Right to erasure – Page 2 – Privacy Design®

June 28, 2020June 29, 2020

publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 18 January 2019
LSA: FR
CSAs: AT, BE, BG, CZ, DE – Bavaria (priv), DE – Lower Saxony, DE – Rhineland Palatinate, DE – Saarland, DE – Thuringia, EE, EL, ES, HR, HU, IE, IT, LT, LU, LV, NO, PL, RO, SE, SK, SI, UK
Legal Reference: Transparency and information and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Reprimand to controller
Key words: Right to Erasure, Data Subject Rights not respected, proportionality for proof of identity, Reprimand

Summary of the Decision

Origin of the case
Complainant states that the right to erasure has been refused by the controller. Controller requested a scan of the ID and a specimen of the signature of the data subject. Complainant argues that neither of the two were required upon the creation of the account.

Findings
By the time of the decision, the controller had already granted the right to erasure to the complainant without the complainant needing to provide further proof of identity.

However:
1. the Controller systematically requested individuals to provide a copy of an identity document for exercising their rights, regardless of their country of residence, without providing a basis for reasonable doubts as to the identity of the complainant according to Art 12.6 GDPR. “The level of verification to be carried out is depending on the nature of the request, sensibility of the communicated information and the context within which the request is being made.”
Thus, the controller required disproportionate information for the purpose of verifying the identity of the data subject.
The SA stated for “illustrative purposes, it is disproportionate to require a copy of an identity document in the event where the claimant made his request within an area where he is already authenticated. An identity document can be requested if there is a suspicion of identity theft or of account piracy for instance.”

2. A controller may only store information needed for the exercise of individuals’ rights until “the end of legal limitation applicable periods.” During this period, “the data have to be subject to an “intermediary” archiving on a support separate from the active base with a restricted access to authorized persons.”

The LSA references https://www.cnil.fr/fr/limiter-la-conservation-des-donnees.

The SA highlights under “Finally”, that it acknowledges that the new data protection rules applicable are leading “to “significant adaptations inside the”” controller, “concerning the exercise of data subjects’ rights.”

Decision
The SA reprimands “the controller for lack of compliance with the law” on the points above.

—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_dk_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR

Background information
Date of final decision: 25 October 2019
LSA: DK
CSAs: AT, BE, CY, DE, ES, FI, FR, HU, IT, LU, NL, NO, SE, SK, UK
Controller: PANDORA A/S
Legal Reference: Principles relating to processing of personal data (Article 5), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR and a reprimand to the controller.
Key words: Right to erasure, Data subjects’ rights, Transparency

Summary of the Decision

Origin of the case
The complainant requested to have his personal data deleted from the controller’s database. The controller replied that, before processing his erasure request, a proof of identification was necessary to confirm his identity. As the complainant refused to comply with the controller’s demand, his data were not deleted.

Findings
The LSA found that the controller’s procedure under which ID validation was required without exception when processing a data subject’s request was not in conformity with Article 12(6) and Article 5(1)(c) GDPR. The LSA also found that, under the controller’s procedure, data subjects had to provide more information than initially collected in order to have their request processed.
Consequently, the controller’s procedure for ID validation went beyond what was required and made burdensome for data subjects to exercise their rights.

Decision
The LSA criticized that the processing by the controller had not been done not in accordance with Article 12(6) and Article 5(1)(c) GDPR. It ordered the controller to decide within two weeks whether the conditions for erasure present in Article 17 GDPR were met and, if so, delete the complainant’s data.

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_de_saarland_2019-05_deletionofaccount_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Closure of proceedings

Background information
Date of final decision: 7 March 2019
LSA: DE -Saarland
CSAs: DK, FR, NO, SE
Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Closure of proceedings
Key words: Right to erasure, Exercise of the rights of data subjects

Summary of the Decision

Origin of the case
The complainant sent two emails to the controller requesting the deletion of this account on the controller’s website and servers. The controller did not answer the request.

Findings
The data controller acknowledged that it had failed to delete the complainant’s data, and proved that, following the inquiry sent by the LSA, the account was deleted. The controller also demonstrated that it had adopted appropriate organisational measures to ensure compliance with erasure requests in the future.

Decision
The LSA decided to not take further measures since the controller had acted promptly and had taken the appropriate measures to ensure the effectiveness of future requests related to the GDPR.

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_de-berlin_2020-02_article_16_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 19 February 2020
LSA: DE-Berlin
CSAs: AT, BE, DE, ES, FR, IE, PL, PT, UK
Controller: Sandbox Interactive GmbH
Legal Reference: Transparency (Article 12), Right to erasure (Article 17)

Decision: Infringement of the GDPR, Reprimand
Key words: Right to erasure, User account, Identity

Summary of the Decision
Origin of the case
The complainant requested to have his player account deleted from the controller database of the online game he had previously bought. The controller requested additional information in order to process the erasure request, which it eventually granted nine months after the complainant’s request and after being notified by the Berlin DPA.

Findings
The LSA found that the complainant requested to have his account deleted via the support function of his account, after logging in using his registration data. Although the controller may only request additional information in case of reasonable doubt regarding the identity of the natural person, the controller, in this case, did not explain why he had doubts regarding the complainant’s identity. Hence, the request for additional data was not only unnecessary, but also made it more difficult for the complainant to exercise his right to erasure. Furthermore, the LSA found that not only the controller did not inform the complainant about whether they are processing the erasure request or if there is an extension of the deadline imposed by the GDPR, but also granted the erasure request with a significant delay after the end of the legal deadline.
Following the LSA’s inquiry, the controller modified his process for the deletion of user accounts.

Decision
The LSA found that the controller did not comply with his obligations under the GDPR and issued a reprimand.

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_de_berlin_2019-04_rightoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 3 December 2018
LSA: DE – Berlin
CSAs: BE, DE-Mecklenburg-Western Pomerania
Controller: Chal-Tec GmbH
Legal Reference: Right to erasure (Article 17), Lawfulness of processing (Article 6), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Reprimand
Key words: Right to erasure, exercise of the rights of the data subject, lawfulness of the processing, e-Commerce

Summary of the Decision
Origin of the case
The complainant created an account on the controller’s website, and the same day he asked for its deletion. Despite receiving a confirmation e-mail about the deletion, the complainant could still log in to his account. In an e-mail, the data controller told the complainant that for legal reasons the account could not be deleted, but only deactivated.

Findings
Following a request for information by the LSA, the data controller deleted the account. The improper handling of the data subject’s request was due to keeping two separate databases, each handled by a different department of the controller which had miscommunicated in this case.

Decision
The LSA decided to reprimand the data controller as the removal of the complainant’s personal data was not carried out by the time it was due, i.e. per art. 58(2)(b) GDPR.

Comments
Even though the request was submitted by the complainant prior to the entry into force of the GDPR, on 25 May 2018 the account had not been deleted yet and therefore, the LSA states that the GDPR is applicable.

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_de_berlin_2019-04_reprimandtocontroller_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprim and to co ntro ll erBackground information
Date of final decision: 31 October 2018
LSA: DE- Berlin
CSAs: AT, BE, DK, LU, SE, DE- Bavaria, DE-Hesse, DE-Lower Saxony, DE-Mecklenburg-Western Pomerania , DE-Saarland
Controller: Outfittery GmbH
Legal Reference: Right to erasure (Article 17), Right to object (Article 21)

Decision: Reprimand to controller
Key words: Lawfulness of the processing, Rights of data subjects, Right to erasure, advertising

Summary of the Decision
Origin of the case
The complainant sent an e-mail to the controller requesting that he no longer receives any further emails, in particular advertising e-mails, and that he requests access to and erasure of his personal data. The complainant subsequently received further advertising e-mails. Information on the personal data processed and the notice of erasure were sent to the complainant.

Findings
The LSA considered that the controller had violated art. 17(1)(c) in conjunction with art. 21(2) GDPR because according to it the data subject has the right to require the data controller to erase his personal data as well as to object to its processing for advertising purposes. The controller must comply with such a request immediately. However, the controller did not comply with the request until much later.

Decision
The LSA decided to reprimand the controller.

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_cy_2019-11_right_of_access_and_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order

Background information
Date of final decision: 12 November 2019
LSA: CY
CSAs: DE-Lower Saxony, DE-Rhineland Palatinate, ES, FR, HU, NO
Controller: Marikit Holdings Ltd.
Legal Reference: Right to erasure (Article 17), Information to be provided to the data subject (Articles 13 and 14)

Decision: Compliance order
Key words: Right to erasure, Compliance with legal obligations, Data subject rights

Summary of the Decision
Origin of the case
The complainant alleged that after opening an account on the controller’s website to participate in a competition, he was not given the possibility to exercise his right to erasure and delete his account.
When the complainant contacted the controller to request the erasure of his account, the controller initially replied that deletion was not possible, proposing to block the account for one year instead.

Findings
In its initial reply to the LSA, the controller alleged that the data subject could not be identified as s/he did not provide the relevant email address. Subsequently, the controller informed the LSA that it would retain the data until it would be reasonably sure that such data would not need to be produced as supporting evidence before regulatory bodies, which could request data for a wide range of purposes. The erasure request was eventually granted after verification that deleting the complainant’s personal data would not lead to an infringement of other legal obligations.

In addition, the LSA found that the information provided to the data subjects in the privacy policy was
insufficient to facilitate the exercise of their rights.

Decision
Since the controller reacted to the erasure request within the timeframe provided in the GDPR and eventually granted it, the LSA found that no corrective measures should be imposed.

Nevertheless, the LSA ordered the controller to revise their privacy policy accordingly and to inform
the LSA of the revision.

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_cy_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE-Hamburg
Controller: Seachefs Cruises Ltd
Legal Reference: Right to erasure (Article 17), Lawfulness of processing (Article 6)
Decision: No infringement of the GDPR
Key words: Right to erasure, Data retention, Legal claims, Compliance with a legal obligation

Summary of the Decision
Origin of the case
The complainant submitted an erasure request to the controller, who was his previous employer. The HR department of the controller replied that some of his data (e.g. his passport information, employment contract, salary information and dismissal records) were to be kept in order to comply with national law obligations and be able to exercise or defend legal claims. As a result, the complainant lodged a complaint requesting the deletion of all his data.

Findings
The LSA found that, pursuant to the applicable national social insurance and tax law, the controller was required to keep records of all expenses including salaries. In order to comply with this obligation, the controller was obliged to keep the complainant’s passport information, employment contract and salary information. Moreover, according to the national law on statute of limitations, the controller was allowed to keep the complainant’s dismissal records for a period of six years after the dismissal as the complainant could appeal the decision of the controller to the relevant court.

Decision
The LSA found no infringement of the GDPR made by the controller.

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_cy_2019-10_erasure_request_ignored_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: CY
CSAs: DE, DK, ES, FR, HU, IT, LT, SK, NO
Controller: Hostinger International Ltd
Legal Reference: Right of access (Article 15), Right to erasure (Article 17), Right to object (Article 21)

Decision: No infringement of the GDPR
Key words: Right to erasure, Right to object, Data subject request, Advertising and marketing purposes

Summary of the Decision
Origin of the case
Two complainants lodged complaints with two CSAs regarding the controller’s failure to comply with their requests. The first complainant demanded that his email and other account data would no longer be processed for advertising and marketing purposes. The second complainant aimed at exercising his right of access.

Findings
Through several investigations, the LSA found that the controller never received the data subject requests. However, following the interaction with the LSA, the controller fully complied with the complainants’ requests.

Decision
The LSA found that the controller ultimately complied with his obligations under the GDPR. No further action towards the controller was taken.

Please see also EDPB Copyright page

June 28, 2020June 29, 2020

publishable_cy_2019-06_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 13 June 2019
LSA: CY
CSAs: AT, DE-Hessen, DK, ES, FR, NL, NO, SK, SE
Controller: IQ OPTION EUROPE LTD
Legal Reference: Right to Erasure (Article 17)
Decision: No violation
Key words: Right to erasure, e-commerce, Exercise of the rights of data subjects

Summary of the Decision
Origin of the case
The complainant alleged that he was denied erasure of his data due to his earlier consent to the general terms and conditions. The general terms and conditions, however, do not elaborate on the data subjects’ rights but only refer in a general manner to the GDPR.

Findings
After seeking information from the data controller, the LSA found that the controller was regulated by AML national legislation, which requires the retention of data for at least five years to ensure that regulators, companies, and customers have access to key business records regarding financial transactions.

Decision
No violation as the processing was lawful under the provision Art 17(1)(b) GDPR providing that “the processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.