Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 18 January 2019
LSA: FR
CSAs: AT, BE, BG, CZ, DE – Bavaria (priv), DE – Lower Saxony, DE – Rhineland Palatinate, DE – Saarland, DE – Thuringia, EE, EL, ES, HR, HU, IE, IT, LT, LU, LV, NO, PL, RO, SE, SK, SI, UK
Legal Reference: Transparency and information and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Reprimand to controller
Key words: Right to Erasure, Data Subject Rights not respected, proportionality for proof of identity, Reprimand

Summary of the Decision

Origin of the case
The complainant states that the controller refused the right to erasure. The controller requested a scan of the ID and a specimen of the data subject's signature. The complainant argues that neither of the two was required upon the creation of the account.

Findings
By the time of the decision, the controller had already granted the right to erasure to the complainant without the complainant needing to provide further proof of identity.

However:
1. the Controller systematically requested individuals to provide a copy of an identity document for exercising their rights, regardless of their country of residence, without providing a basis for reasonable doubts as to the identity of the complainant according to Art 12.6 GDPR. “The level of verification to be carried out is depending on the nature of the request, sensibility of the communicated information and the context within which the request is being made.”
Thus, the controller required disproportionate information for the purpose of verifying the identity of the data subject.
The SA stated for “illustrative purposes, it is disproportionate to require a copy of an identity document in the event where the claimant made his request within an area where he is already authenticated. An identity document can be requested if there is a suspicion of identity theft or of account piracy for instance.”

2. A controller may only store information needed for the exercise of individuals’ rights until “the end of legal limitation applicable periods.” During this period, “the data have to be subject to an “intermediary” archiving on a support separate from the active base with a restricted access to authorized persons.”

The LSA references https://www.cnil.fr/fr/limiter-la-conservation-des-donnees.

The SA highlights under “Finally” that it acknowledges that the new data protection rules applicable are leading “to significant adaptations inside the” controller, “concerning the exercise of data subjects’ rights.”

Decision
The SA reprimands “the controller for lack of compliance with the law” on the points above.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-01_right_to_erasure_summarypublic.pdf