publishable_uk_2019-08_identity_check_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 3 August 2019

LSA: UK
CSAs: AT, BE, BG, CY, CZ, DE, DK, EL, ES, FI, FR, HR, HU, IE, IT, NO, PL, PT, SE

Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided (Articles 13-14), Right of access (Article 15)

Decision: No violation

Key words: Data subject rights, right of access

Summary of the Decision

Origin of the case
A French complainant asked the controller how to download all of his personal data, and the controller proceeded with the necessary identity verification checks.

Findings
Upon receipt of the identity verification, the controller escalated the request promptly and supplied the data subject with an encrypted file containing his personal data via email, and subsequently with the decryption password. The initial delay in dealing with the matter was due to the fact that the emails from the controller had been sent to the data subject’s spam folder.

Decision
The UK SA found that the controller complied with its obligations under the GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_identity_check_summarypublic.pdf

Please see also EDPB Copyright page

publishable_mt_2019-10_right_of_access_request_art_15_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 28 October 2019
LSA: MT
CSAs: PL
Legal Reference: Right of access (Article 15)
Decision: Infringement of Article 15 GDPR
Key words: Right of access, Data subjects’ rights, Data subject access request, Bank, Technical and organisational measures

Summary of the Decision

Origin of the case
The complainant filed a complaint with the CSA contending that the controller did not comply with her access request within the established 30-day period.

Findings
The LSA found that a letter and a file containing the copy of the complainant’s data were supposed to be sent to her on the day following the request. However, the email was erroneously categorised as “internal only”, which resulted in a failure to send such letter and file to the complainant.
Furthermore, the employee with access to the relevant mailbox left the company without ensuring that the complainant received a reply. Following the LSA’s investigation and the discovery of the mistake, the controller provided the complainant with a letter giving details about the processing of her data and the file containing the requested information.
Furthermore, the LSA requested the controller to submit details on the organizational and security measures implemented to avoid similar incidents in the future. To ensure an adequate follow-up of the access requests, the controller improved its back-up continuity procedure under which the back-up person would intervene if the main contact was not capable of complying with the client’s request.

Decision
The LSA found that the controller infringed Article 15 GDPR by not having adequate procedures in place to deal with subject access requests, thus depriving the complainant of the right to access her data within the established timeframe. As a result, and also in light of several mitigating circumstances, the controller received an administrative fine of 8,000 euros. The LSA also instructed the controller to implement the appropriate technical measures to enhance the organizational and security measures already put in place.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-10_right_of_access_request_art_15_summarypublic.pdf

publishable_lu_2019-05_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019
LSA: LU
CSAs: AT, BE, CY, CZ, DE – Berlin, DE – Lower Saxony, DE – Rhineland-Palatinate, DE – Bavaria (Private sector), DE – Mecklenburg-Western Pomerania, DK, ES, FI, FR, IE, IT, PL, SE, SK, NO

Legal Reference: Right of access by the data subject (Article 15), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: No infringement

Key words: Right of access, exercise of the rights of the data subject, e-commerce

Summary of the Decision

Origin of the case
The complainant requested access to his personal data held by the controller because his national ID number, his address and his IP had been blocked by the controller’s platform and he was thus unable to use its services. He wanted to know the reason and thus requested access to his data.

Findings
The controller demonstrated that it had provided the complainant with access to the data concerning him and his seller account. The controller provided the relevant communication to the LSA and it also clarified that the blockage of the complainant’s information was due to a violation of the controller’s selling policies. The controller also explained that it had granted the complainant the right to appeal the blockage, but instead he tried to circumvent the decision by opening new seller accounts, which were blocked. However, the controller allowed him to create a customer account.

Decision
The LSA found that there had been no violation of the GDPR, since the controller had granted the complainant the right of access to his data. The LSA and the CSA agreed to close the cross-border complaint, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_rightofaccess_summarypublic.pdf

publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019

LSA: LU
CSAs: ES, FR, CZ

Legal Reference: Lawfulness of the processing (Article 6), Principles relating to the processing of personal data (Article 5), Right of access (Article 15), Security of processing (Article 32)

Decision: No violation
Key words: Lawfulness of processing, Third party access to personal data, Rights of data subjects, Right of access, Security of processing, e-commerce

Summary of the Decision
Origin of the case
The complainant received a parcel from an unknown person who wanted to return an item that she had purchased on the controller’s website. The complainant’s name and address had been indicated to the third individual as the place to return the parcel he had purchased.

Findings
The third party was a customer of the controller who had bought an item from a seller located in China, from which the complainant had also made a purchase. The personal data of the complainant had been disclosed to the third party by the seller. After conducting an internal inquiry, the controller took corrective measures against the seller and informed the complainant.

Decision
The LSA found that there had been no violation of the GDPR. The LSA and the CSA agreed to close the cross-border complaint, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic_0.pdf

publishable_li_2019-08rightofaccessnotgranted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance Order to Controller

Background information
Date of final decision: 27 August 2019

LSA: LI

CSAs: DE-Lower Saxony

Legal Reference: Principles relating to processing of personal data (Article 5), Right of access (Article 15)

Decision: Compliance order to controller

Key words: Right of access, Information to data subjects

Summary of the Decision

Origin of the case
The complainant alleged that the controller infringed Article 15 GDPR by providing him with incomplete information concerning the purposes of the processing, the storage period and the right to appeal to a supervisory authority.

Findings
Concerning the processing purpose, the LSA found that the information provided by the controller was incomplete. In fact, it stated that personal data were processed solely for the purpose of participating in a prize competition. However, personal data were also transferred to sponsors for marketing purposes. The controller should have included this additional purpose of the processing when providing information to the data subject.

Concerning the storage period, the LSA found that the information provided by the controller was also incomplete. In particular, there was no specification on the storage period or the criteria according to which the storage period would be determined.

Concerning the right of appeal to a supervisory authority, the LSA found that the controller was under no legal obligation to specify which supervisory authority was competent. Nonetheless, the controller was advised to do so in order to facilitate the exercise of data subjects’ rights.

Decision
The LSA found that the controller infringed Article 15 GDPR by not providing the complainant with correct and sufficient information regarding the purposes of the processing and the storage period of the data and therefore ordered compliance.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-08rightofaccessnotgranted_summarypublic.pdf

publishable_fr_2020_rights_of_the_data_subject_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to the controller

Background information
Date of final decision: 25 February 2020
LSA: FR
CSAs: BE, DE Berlin, DE Hesse, DE Lower Saxony, DE Mecklenburg-Western Pomerania, DK, ES, FI, SE, UK
Legal Reference: Responsibility of the controller (Article 24), Security of processing (Article 32)

Decision: Reprimand
Key words: Password, Right of access, Marketing preferences, Data security

Summary of the Decision

Origin of the case
The complainants encountered difficulties during the exercise of the right to object to direct marketing and of the rights of access and portability.

Findings
The LSA found during the investigation that an incident arose during the migration of the controller’s consent management tool for marketing communications, causing consents that had not been given or had been withdrawn to be considered as given or not withdrawn, and the users’ communication preferences not to be taken into account in the controller’s communication campaigns.

Although the LSA noted that the problem had been solved and that the users’ communication preferences had been restored, it stems from this incident that, prior to the migration of its consent management tool, the controller had not implemented the necessary measures as required by Article 24 GDPR.

The LSA also found that the controller’s procedure to process access requests was not fully compliant with Article 32 GDPR. Indeed, the LSA noted that, in the absence of a client account, the username and password for connection to content containing personal data were sent to data subjects via one and the same channel.

Thus, the controller has been asked to modify this procedure. The LSA determined that the controller had improved the procedures to handle data subject rights requests and trained employees on such procedures.

Decision
The LSA issued a reprimand to the controller.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020_rights_of_the_data_subject_summarypublic.pdf

publishable_de_hessen_2019-09_right_of_access_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 12 September 2019
LSA: DE-Hessen
CSAs: CY, DK, ES, FR, SE
Legal Reference: Right of Access (Article 15), Exercise of Data Subject Rights (Article 12)

Decision: No infringement of the GDPR
Key words: Right of access, Exercise of data subject rights

Summary of the Decision

Origin of the case
The complainant alleged that he did not receive a response to his request to access a copy of his personal data, processed by the controller, within the one-month timeframe set by the GDPR.

Findings
The LSA found that, at the time of the complaint, the controller was faced with a significant volume of data protection related queries, justifying the need for an extension of the timeframe.
In a first reply to the request, the controller gave access only to a part of the personal data requested. The complainant reiterated the request for the remaining personal data. A second reply was sent to the complainant, which the complainant never received. Once the complaint was made to the LSA, the controller sent the letter again, which the complainant received this time. The controller also improved their internal processes for future responses to such requests.

Decision
No infringement of the GDPR was found, since appropriate action had been undertaken by the controller.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_hessen_2019-09_right_of_access_summarypublic.pdf

publishable_de_hessen_2019-09_right_of_access_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 12 September 2019
LSA: DE-Hessen
CSAs: CY, DK, ES, FR, SE
Legal Reference: Right of Access (Article 15), Exercise of Data Subject Rights (Article 12)

Decision: No infringement of the GDPR
Key words: Right of access, Exercise of data subject rights

Summary of the Decision
Origin of the case
The complainant alleged that he did not receive a response to his request to access a copy of his personal data, processed by the controller, within the one-month timeframe set by the GDPR.

Findings
The LSA found that, at the time of the complaint, the controller was faced with a significant volume of data protection related queries, justifying the need for an extension of the timeframe.
In a first reply to the request, the controller gave access only to a part of the personal data requested. The complainant reiterated the request for the remaining personal data. A second reply was sent to the complainant, which the complainant never received. Once the complaint was made to the LSA, the controller sent the letter again, which the complainant received this time. The controller also improved their internal processes for future responses to such requests.

Decision
No infringement of the GDPR was found, since appropriate action had been undertaken by the controller.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_hessen_2019-09_right_of_access_summarypublic_0.pdf

publishable_de-brandenburg_2019-10_right_of_access_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 2 October 2019
LSA: DE-Brandenburg
CSAs: AT, BE, DE-Berlin, DE-Hesse, DE-Lower Saxony, DE-Mecklenburg-Western Pomerania, DE-North Rhine-Westphalia, DE-Saarland, DE-Thuringia, DK, ES, FR, HU, IT, LU, NO, PL

Legal Reference: Right of access (Article 15), Principles relating to processing of personal data (Article 5)

Decision: No infringement of the GDPR
Key words: Right of Access, Legal Age, Verification Process

Summary of the Decision
Origin of the case
The complainant requested access to his personal data processed by the controller. The controller verified the data subject’s identity, and subsequently informed the complainant that his account had been suspended due to a discrepancy between the information concerning his age on his account and the information he had provided for the verification of his identity for the request.
Since he was 15 years old at the time and thus a minor, he was also asked to send parental consent, a copy of his ID card and of his birth certificate, in order to access his personal data. The complainant filed a complaint to the CSA on the basis that the information he had provided for the verification process was wrongly used to suspend his account, instead of being used for the process of giving access to personal information.

Findings
The controller underlined that, at the time of the request, there was no standardised process in place within the company for requests by minors, since the contractual relationship between the controller and the data subjects depends on the fact that the data subjects are adults. Shortly after the controller requested additional documentation for parental consent, this request was set aside and access to personal data was in fact given to the complainant. Finally, further measures were taken by the controller to improve the data access process.

Decision
The request for information was answered in due time and the controller’s verification process has been modified in a suitable manner. The LSA therefore found that there was no infringement of the GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de-brandenburg_2019-10_right_of_access_summarypublic.pdf

publishable_de-berlin_2019-08_right_of_access_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 3 September 2019
LSA: DE-Berlin
CSAs: AT, BE, CY, DE-Lower Saxony, DE-Saarland, DK, ES, FI, FR, HU, IT, NO, PL, SK
Controller: MZ Denmark GmbH (Mozilla)
Legal Reference: Transparency (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Information to be provided where personal data have not been obtained from the data subject (Article 14), Right of access (Article 15)

Decision: No infringement of the GDPR
Key words: Right of access, Transparency and Information

Summary of the Decision
Origin of the case
The complainant requested to have access to his information without having to send a postal request to the controller’s address in the United States. No other contact options such as an email address or web form were listed in the controller’s privacy policy.

Findings
The controller communicated to the LSA that, due to a human error, the email address was not included in the privacy policy. This error was immediately rectified following the correspondence with the LSA. The controller also created a portal for enquiries from data subjects. A link to this portal was integrated in the privacy policy.

Decision
The LSA did not find it necessary to establish whether an infringement had taken place, as the controller had complied with its obligations under the GDPR.
Furthermore, the LSA was informed by the SA receiving the complaint that the complainant had withdrawn his complaint.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de-berlin_2019-08_right_of_access_summarypublic.pdf