested the controller to submit details on the organizational and security measures implemented to avoid similar incidents in the future. To ensure an adequate follow-up of the access requests, the controller improved its back-up continuity procedure under which the back-up person would intervene if the main contact was not capable of complying with the client’s request.

The LSA found that the controller infringed Article 15 GDPR by not having adequate procedures in place to deal with subject access request, thus depriving the complainant of the right to access her data within the established timeframe. As a result, and also in light of several mitigating circumstances, the controller received an administrative fine of 8,000 euros. The LSA also instructed the controller to implement the appropriate technical measures to enhance the organizational and security measures already put in place.

This text has been converted automatically from the PDF available via
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at

Please see also EDPB Copyright page