publishable_de_berlin_2019-07_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 2 July 2019
LSA: DE-Berlin
CSAs: AT, DE-Rhineland-Palatinate, DE-Hesse, DE-Saarland, DE-North Rhine-Westphalia, FR
Controller: Billpay GmbH
Legal Reference: Right of access (Article 15), Responsibility of the controller (Article 24), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Reprimand to controller
Key words: Right of access, Exercise of the rights of the data subjects, Reprimand, Data Subject Rights not respected

Summary of the Decision
Origin of the case
The complainant sent an e-mail to the controller, stating his current address, requesting access to his personal data in accordance with Article 15 GDPR. The controller attempted to provide the complainant with the requested information by a registered letter, but it used another postal address than the one specified by the complainant. Therefore, the letter was not delivered to the complainant.
The controller sent an e-mail to the complainant requesting his current address. As a result, the complainant was provided with the information about his personal data four months after the deadline established under Article 12 (3) GDPR.

Findings
The LSA determined that the controller infringed Article 12(3) GDPR by exceeding the deadline to answer the complainant’s access request, since it was technically possible and reasonable for the controller to send the information to the address given by the complainant, without further delay.

Decision
Taking into account the circumstances of the case and the fact that the controller, after being contacted by the LSA, showed understanding and its willingness to comply with data protection regulations, the LSA issued a reprimand based on Article 58(2)(b) GDPR for violating the complainant’s right of access under Article 15 GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-07_rightofaccess_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_berlin_2019-05_databreach_summarypublic_0.pdf

Summary Final Decision Art 60
Data Breach Notification

No violation

Background information
Date of final decision: 3 April 2019
LSA: DE-Berlin
CSAs: DE-Lower Saxony, UK
Controller: AWIN AG
Legal Reference: Notification of a personal data breach to the supervisory authority (Article 33), Communication of a personal data breach to the data subject (Article 34)

Decision: No violation
Key words: Data breach

Summary of the Decision
Origin of the case
The controller reported a data breach to the LSA after some laptops were stolen. The laptops contained personal data of business partners, but the majority of the laptops had encrypted hard disks.

Findings
Only 4 laptops could have included personal data, 3 of which were located in Germany and one in the UK. The controller posted breach notifications online following the recommendations by the LSA as per Article 34(3)(c) GDPR.

Decision
The case was closed as the controller followed the recommendations of the LSA.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-05_databreach_summarypublic_0.pdf

Please see also EDPB Copyright page

publishable_de_berlin_2019-04_rightoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 3 December 2018
LSA: DE – Berlin
CSAs: BE, DE-Mecklenburg-Western Pomerania
Controller: Chal-Tec GmbH
Legal Reference: Right to erasure (Article 17), Lawfulness of processing (Article 6), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Reprimand
Key words: Right to erasure, exercise of the rights of the data subject, lawfulness of the processing, e-Commerce

Summary of the Decision
Origin of the case
The complainant created an account on the controller’s website, and the same day he asked for its deletion. Despite receiving a confirmation e-mail about the deletion, the complainant could still log in to his account. In an e-mail, the data controller told the complainant that for legal reasons the account could not be deleted, but only deactivated.

Findings
Following a request for information by the LSA, the data controller deleted the account. The improper handling of the data subject’s request was due to keeping two separate databases, each handled by a different department of the controller which had miscommunicated in this case.

Decision
The LSA decided to reprimand the data controller as the removal of the complainant’s personal data was not carried out by the time it was due, i.e. per art. 58(2)(b) GDPR.

Comments
Even though the request was submitted by the complainant prior to the entry into force of the GDPR, on 25 May 2018 the account had not been deleted yet and therefore, the LSA states that the GDPR is applicable.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-04_rightoerasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_berlin_2019-04_reprimandtocontroller_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprim and to co ntro ll erBackground information
Date of final decision: 31 October 2018
LSA: DE- Berlin
CSAs: AT, BE, DK, LU, SE, DE- Bavaria, DE-Hesse, DE-Lower Saxony, DE-Mecklenburg-Western Pomerania , DE-Saarland
Controller: Outfittery GmbH
Legal Reference: Right to erasure (Article 17), Right to object (Article 21)

Decision: Reprimand to controller
Key words: Lawfulness of the processing, Rights of data subjects, Right to erasure, advertising

Summary of the Decision
Origin of the case
The complainant sent an e-mail to the controller requesting that he no longer receives any further emails, in particular advertising e-mails, and that he requests access to and erasure of his personal data. The complainant subsequently received further advertising e-mails. Information on the personal data processed and the notice of erasure were sent to the complainant.

Findings
The LSA considered that the controller had violated art. 17(1)(c) in conjunction with art. 21(2) GDPR because according to it the data subject has the right to require the data controller to erase his personal data as well as to object to its processing for advertising purposes. The controller must comply with such a request immediately. However, the controller did not comply with the request until much later.

Decision
The LSA decided to reprimand the controller.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-04_reprimandtocontroller_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_berlin_2019-01_databreach_summarypublic.pdf

Summary Final Decision Art 60
Data breach notification

No violation

Background information
Date of final decision: 25 January 2019
LSA: DE (Berlin)
CSAs: AT, DE (Lower Saxony), FI, FR, IT, SE, NO
Controller: Delivery Hero SE
Legal Reference: Personal data breach (Articles 33 and 34), Security of processing (Article 32

Decision: No infringement
Key words: Data Breach Notification

Summary of the Decision
Origin of the case
The controller was informed about a flaw in their service for exporting a user’s personal data. This flaw allowed a specific user to export the data of some additional users (30) of in total seven member states. To prevent further data leakage, the function for exporting a user’s personal data was temporarily disabled until the problem could be fixed. The controller notified the SA of the data breach within due time.

Findings
The controller provided all the required information and acted promptly. Following a general recommendation given by the LSA, contained in an automatic reply after receiving a breach notification, the affected data subjects were notified despite the initial reasoning provided by the controller where it deemed that the requirements of Art. 34.1 GDPR are not met.

Decision
Taking into account that only one data recipient received the data and that the breach was properly notified, the case was closed without any corrective measures being imposed on the controller.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_berlin_2019-01_databreach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_baden-wurttemberg_2020-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 24 September 2019
LSA: DE -Baden-Wuerttemberg
CSAs: All SAs
Legal Reference: Transparency (Article 12), Right to erasure (Article 17)

Decision: No infringement of the GDPR
Key words: Exercise of data subjects rights, Erasure request

Summary of the Decision
Origin of the case
The complainant alleged that the controller did not comply with her erasure request.

Findings
The LSA found that the controller deleted the complainant’s personal data. However, the controller did not do so within the timeframe provided by the GDPR. In its reply to the LSA, the controller described the measures taken to avoid delays in the future.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_baden-wurttemberg_2020-01_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_de_baden-wurttemberg_2020-01_personal_data_breach_summarypublic.pdf

Summary Final Decision Art 60
Data Breach Notification

No infringement of the GDPR

Background information
Date of final decision: 27 January 2020
LSA: DE-Baden-Wuerttemberg
CSAs: All SAs
Legal Reference: Personal data breach (Articles 33 and 34)

Decision: No infringement of the GDPR
Key words: Personal data breach, Phishing emails

Summary of the Decision
Origin of the case
The controller stated that a phishing attack had been launched on their central servers. The email address of a subsidiary’s manager had been compromised and used to send phishing emails to employees and clients.

Findings
The LSA found that the controller had carried out an investigation and a risk assessment of the breach, before communicating it to the LSA within 72 hours of becoming aware of it, as well as to the data subjects. Further, the password of the affected account was immediately changed. They also stated that the employees had been informed about the phishing attempt.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de_baden-wurttemberg_2020-01_personal_data_breach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cz_2019-10_lawfulness_of_processing_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order

Background information
Date of final decision: 7 October 2019
LSA: CZ
CSAs: AT, DE-All, HR, SI, SK
Legal Reference: Lawfulness of the processing (Article 6)

Decision: Order to the controller, Infringement of the GDPR
Key words: Lawfulness of processing, Legitimate interest, Data subject rights

Summary of the Decision

Origin of the case
The data subjects filed a complaint with one of the CSAs alleging that the controller published his personal data on its social media page without a legal basis.

Findings
The controller published on its social media page information concerning the complainant and other data subjects, referring to debts which the controller was in charge of collecting. The abbreviated first name and the entire surname of the data subjects, as well as the status of debtor and the amount owed by them were specified. Through a balancing test between the data subjects’ interests and basic rights with the controller’s interests, it was concluded that the controller did not rely on any lawful basis pursuant to Art. 6 GDPR. More specifically, the data subject had not expressed his/her consent; moreover, in the balancing between the legitimate interest pursued by the controller and the interests and rights of the data subject, the latter prevailed, given the significant risk of adverse impact arising
from the publication of negative information about the data subjects’ financial situation.

Decision
The LSA ordered the controller to cease processing the complainant’s personal data and to remove the published personal data within ten business days of the decision. The LSA also ordered the controller to submit a report to LSA on the implementation of the order within five business days of its completion.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cz_2019-10_lawfulness_of_processing_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cz_2019-08_databreach_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 26 August 2019
LSA: CZ
CSAs: All SAs
Legal Reference: Security of processing (Article 32), Notification of a personal data breach to the supervisory authority (Article 33)

Decision: Reprimand to controller
Key words: Data breach, Request for compliance, Mitigating circumstances

Summary of the Decision

Origin of the case
The complainant, a website’s user, alleged that access to their personal information had been disclosed to another user.

Findings
The LSA found that there had been a data breach because a customer support officer accidentally copied the link to a complainant’s reservation and sent it to another customer. The controller therefore infringed the obligation to adopt appropriate security measures under art. 32 GDPR as well as the obligations set out by art. 33 GDPR in connection with data breaches. This incident had not been reported by the customer support officer in charge, contrary to the website owner’s internal regulations.
After the controller received the LSA’s communication, they investigated the incident and began adapting their technical and organisational measures in place and making new ones.

Decision
Also on the basis of the objections received, the LSA decided that although there had been an infringement by the controller of Articles 32 and 33, the imposition of a fine would not have been reasonable, given the mitigating circumstances, especially in connection to the fact that the isolated incident occurred as a result of a particular employee’s misconduct rather than of systemic non-compliance. Therefore, no sanctions were imposed, but a request for compliance and reprimand regarding infringement was sent to the controller.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cz_2019-08_databreach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cz_2019-07_lawfulnessoftheprocessing_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Violation of Article 24(1)

Background information
Date of final decision: 11 July 2019
LSA: CZ
CSAs: All
Legal Reference: Principles relating to processing of personal data (Article 5); Lawfulness of the processing (Article 6); Responsibility of the controller (Article 24)

Decision: Violation
Key words: Concept of personal data, Accountability, Consumers

Summary of the Decision

Origin of the case
A complaint was filed with the Dutch SA concerning the processing of personal data of the users of the antivirus software provided by the controller, and specifically the protection granted to users of the free version of the software compared to that granted to the paying users.

Findings
In its inspection report, the LSA concluded that the inspected party failed to comply with Articles 5(2) and 24(1) GDPR, which was interpreted as the obligation to take into account all relevant circumstances surrounding the processing and to adopt a set of measures to ensure that all personal data processing is carried out exclusively under pre-defined conditions that the controller is able to regularly check and enforce. This stemmed from the conclusion that the inspected party, despite its assertions to the contrary, was indeed processing personal data (e.g. IP addresses), based on the Court of Justice case law, and was acting as a data controller.
The controller filed several objections to the inspection report, arguing inter alia that no processing of personal data was involved, that it was not to be universally considered as a data controller, and that sufficient information to properly show compliance with Articles 5(2) and 24(1) GDPR was provided.
The last objection was partially accommodated by the LSA, which concluded that only an infringement of Article 24(1) GDPR had been ascertained, whereas no specific breach of Article 5(2) followed from the documentation.

Decision
The controller was found to have violated Article 24(1) GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cz_2019-07_lawfulnessoftheprocessing_summarypublic.pdf

Please see also EDPB Copyright page