Tag: Data Subject Rights not respected

Posted on

publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 18 January 2019
LSA: FR
CSAs: AT, BE, BG, CZ, DE – Bavaria (priv), DE – Lower Saxony, DE – Rhineland Palatinate, DE – Saarland, DE – Thuringia, EE, EL, ES, HR, HU, IE, IT, LT, LU, LV, NO, PL, RO, SE, SK, SI, UK
Legal Reference: Transparency and information and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Reprimand to controller
Key words: Right to Erasure, Data Subject Rights not respected, proportionality for proof of identity, Reprimand

Summary of the Decision

Origin of the case
Complainant states that the right to erasure has been refused by the controller. Controller requested a scan of the ID and a specimen of the signature of the data subject. Complainant argues that neither of the two were required upon the creation of the account.

Findings
By the time of the decision, the controller had already granted the right to erasure to the complainant without the complainant needing to provide further proof of identity.

However:
1. the Controller systematically requested individuals to provide a copy of an identity document for exercising their rights, regardless of their country of residence, without providing a basis for reasonable doubts as to the identity of the complainant according to Art 12.6 GDPR. “The level of verification to be carried out is depending on the nature of the request, sensibility of the communicated information and the context within which the request is being made.”
Thus, the controller required disproportionate information for the purpose of verifying the identity of the data subject.
The SA stated for “illustrative purposes, it is disproportionate to require a copy of an identity document in the event where the claimant made his request within an area where he is already authenticated. An identity document can be requested if there is a suspicion of identity theft or of account piracy for instance.”

2. A controller may only store information needed for the exercise of individuals’ rights until “the end of legal limitation applicable periods.” During this period, “the data have to be subject to an “intermediary” archiving on a support separate from the active base with a restricted access to authorized persons.”

The LSA references https://www.cnil.fr/fr/limiter-la-conservation-des-donnees.

The SA highlights under “Finally”, that it acknowledges that the new data protection rules applicable are leading “to “significant adaptations inside the”” controller, “concerning the exercise of data subjects’ rights.”

Decision
The SA reprimands “the controller for lack of compliance with the law” on the points above.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

Posted on

publishable_de_berlin_2019-07_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 2 July 2019
LSA: DE-Berlin
CSAs: AT, DE-Rhineland-Palatinate, DE-Hesse, DE-Saarland, DE-North Rhine-Westphalia, FR
Controller: Billpay GmbH
Legal Reference: Right of access (Article 15), Responsibility of the controller (Article 24), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Reprimand to controller
Key words: Right of access, Exercise of the rights of the data subjects, Reprimand, Data Subject Rights not respected

Summary of the Decision
Origin of the case
The complainant sent an e-mail to the controller, stating his current address, requesting access to his personal data in accordance with Article 15 GDPR. The controller attempted to provide the complainant with the requested information by a registered letter, but it used another postal address than the one specified by the complainant. Therefore, the letter was not delivered to the complainant.
The controller sent an e-mail to the complainant requesting his current address. As a result, the complainant was provided with the information about his personal data four months after the deadline established under Article 12 (3) GDPR.

Findings
The LSA determined that the controller infringed Article 12(3) GDPR by exceeding the deadline to answer the complainant’s access request, since it was technically possible and reasonable for the controller to send the information to the address given by the complainant, without further delay.

Decision
Taking into account the circumstances of the case and the fact that the controller, after being contacted by the LSA, showed understanding and its willingness to comply with data protection regulations, the LSA issued a reprimand based on Article 58(2)(b) GDPR for violating the complainant’s right of access under Article 15 GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-07_rightofaccess_summarypublic.pdf

Please see also EDPB Copyright page

Posted on

de_berlin_2019-08_righttoobjectandrighttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 12 September 2018
LSA: DE – Berlin
CSAs: AT, DE – Bavaria (priv), DE – Mecklenburg-Western Pomerania, DE – Saarland, DE – Hesse, DE – Lower Saxony, DK, ES, FR, SE

Controller: Just Fabulous GmbH
Legal Reference: Right to erasure (Art 17)

Decision: Reprimand to Controller
Key words: Right to Erasure, e-commerce, Data Subject Rights not respected, Reprimand

Summary of the DecisionRight to Erasure, e-commerce, Data Subject Rights not respected, Reprimand

Origin of the case
Complainant requested deletion of personal data to the controller on 11 January 2018 and received a confirmation of the deletion on 15 January 2018. Despite this, s/he received e-mails on the 1 June (“Updating our data protection guidelines”) and 16 June 2018 (“Your feedback is important to us”) from the controller.

Findings
The controller did not fulfil its obligation under Article 17 para. 1 letter a GDPR. Controller showed understanding and announced that it would comply with GDPR and put an end to the reprimanded conduct.

Decision
Considering the specific circumstances a reprimand was considered appropriate.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/de_berlin_2019-08_righttoobjectandrighttoerasure_summarypublic.pdf

Please see also EDPB Copyright page