publishable_uk_2019-06_personaldatabreach_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 22 June 2019

LSA: UK
CSAs: IE

Legal Reference: Personal data breach (Articles 33 and 34)

Decision: No violation

Key words: Data Breach

Summary of the Decision

Origin of the case
A third party ordered products from the Living Social website. The cost of the products was mistakenly charged to the data subject. On discovery of the error, the third party was able to access the data subject’s personal data (name, email address etc.) from Living Social’s website.
The third party then contacted the data subject regarding what had happened. The Controller has refunded the data subject, but the data subject is not satisfied with their response as the Controller states that they do not believe a breach has occurred.

Findings
The LSA, after consulting with the controller, reached the conclusion that no breach had taken place since the controller only stores the last two digits of credit cards in its databases and uses payment tokens instead.

Decision
No violation.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-06_personaldatabreach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: MT
CSAs: DE-Berlin, NL, NO, SE
Legal Reference: Right to object (Article 21), Cooperation with the supervisory authority (Article 31)
Decision: Infringement of Article 21 and Article 31 GDPR
Key words: Right to object, Cooperation with the supervisory authority, Exercise of data subjects’ rights, Marketing communications

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the CSA alleging that the controller kept sending marketing communications to the complainant even though he had previously objected to the processing of his data for marketing purposes.

Findings
The preliminary investigation by the LSA was aimed at ensuring that the controller’s main establishment was in its country.
As an internal procedure, the controller accepted requests from data subjects only when they were made from the same email address the users had used to open their account.
Through its investigations, the LSA found that the controller could not find the first email sent by the complainant to object to the processing of his data for marketing purposes, even though this email was sent from the email address used by the user to open his account. The data controller admitted that there was a possibility that the email had not been received or had not been dealt with properly.

Following the receipt of further unsolicited marketing communications, the complainant objected several more times. These emails were sent from email addresses different from the one used to open his account. Even if the controller was thus not able to comply with the data subject’s request as he could not identify him, the controller decided to block the complainant’s account from receiving marketing communications. From the investigation it transpired that the controller did not have any internal procedures for the handling of data subjects’ requests.
In addition, the controller did not cooperate with the LSA, which had to wait months to receive the requested submissions.

Decision
The LSA found that the controller infringed Article 21 by not having adequate procedures put in place to deal with the complainant’s request to exercise his right to object. The controller also infringed Article 31 GDPR by not cooperating with the LSA. Consequently, the LSA imposed an administrative fine of 15,000 euros on the controller. A 2,000 euro administrative fine was also imposed on the controller for having breached several provisions of national law relating to unsolicited communications.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

publishable_mt_2019-10_right_of_access_request_art_15_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 28 October 2019
LSA: MT
CSAs: PL
Legal Reference: Right of access (Article 15)
Decision: Infringement of Article 15 GDPR
Key words: Right of access, Data subjects’ rights, Data subject access request, Bank, Technical and organisational measures

Summary of the Decision

Origin of the case
The complainant filed a complaint with the CSA contending that the controller did not comply with her access request within the established 30-day period.

Findings
The LSA found that a letter and a file containing the copy of the complainant’s data were supposed to be sent to her on the day following the request. However, the email was erroneously categorised as “internal only”, which resulted in a failure to send such letter and file to the complainant.
Furthermore, the employee with access to the relevant mailbox left the company without ensuring that the complainant received a reply. Following the LSA’s investigation and the discovery of the mistake, the controller provided the complainant with a letter giving details about the processing of her data and the file containing the requested information.
Furthermore, the LSA requested the controller to submit details on the organizational and security measures implemented to avoid similar incidents in the future. To ensure an adequate follow-up of the access requests, the controller improved its back-up continuity procedure under which the back-up person would intervene if the main contact was not capable of complying with the client’s request.

Decision
The LSA found that the controller infringed Article 15 GDPR by not having adequate procedures in place to deal with subject access requests, thus depriving the complainant of the right to access her data within the established timeframe. As a result, and also in light of several mitigating circumstances, the controller received an administrative fine of 8,000 euros. The LSA also instructed the controller to implement the appropriate technical measures to enhance the organizational and security measures already put in place.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-10_right_of_access_request_art_15_summarypublic.pdf

publishable_mt_2019-08_article13_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 5 August 2019
LSA: MT
CSAs: DK, ES, FI, FR, LV, NO, SE
Legal Reference: Information to be provided where personal data are collected from the data subject (Article 13 GDPR)
Decision: No violation
Key words: Right to information, prior information, rights of data subjects

Summary of the Decision

Origin of the case
The complainant contended that her personal data were inserted in the insolvency register of a third party without having been provided the required information, in accordance with Article 13 GDPR, at the time her data were obtained.

Findings
The LSA found that all relevant information was provided to the complainant through the general Terms and Conditions of the loan contract, which she accepted before the loan was granted to her. Additionally, the information that her personal data would be inserted in the insolvency register was communicated to her through a ‘requirement of payment’ letter and warning emails and SMS texts.
The same information is also available on the controller’s website.

Decision
The LSA found that the complainant was adequately informed pursuant to Article 13 GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-08_article13_summarypublic.pdf

publishable_mt_2019-07_rightoferasurearticle_17_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 4 March 2019
LSA: MT
CSAs: IE
Legal Reference: Right to erasure (Article 17)
Decision: No violation
Key words: Right to erasure, right of access request, exercise of the rights of the data subjects

Summary of the Decision

Origin of the case
The complainant made a right to access/erasure request to the controller. The controller requested the complainant to confirm her identity but she failed to do so.
The controller has erased the complainant’s personal data in accordance with its privacy policy and taking into consideration a still existing “Compromise Agreement” between the controller and the complainant. Concerning the right of access request, the only reason why the information was not provided revolves around the complainant’s failure to verify her identity with the controller. The complainant then contended that the controller did not accede to the right of access request.

Findings
The LSA assessed that the controller satisfied the complainant’s right of erasure request to the extent permissible by the applicable laws, including but not limited to, employment legislation.

The LSA found that the controller took all the necessary steps to handle the complainant’s right of access. The only reason why the information was not provided was the complainant’s failure to verify her identity with the controller (the email she was using was not known to the controller).

Decision
The LSA decided that the controller did not infringe the provisions of the GDPR, and consequently dismissed the complaint.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-07_rightoferasurearticle_17_summarypublic.pdf

publishable_mt_2019-06_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance Order to Controller

Background information
Date of final decision: 7 June 2019

LSA: MT
CSAs: ES

Legal Reference: Right to erasure (Article 17)

Decision: Compliance order to controller

Key words: Right to erasure, Data subject rights, Accuracy

Summary of the Decision

Origin of the case
A Spanish data subject filed a complaint with the Spanish SA as she was receiving unsolicited phone calls even after having filed an erasure request and such erasure had been confirmed by the data controller.

Findings
The complainant’s phone number was fraudulently provided to the controller by one of its clients.
Since the controller was not aware of this, it tried to contact the client on such phone number. The complainant filed a right of erasure request. During a phone call, the controller erroneously informed the complainant of the need to submit a second erasure request to delete the number from another database held by the controller, whereas only one database existed. From the call logs provided by the controller it transpires that the complainant’s phone number was erased from the controller’s database immediately after the first erasure request. All the erasure requests from the complainant were followed by erasure confirmations sent by the controller. The controller couldn’t exclude the possibility that the complainant’s residence’s phone number was fraudulently provided by the same client also to other entities/lenders, and that these entities/lenders may make use of it.

Decision
The LSA instructed the data controller to implement the appropriate technical and organisational measures to make sure that personal data are accurate and, where necessary, kept up to date, and that every reasonable step is taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-06_righttoerasure_summarypublic.pdf

publishable_lv_2020-01_transparency_and_information_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 8 November 2019
LSA: LV
CSAs: All SAs

Legal Reference: Transparency (Article 12), Information (Articles 13 and 14)

Decision: Infringement of the GDPR, Fine

Key words: Transparency, Information, E-commerce, Identity of the controller

Summary of the Decision

Origin of the case
The complainant alleged that he did not receive information on the identity of the controller before submitting his order on the online retail platform. Moreover, the complainant contended that the privacy policy available on the website was not in conformity with the GDPR.

Findings
During its investigation, the LSA found that the controller was a Latvian company performing retail sales through several websites, including the one used by the complainant to order his goods.
After establishing the identity of the controller, the LSA found that the privacy policy on the website did not provide information on the identity of the controller, the legal basis of the data processing, its purposes and the way data subjects’ consent is collected.

Decision
The LSA found that the controller did not comply with his obligations under the GDPR and imposed a fine of 150,000 euros.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lv_2020-01_transparency_and_information_summarypublic.pdf

publishable_lv_2020-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order

Background information
Date of final decision: 3 December 2019
LSA: LV
CSAs: DE-Berlin, DE-Hesse, DE-Rhineland-Palatinate, DK, FR, IE, IT, PL, NO

Legal Reference: Lawfulness of processing (Article 6), Right to erasure (Article 17), Right to be informed (Article 15)

Decision: Infringement of the GDPR, Order to comply

Key words: Right to erasure, Right to be informed, Blacklisted email

Summary of the Decision

Origin of the case
The complainant alleged that their request for deletion of their personal data had not been complied with.

Findings
After an investigation, the LSA found that after accidentally signing up to the controller’s services, the complainant had contacted the controller to ask for the deletion of two accounts made in his name.
The controller responded the next day that this would not be possible. The controller also blacklisted the complainant’s email address, thereby blocking reception of its emails.

Decision
The LSA found that the controller did not have a legal basis to continue processing and storing the complainant’s personal data on a blacklist. An administrative act was issued by the LSA, with the order for the controller to delete the complainant’s personal data from the blacklist or from any storage site or filing system by 20 December 2019.
In addition, the controller was ordered to assess the degree of risk to the rights and freedoms of natural persons, taking into account the nature, extent, context, purposes and technical and organizational measures taken to protect personal data and prevent their possible unlawful processing, and to provide a mechanism to prevent such situations from happening in the future. The controller was asked to inform the LSA of the execution of the order by 20 December 2019.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lv_2020-01_right_to_erasure_summarypublic.pdf

publishable_lu_2019-05_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019
LSA: LU
CSAs: AT, BE, CZ, DE – Mecklenburg-Western Pomerania, DE – Berlin, DE – Lower Saxony, DE – Bavaria (Private sector), DE – Saarland, DE – North Rhine-Westphalia, DK, FR, IT, NO, PL, SE, SI, SK

Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: No infringement of the right to erasure

Key words: Right to erasure, e-commerce, Exercise of the rights of data subjects

Summary of the Decision

Origin of the case
The complainant requested the erasure of his customer account on the controller’s website, and he asserted that the controller did not respond within a month following his request.

Findings
The controller demonstrated that it did not delete the account because the request was lodged via a different email address than the one associated with the customer account. For security reasons, the controller contacted the complainant and asked him to submit the request from the same e-mail address associated with the customer account or, if not possible, to change his login details. The complainant did not take any action and therefore, the controller could not authenticate him as the owner of the customer account.
After receiving the letter from the LSA, the controller contacted the complainant on the e-mail address associated with the customer account and offered to associate his other e-mail address with the customer account.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The CSA to which the complaint was lodged informed the LSA that the complainant was satisfied with the answer from the controller and that the cross-border complaint should be closed.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_right_to_erasure_not_granted_summarypublic.pdf

publishable_lu_2019-05_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019
LSA: LU
CSAs: AT, BE, CY, CZ, DE – Berlin, DE – Lower Saxony, DE – Rhineland-Palatinate, DE – Bavaria (Private sector), DE – Mecklenburg-Western Pomerania, DK, ES, FI, FR, IE, IT, PL, SE, SK, NO

Legal Reference: Right of access by the data subject (Article 15), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: No infringement

Key words: Right of access, exercise of the rights of the data subject, e-commerce

Summary of the Decision

Origin of the case
The complainant requested access to his personal data held by the controller because his national ID number, his address and his IP had been blocked by the controller’s platform and he was thus unable to use its services. He wanted to know the reason and thus requested access to his data.

Findings
The controller demonstrated that it had provided the complainant with access to the data concerning him and his seller account. The controller provided the relevant communication to the LSA and it also clarified that the blockage of the complainant’s information was due to a violation of the controller’s selling policies. The controller also explained that it had granted the complainant the right to appeal the blockage, but instead he tried to circumvent the decision by opening new seller accounts, which were blocked. However, the controller allowed him to create a customer account.

Decision
The LSA found that there had been no violation of the GDPR, since the controller had granted the complainant access to his data. The LSA and the CSA agreed to close the cross-border complaint, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_rightofaccess_summarypublic.pdf