publishable_li_2019-08_noviolation_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 12 August 2019
LSA: LI
CSAs: DE-Brandenburg
Legal Reference: Lawfulness of the processing (Article 6), Conditions for consent (Article 7), Principles relating to processing of personal data (Article 5)
Decision: No violation
Key words: Advertising, Lawfulness of the processing, Lack of evidence

Summary of the Decision

Origin of the case
The complainant alleged he had received unwanted advertising. After requesting access to his personal data, he received a screenshot from the controller showing the information he had allegedly shared in order to participate in an online competition. This included his address and contact details.
The complainant argued that he had in fact not participated in the online competition and did not provide his consent, so he lodged a complaint assuming that a third party entered his contact details.

Findings
The LSA sent a request for further information to the complainant, which remained unanswered.

Decision
The case was rejected as no evidence was submitted by the complainant.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-08_noviolation_summarypublic_0.pdf

Please see also EDPB Copyright page

publishable_li_2019-07_rightofaccessnotgranted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 21 August 2019
LSA: LI
CSAs: DE-Lower Saxony
Legal Reference: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Conditions for consent (Article 7), Right of access by the data subject (Article 15), Security of processing (Article 32)

Decision: Compliance order to controller
Key words: Consent, Transparency

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the Commissioner for Data Protection of Lower Saxony, alleging he received unsolicited personalised advertising. In its reply to the data subject’s right of access request, the controller had stated that the complainant’s personal data was the result of a prize competition in which he had allegedly participated, consenting to the use of his data for marketing purposes by the controller or its sponsors.

Findings
In its assessment of the validity of the consent provided by the complainant, the LI SA found that the text explaining the checkbox for consent was inconsistent with the privacy policy, which referred to a wider range of processing activities and a larger number of recipients: thus, the consent was not legally valid and Articles 5(1)(a), 6 and 7 GDPR were violated.
Furthermore, the LI SA found that the controller did not comply with Article 15 GDPR as it did not appropriately provide the data subject with information on the purposes of the processing of personal data, the recipients and the storage period.
In addition, violations of Article 32 GDPR were also identified: first, the technical and organizational measures implemented by the processor (e.g. double opt-in procedure) were not sufficient to prevent the misuse of personal data; secondly, the unauthorized entry of data could not be traced back due to the deletion of the link relating to the generated lead after a 30-day period.

Decision
The LI SA required the controller to take the following steps within three months:

– seek consent in accordance with Article 7 GDPR and revise the Terms and Conditions and Privacy Notice of the prize competition;

– implement further technical and organisational measures;

– ensure that the author or source of the manipulation can be identified.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-07_rightofaccessnotgranted_summarypublic.pdf

publishable_it_2019-09_newsletter_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No ongoing infringement of the GDPR

Background information
Date of final decision: 17 September 2019

LSA: IT
CSAs: DE-Baden-Württemberg, DE-Hamburg, DE-Rhineland-Palatinate
Legal Reference: Right to erasure (Article 17)

Decision: No ongoing infringement of the GDPR
Key words: Right to erasure, Spam, Newsletter

Summary of the Decision

Origin of the case
The complainant sent an email to the controller to unsubscribe from a newsletter. The day following the erasure request, he received another SPAM email from the newsletter.

Findings
The LSA found that, instead of sending the erasure request to the dedicated email address present in the marketing email footer, the complainant sent it to the wrong email address, thus slowing down the procedure. Despite the complainant’s mistake, the controller dealt with the erasure request within a few days.

Decision
The LSA found that the controller ultimately complied with its obligations under the GDPR, since some technical processing time is unavoidable, especially if the data subject exercises his right by writing to the wrong e-mail address, and dismissed the complaint.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_it_2019-09_newsletter_summarypublic.pdf

publishable_fr_2020_rights_of_the_data_subject_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to the controller

Background information
Date of final decision: 25 February 2020
LSA: FR
CSAs: BE, DE Berlin, DE Hesse, DE Lower Saxony, DE Mecklenburg-Western Pomerania, DK, ES, FI, SE, UK
Legal Reference: Responsibility of the controller (Article 24), Security of processing (Article 32)

Decision: Reprimand
Key words: Password, Right of access, Marketing preferences, Data security

Summary of the Decision

Origin of the case
The complainants encountered difficulties when exercising the right to object to direct marketing and the rights of access and portability.

Findings
During the investigation, the LSA found that an incident had arisen during the migration of the controller’s consent management tool for marketing communications, causing consents that had not been given or had been withdrawn to be treated as given or not withdrawn, and the users’ communication preferences not to be taken into account in the controller’s communication campaigns.

Although the LSA noted that the problem had been solved and that the users’ communication preferences had been restored, it follows from this incident that, prior to the migration of its consent management tool, the controller had not implemented the necessary measures as required by Article 24 GDPR.

The LSA also found that the controller’s procedure to process access requests was not fully compliant with Article 32 GDPR. Indeed, the LSA noted that, in the absence of a client account, the username and password for connection to content containing personal data were sent to data subjects via one and the same channel.

Thus, the controller has been asked to modify this procedure. The LSA determined that the controller had improved the procedures to handle data subject rights requests and trained employees on such procedures.

Decision
The LSA issued a reprimand to the controller.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020_rights_of_the_data_subject_summarypublic.pdf

publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand

Background information
Date of final decision: 11 May 2020
LSA: FR
CSAs: ES, PT, UK

Legal Reference: Right to erasure (Article 17)
Decision: Reprimand
Key words: Right to erasure, Data retention

Summary of the Decision

Origin of the case
The data subject requested the controller to delete their personal data and received the controller’s confirmation of the deletion of the data subject’s account and their personal data. However, despite the confirmation, the data subject verified that he/she still had access to their customer account with the controller. Consequently, the data subject decided to lodge a complaint with the LSA.

Findings
In a first exchange of communications between the LSA and the data controller, the controller stated it had deactivated the complainant’s account the day after their request, but that the deactivation was not effective when the complainant tried to access the account due to a technical malfunction, which was only resolved months after. In a second letter, the controller reported that one of the members of its customer service team had previously obfuscated the sole complainant’s account ID to try to solve the data subject’s difficulty, which prevented the functioning of the script and, overall, the deletion of the account.

When the LSA questioned the controller for the second time, the controller had subsequently restored the complainant’s account ID and restarted the script so that the account could effectively be unavailable. The LSA concluded that the controller had not been able to demonstrate the effectiveness of the deletion of the complainant’s data, despite a first confirmation to the complainant and a second one to the LSA.

The controller indicated that it would proceed with the definitive deletion of the complainant’s data at the end of the applicable limitation periods and domestic retention obligations.

Decision
The LSA reprimanded the controller on the need to sort through the complainant’s data to store, in intermediate archives with restricted access, solely the personal data necessary for the exercise of legal claims, or for compliance with legal obligations.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf

publishable_fr_2020-02_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand

Background information
Date of final decision: 20 February 2020
LSA: FR
CSAs: LU
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Right to object (Article 21)

Decision: Reprimand
Key words: Right to object, E-commerce

Summary of the Decision

Origin of the case
The complainant received SMS marketing on his phone. Following his objection to the controller, he received another marketing SMS.

Findings
The LSA noted that there was a delay of 48-72 hours in the deletion of the complainant’s data. The controller will now inform individuals of the above-mentioned delay when they exercise their right to object.

Further, the LSA found out that the controller’s procedure for requests to exercise rights required complainants to systematically provide a copy of an identity document, in breach of Article 12(6) GDPR. Also, the information delivered to individuals at the registration stage and when sending direct marketing messages did not meet the objective of transparency, accessibility and clarity as set out in Article 12.2 GDPR.

The controller undertook the necessary actions to adjust its procedure to request an identity document only under specific circumstances and to improve the information delivered to individuals at the registration stage and when sending direct marketing messages, for instance detailing the contact addresses for exercising rights.

Decision
The LSA issued a reprimand in accordance with Article 58(2)(b) GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-02_right_to_object_summarypublic.pdf

publishable_fr_2020-01_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 27 January 2020
LSA: FR
CSAs: AT, BE, DE, ES, IT, NL, UK
Legal Reference: Transparency (Article 12), Right to erasure (Article 17), Right to object (Article 21)

Decision: Infringement of the GDPR
Key words: Erasure request, Objection, Direct marketing emails, Electronic communications, Reprimand

Summary of the Decision

Origin of the case
The complainant requested to have his account and personal data deleted and objected to the reception of direct marketing emails. According to the complainant, the controller did not comply with his requests.

Findings
The LSA found that, despite having deleted the complainant’s account and personal data a few days after receiving the erasure request, the controller did not inform the complainant of the erasure.
Moreover, in order for the complainant to unsubscribe from direct marketing emails, he had to have an account with the controller’s services. As his account was deleted, the complainant no longer had the possibility to unsubscribe from direct marketing emails. However, the LSA found that the controller erased the complainant from the direct marketing databases, albeit with a delay due to the lack of synchronisation between its direct marketing database and the tool used by its subsidiary to send emails to members.

Decision
The LSA found that the controller did not comply with its obligations under the GDPR and issued it a reprimand.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-01_right_to_object_summarypublic.pdf

publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Summary Final Decision Art 60
Investigation

Compliance order

Background information
Date of final decision: 16 December 2019
LSA: FR
CSAs: BE, DE-Rhineland-Palatinate, DK, ES, IT, HU, LU, PL, PT, SE, SK
Legal Reference: Transparency and Information (Articles 12, 13 and 14), Right to erasure (Article 17), Right to object (Article 21), Security of processing (Article 32)

Decision: Order to comply
Key words: Transparency and Information, Right to Erasure, Right to Object, Security of Processing, E-Commerce, Direct Marketing, Children, Consumers

Summary of the Decision

Origin of the case
The LSA conducted two on-site investigations at the controller’s premises to audit the controller’s compliance with the GDPR and tested the procedure set up by the controller to create an account.

Findings
The controller is a company offering subscriptions to educational magazines for children. On the basis of the investigation, the LSA found several GDPR infringements. First of all, several breaches of the obligation to inform data subjects, enshrined in Articles 12 and 13 GDPR, were identified. Neither information relating to data protection nor a link to the controller’s Terms and Conditions was given to the data subjects upon registration or when placing an order. As a consequence, the information was considered to be not accessible enough.
The Terms and Conditions did not include any information on the legal basis for processing, on the retention period and on the individual rights to restriction of processing, data portability, or to submit a claim to a supervisory authority. Although the target audience was French-speaking and the website is fully in French, the “unsubscribe” button in the newsletter and marketing emails was hyperlinked to a text in English, asking for confirmation. An additional hypertext link was included in the final page (titled “Clicking here”): this is misleading for the user, as clicking on such link actually resulted in a new subscription.

Secondly, a breach of the obligation to comply with the request to erase data was identified, as personal data was not erased systematically when requested by data subjects although there was no legal requirement to keep it and although users had been informed of the erasure of the data.

Last, there was a breach of the obligation to ensure the security of data, concerning passwords, locking of workstations, and access to data. More specifically, the password requirements and methods for processing the passwords were found to be non-compliant with the obligation to implement technical and organisational measures to ensure a level of security appropriate to the risk, since authentication was based on insufficiently complex passwords and obsolete hash algorithms. Additionally, the computer used by one of the database’s administrators was configured to never automatically lock or go into sleep mode. With regard to access to data, the absence of specific identification (i.e. the use of the same account by several people) made it impossible to ensure access traceability.

Decision
The LSA ordered the controller to comply, within two months of the notification of the decision, with several specific instructions.
First, the controller was ordered to provide full information to data subjects about the processing activities, in an easily accessible manner. Additionally, the LSA ordered the controller to set up a procedure for unsubscribing that is compliant with Articles 12 and 21 GDPR.
Secondly, the controller was ordered to ensure the effectiveness of all requests to exercise the right of erasure.
Last, the authority ordered the controller to take appropriate security measures to protect personal data and prevent access thereto by unauthorised third parties (by setting up a new password policy, avoiding the transmission of passwords in clear text, ensuring that workstations go into sleep mode, and setting up individual accounts).


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

publishable_fr_2019-10_right_to_erasure_ignored_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 23 September 2019
LSA: FR
CSAs: DE-Mecklenburg-Western Pomerania, DE-Rhineland-Palatinate, ES
Legal Reference: Right to erasure (Article 17)

Decision: No infringement of the GDPR
Key words: Right to erasure, Electronic communications, Payment data

Summary of the Decision

Origin of the case
The complainant asked for the deletion of his user account on the Spanish version of the controller’s website. In its reply, the controller stated that it was required to keep some of his data. However, it informed the complainant of the date on which all of his data would be entirely deleted.

Findings
The LSA found that, pursuant to national law, the controller was required to retain the complainant’s payment data in an intermediate archive upon the deletion of his user account in order to manage claims and disputes related to a payment made on its platform. In consequence, the controller acted in accordance with Article 17(3) GDPR when it kept some of the complainant’s data.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-10_right_to_erasure_ignored_summarypublic.pdf

publishable_fr_2019-09_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 29 August 2019
LSA: FR
CSAs: BE
Legal Reference: Right to erasure (Article 17), Right to object (Article 21)

Decision: No violation
Key words: Right to erasure, Right to object, Anonymisation

Summary of the Decision

Origin of the case
In a complaint filed with the CSA, the complainant alleged that personal data in her email correspondence with the controller was published on the controller’s website without her consent.

Findings
After communicating with the LSA, the controller took action to anonymise the complainant’s first and last names from the correspondence.

Decision
The LSA invited the controller to anonymise the copies of all the letters published on its website.

No further action towards the controller was taken.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-09_right_to_erasure_summarypublic.pdf