Right to erasure – Privacy Design®

June 28, 2020June 29, 2020

updated_publishable_be_2019-05_rightoferasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 17 May 2019
LSA: BE
CSAs: NL, SE
Legal Reference: Right to erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of data subjects (Article 12)
Decision: Compliance order to controller
Key words: Right to erasure, Exercise of the rights of the data subjects

Summary of the Decision
Origin of the case
The complaint concerned the failure of the controller to comply with the request of a data subject concerning the exercise of his right of erasure. After two submissions of the webform in order to have his data removed, the complainant also sent e-mails with the same request on 28/06/2018.
The complainant still did not receive any reply and asserted that the controller did not respond within a month following the request.

Findings
The controller has failed to comply with the request of the data subject, thus violating its obligations under Article 12.3 GDPR. The LSA considers that the deadline to answer the request “has been exceeded at all levels”.

Decision
The LSA decided to order the controller to comply with the data subject’s request concerning the exercise of the right of erasure.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/updated_publishable_be_2019-05_rightoferasure_summarypublic.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_uk_2019-08_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final Decision 7 August 2019

LSA: UK
CSAs: AT

Legal Reference: Right to erasure (Article 17)

Decision: Violation identified; No regulatory action.

Key words: Right to erasure, Marketing

Summary of the Decision

Origin of the case
The complainant stated that he asked the controller not to send him marketing emails, yet he continued to receive them.

Findings
The UK SA found that the controller did not comply with its data protection obligations.
The controller stated that the complainant send his request to unsubscribe to a ‘no-reply’ email address, instead of using the ‘unsubscribe’ button. However, the email address was not clearly recognisable as a ‘no-reply’ email address.

Decision
The UK SA took note of the actions taken by the controller, including a change to its processes so that the email address from which marketing communications are sent is now monitored. No regulatory action was taken.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_right_to_erasure_not_granted_summarypublic.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_mt_2019-07_rightoferasurearticle_17_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 4 March 2019
LSA: MT
CSAs: IE
Legal Reference: Right to erasure (Article 17)
Decision: No violation
Key words: Right to erasure, right of access request, exercise of the rights of the data subjects

Summary of the Decision

Origin of the case
The complainant made a right to access/erasure request to the controller. The controller requested the complainant to confirm her identity but she failed to do so.
The controller has erased the complainant’s personal data accordingly to its privacy policy and taking into consideration a still existing “Compromise Agreement” between the controller and the complainant. Concerning the right of access request, the only reason why the information was not provided revolves around the complainant’s failure to verify her identity with the controller. The complainant then contended that the controller did not accede to the right of access request.

Findings
The LSA assessed that the controller satisfied the complainant’s right of erasure request to the extent permissible by the applicable laws, including but not limited to, employment legislation.

The LSA found that the controller took all the necessary steps to handle the complainant’s right of access. The only reason why the information was not provided, was due to the complainant’s failure to verify her identity with the controller (the email she was using was not known to the controller).

Decision
The LSA decided that the controller did not infringe the provisions of the GDPR, and consequently dismissed the compliant.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-07_rightoferasurearticle_17_summarypublic.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_mt_2019-06_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance Order to Controller

Background information
Date of final decision: 7 June 2019

LSA: MT
CSAs: ES

Legal Reference: Right to erasure (Article 17)

Decision: Compliance order to controller

Key words: Right to erasure, Data subject rights, Accuracy

Summary of the Decision

Origin of the case
A Spanish data subject filed a complaint with the Spanish SA as she was receiving unsolicited phone calls even after having filed an erasure request and such erasure had been confirmed by the data controller.

Findings
The complainant’s phone number was fraudulently provided to the controller by one of its clients.
Since the controller was not aware of this, it tried to contact the client on such phone number. The complainant filed a right of erasure request. During a phone call, the controller erroneously informed the complainant of the need to submit a second erasure request to delete the number from another database held by the controller, whereas only one database existed. Form the call logs provided by the controller it transpires that the complainant phone number was erased from the controller’s database immediately after the first erasure request. All the erasure requests from the complainant were followed by erasure confirmations sent by the controller. The controller couldn’t exclude the possibility that the complainant’s residence’s phone number was fraudulently provided by the same client, also to other entities/lenders and that these entities/lenders may make use of it.

Decision
The LSA instructed the data controller to implement the appropriate technical and organisational measures to make sure that personal data are accurate and, where necessary, kept up to date, and that every reasonable step is taken to ensure that personal data that are inaccurate, having regards to the purposes for which they are processed, are erased or rectified without delay.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-06_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_lu_2019-05_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019
LSA: LU
CSAs: AT, BE, CZ, DE – Mecklenburg-Western Pomerania, DE – Berlin, DE – Lower Saxony, DE – Bavaria (Private sector), DE – Saarland, DE – North Rhine-Westphalia, DK, FR, IT, NO, PL, SE, SI, SK

Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: No infringement of the right to erasure

Key words: Right to erasure, e-commerce, Exercise of the rights of data subjects

Summary of the Decision

Origin of the case
The complainant requested the erasure of his customer account in the controller website, and he asserted that the controller did not respond within a month following his request.

Findings
The controller demonstrated that it did not delete the account because the request was lodged via a different email address than the one associated with the customer account. For security reasons, the controller contacted the complainant and asked him to submit the request from the same e-mail address associated with the customer account or, if not possible, to change his login details. The complainant did not take any action and therefore, the controller could not authenticate him as the owner of the customer account.
After receiving the letter from the LSA, the controller contacted the complainant on the e-mail address associated with the customer account and offered him to associate his other e-mail address to the customer account.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The CSA to which the complaint was lodged informed the LSA that the complainant was satisfied with the answer from the controller and that the cross-border complaint should be closed.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_right_to_erasure_not_granted_summarypublic.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand

Background information
Date of final decision: 11 May 2020
LSA: FR
CSAs: ES, PT, UK

Legal Reference: Right to erasure (Article 17)
Decision: Reprimand
Key words: Right to erasure, Data retention

Summary of the Decision

Origin of the case
The data subject requested the controller to delete their personal data and received the controller’s confirmation of the deletion of the data subject’s account and their personal data. However, despite the confirmation, the data subject verified that he/she still had access to their customer account with the controller. Consequently, the data subject decided to lodge a complaint with the LSA.

Findings
In a first exchange of communications between the LSA and the data controller, the controller stated it had deactivated the complainant’s account the day after their request, but that the deactivation was not effective when the complainant tried access the account due to a technical malfunction, which was only resolved months after. In a second letter, the controller reported that one the members of its customer service team had previously obfuscated the sole complainant’s account ID to try to solve the data subject’s difficulty, which prevented the functioning of the script and overall, the deletion of the account.

When the LSA inquired the controller for the second time, the controller had subsequently restored the complainant’s account ID and restarted the script so that the account could effectively be unavailable. The LSA concluded that the controller had not been able to demonstrate the effectiveness of the deletion of the complainant’s data, despite a first confirmation to the complainant and a second one to the LSA.

The controller indicated that it would proceed with the definitive deletion of the complainant’s data at the end of the applicable limitation periods and domestic retention obligations.

Decision
The LSA reprimanded the controller on the need to sort through the complainant’s data to store, in intermediate archives with restricted access, solely the personal data necessary for the exercise of legal claims, or for compliance with legal obligations.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Summary Final Decision Art 60
Investigation

Compliance order

Background information
Date of final decision: 16 December 2019
LSA: FR
CSAs: BE, DE-Rhineland-Palatinate, DK, ES, IT, HU, LU, PL, PT, SE, SK
Legal Reference: Transparency and Information (Articles 12, 13 and 14), Right to erasure (Article 17), Right to object (Article 21), Security of processing (Article 32)

Decision: Order to comply
Key words: Transparency and Information, Right to Erasure, Right to Object, Security of Processing, E-Commerce, Direct Marketing, Children, Consumers

Summary of the Decision

Origin of the case
The LSA conducted two on-site investigations at the controller’s premises to audit the controller’s compliance with the GDPR and tested the procedure set up by the controller to create an account.

Findings
The controller is a company offering subscription to educational magazines for children. On the basis of the investigation, the LSA found several GDPR infringements. First of all, several breaches of the obligation to inform data subjects, enshrined in articles 12 and 13 GDPR, were identified. No information relating to data protection nor link to the controller’s Terms and Conditions was given to the data subjects upon registration or when placing an order. As a consequence, the information was considered to be not accessible enough.
The Terms and Conditions did not include any information on the legal basis for processing, on the retention period and on the individual rights to restriction of processing, data portability, or to submit a claim to a supervisory authority. Although the target audience was French-speaking and the website is fully in French, the “unsubscribe” button in the newsletter and marketing emails was hyperlinked to a text in English, asking for confirmation. An additional hypertext link was included in the final page (titled “Clicking here”): this is misleading for the user, as clicking on such link actually resulted in a new subscription.

Secondly, a breach of the obligation to comply with the request to erase data was identified, as personal data was not erased systematically when requested by data subjects although there was no legal requirement to keep it and although users had been informed of the erasure of the data.

Last, there was a breach of the obligation to ensure the security of data, concerning passwords, locking of workstations, and access to data. More specifically, the password requirements and methods for processing the passwords were found to be non-compliant with the obligation to implement technical and organisational measures to ensure a level of security appropriate to the risk, since authentication was based on insufficiently complex passwords and obsolete hash algorithms. Additionally, the computer used by one of the database’s administrators was configured to never automatically lock or go on sleep mode. With regard to access to data, the absence of specific identification (i.e. the use of the same account by several people) made it impossible to ensure access traceability.

Decision
The LSA ordered the controller to comply, within two months of the notification of the decision, with several specific instructions.
First, the controller was ordered to provide full information to data subjects about the processing activities, in an easily accessible manner. Additionally, the LSA ordered the controller to set up a procedure for unsubscribing that is compliant with Articles 12 and 21 GDPR.
Secondly, the controller was ordered to ensure the effectiveness of all requests to exercise the right of erasure.
Last, the authority ordered the controller to take appropriate security measures to protect personal data and prevent access thereto by unauthorised third parties (by setting up a new password policy, avoiding the transmission of passwords in clear text, ensuring that workstations go on sleep mode, and setting up individual accounts).

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_fr_2019-10_right_to_erasure_ignored_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 23 September 2019
LSA: FR
CSAs: DE-Mecklenburg-Western Pomerania, DE-Rhineland-Palatinate, ES
Legal Reference: Right to erasure (Article 17)

Decision: No infringement of the GDPR
Key words: Right to erasure, Electronic communications, Payment data

Summary of the Decision

Origin of the case
The complainant asked for the deletion of his user account on the Spanish version of the controller’s website. In its reply, the controller stated that it was required to keep some of his data. However, it informed the complainant of the date on which all of his data would be entirely deleted.

Findings
The LSA found that, pursuant to national law, the controller was required to retain the complainant’s payment data in an intermediate archive upon the deletion of his user account in order to manage claims and disputes related to a payment made on its platform. In consequence, the controller acted in accordance with Article 17 (3) GDPR when it kept some of the complainant’s data.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-10_right_to_erasure_ignored_summarypublic.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_fr_2019-09_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 29 August 2019
LSA: FR
CSAs: BE
Legal Reference: Right to erasure (Article 17), Right to object (Article 21)

Decision: No violation
Key words: Right to erasure, Right to object, Anonymisation

Summary of the Decision

Origin of the case
In a complaint filed with the CSA, the complainant alleged that personal data in her email correspondence with the controller was published on the controller’s website without her consent.

Findings
After communicating with the LSA, the controller took action to anonymise the complainant’s first and last names from the correspondence.

Decision
The LSA invited the controller to anonymise the copies of all the letters published on its website.

No further action towards the controller was taken.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-09_right_to_erasure_summarypublic.pdf