updated_publishable_be_2019-05_rightoferasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 17 May 2019
LSA: BE
CSAs: NL, SE
Legal Reference: Right to erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of data subjects (Article 12)
Decision: Compliance order to controller
Key words: Right to erasure, Exercise of the rights of the data subjects

Summary of the Decision
Origin of the case
The complaint concerned the failure of the controller to comply with the request of a data subject concerning the exercise of his right of erasure. After two submissions of the webform in order to have his data removed, the complainant also sent e-mails with the same request on 28/06/2018.
The complainant still did not receive any reply and asserted that the controller did not respond within a month following the request.

Findings
The controller has failed to comply with the request of the data subject, thus violating its obligations under Article 12.3 GDPR. The LSA considers that the deadline to answer the request “has been exceeded at all levels”.

Decision
The LSA decided to order the controller to comply with the data subject’s request concerning the exercise of the right of erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/updated_publishable_be_2019-05_rightoferasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2020-01_personal_data_breach_summarypublic.pdf

Summary Final Decision Art 60
Personal data breach notification

No infringement of the GDPR

Background information
Date of final decision 10 January 2020

LSA: UK

CSAs: AT, BE, CY, CZ, DE, DK, EE, EL, ES, FI, FR, IE, IT, HU, LT, LU, LV, MT, NL, PL, PT, SE, SI, SK

Legal Reference: Personal Data Breach (Articles 33 and 34)

Decision: No infringement of the GDPR

Key words: Data breach notification

Summary of the Decision

Origin of the case
The controller reported a data breach notification involving 643 of their customers in the EU. The former ex-employee accessed the customers data and exported them with the intention of extracting money from the controller.

Findings
In the course of its investigation, the LSA found that the controller had a relevant contract in place with the service provider, as a processor. The contract provided sufficient guarantees for their processing activities. There has been no damage or distress to any of the data subjects involved in this incident and the controller did not receive any complaints as a result of the infringement.

The controller implemented two remedial measures, by taking down the portals for which vulnerabilities were found, and by informing the data subjects about the data breach and possible phishing attempts.

Decision
Although no infringement to the GDPR was found, the LSA issued two recommendations to the controller.
First, to implement more regular reviews of any third parties to ensure that they are meeting their contractual agreements in relation to compliance with data protection legislation including having appropriate technical and organisational measures, confidentiality and the processing of data only on the documented instructions of the controller to ensure the protection of data subjects rights.
Second, to improve password management with their service providers.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2020-01_personal_data_breach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-12_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 17 December 2019

LSA: UK

CSAs: AT, DE-Berlin, DE-Saarland, DE-Bavaria (Private sector), DK, ES, IT, NO, SE, SK

Legal Reference: Lawfulness of the processing (Article 6), Right to erasure (Article 17)

Decision: No infringement of the GDPR

Key words: Right of erasure, Legal obligation, Anti-Money Laundering Directive

Summary of the Decision

Origin of the case
The complainant requested to have his personal data erased, but his request was rejected.

Findings
The LSA found that the controller replied to the complainant’s erasure request within a month. In his reply, the controller explained that, in light of his legal obligation under the fourth Anti-Money Laundering Directive, he was obliged to retain the complainant’s personal data for 5 years after the end of the business relationship.
However, the LSA found that the controller did not properly inform the complainant of his right to complain to the relevant supervisory authority and his right to seek a judicial review. In fact, the LSA considered that providing a link to the privacy policy containing the contact details of the relevant supervisory authority was not enough.

Decision
The LSA asked the controller to improve the information given to all data subjects, by introducing relevant information on the data subjects’ rights to lodge complaint to an SA or seek for judicial review in the privacy policy.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-12_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-09_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement

Background information
Date of final decision: 11 September 2019

LSA: UK
CSAs: DE-Berlin

Legal Reference: Lawfulness of the processing (Article 6), Right to erasure (Article 17)

Decision: No infringement of the GDPR

Key words: Lawfulness of the processing, Right to erasure, Consumer protection, Anti-Money Laundering, Legal obligation

Summary of the Decision

Origin of the case
The complainant requested the deletion of her account on the controller’s website. Her request was not granted by the controller. The complainant filed a complaint with the CSA.

Findings
According to UK anti-money laundering legislation, the controller was required to retain customer information for a period of five years after the end of the business relationship. The LSA found that the complainant’s information had been retained in line with the controller’s legal obligations.

Decision
As the controller complied with his data protection obligations, no further action towards it was taken by the LSA.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-09_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-08_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Failure to comply with the accuracy principle

Background information
Date of final decision: 3 August 2019

LSA: UK

CSAs: DK, FR, IT, SE

Legal Reference: Principles relating to processing of personal data (Article 5), Right to rectification (Article 16), Right to object (Article 21)

Decision: Failure to comply; no regulatory action.

Key words: Accuracy, e-commerce, individual rights

Summary of the Decision

Origin of the case
A French complainant contacted the controller three times between July and October 2018 asking for his phone number to be disassociated from another person’s account, as he had been receiving text message updates on orders he had never made.

Findings
Although the complainant’s phone number was eventually removed from the other user’s account, the UK SA found that the controller did not comply with its obligations under the GDPR as it did not take sufficient action to assure itself of the accuracy of the personal data it was processing. However,
the UK SA recognised that the controller’s standard operating policies and procedures were not followed by the staff in this case and that the controller provided assurances that it reminded its staff of the importance of adhering to such policies.

Decision
The UK SA decided not to take any regulatory action on this complaint.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_right_to_object_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-08_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final Decision 7 August 2019

LSA: UK
CSAs: AT

Legal Reference: Right to erasure (Article 17)

Decision: Violation identified; No regulatory action.

Key words: Right to erasure, Marketing

Summary of the Decision

Origin of the case
The complainant stated that he asked the controller not to send him marketing emails, yet he continued to receive them.

Findings
The UK SA found that the controller did not comply with its data protection obligations.
The controller stated that the complainant send his request to unsubscribe to a ‘no-reply’ email address, instead of using the ‘unsubscribe’ button. However, the email address was not clearly recognisable as a ‘no-reply’ email address.

Decision
The UK SA took note of the actions taken by the controller, including a change to its processes so that the email address from which marketing communications are sent is now monitored. No regulatory action was taken.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_right_to_erasure_not_granted_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-08_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Failure to comply with the accuracy principle

Background information
Date of final decision: 3 August 2019

LSA: UK

CSAs: DK, FR, IT, SE

Legal Reference: Principles relating to processing of personal data (Article 5), Right to rectification (Article 16), Right to object (Article 21)

Decision: Failure to comply; No regulatory action.

Key words: Accuracy, E-commerce, Individual rights

Summary of the Decision

Origin of the case
A French complainant contacted the controller three times between July and October 2018 asking for his phone number to be disassociated from another person’s account, as he had been receiving text message updates on orders he had never made.

Findings
Although the complainant’s phone number was eventually removed from the other user’s account, the UK SA found that the controller did not comply with its obligations under the GDPR as it did not take sufficient action to assure itself of the accuracy of the personal data it was processing. However, the UK SA recognised that the controller’s standard operating policies and procedures were not followed by the staff in this case and that the controller provided assurances that it reminded its staff of the importance of adhering to such policies.

Decision
The UK SA decided not to take any regulatory action on this complaint.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_rightofaccess_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-08_identity_check_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 3 August 2019

LSA: UK
CSAs: AT, BE, BG, CY, CZ, DE, DK, EL, ES, FI, FR, HR, HU, IE, IT, NO, PL, PT, SE

Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided (Articles 13-14), Right of access (Article 15)

Decision: No violation

Key words: Data subject rights, right of access

Summary of the Decision

Origin of the case
A French complainant asked the controller how to download all of his personal data and the controller went on with the necessary identification verification checks.

Findings
Upon receipt of the identity verification, the controller escalated the request promptly and supplied the data subject with an encrypted file containing his personal data via email, and subsequently with the decryption password. The initial delay in dealing with the matter was due to the fact that the emails from the controller had been sent to the data subject’s spam folder.

Decision
The UK SA found that the controller complied with its obligations under the GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_identity_check_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-06_personaldatabreach_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 22 June 2019

LSA: UK
CSAs: IE

Legal Reference: Personal data breach (Articles 33 and 34)

Decision: No violation

Key words: Data Breach

Summary of the Decision

Origin of the case
A third party ordered products from the Living Social website. The cost of the products was mistakenly charged to the data subject. On discovery of the error, the third party was able to access the data subjects personal data (name, email address etc.) from Living Social’s website.
The third party then contacted the data subject regarding what had happened. The Controller has refunded the data subject, but the data subject is not satisfied with their response as the Controller states that they do not believe a breach has occurred.

Findings
The LSA, after consulting with the controller, reached the conclusion that no breach had taken place since the controller only stores the last two digits of credit cards in its databases and uses payment tokens instead.

Decision
No violation.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-06_personaldatabreach_summarypublic.pdf

Please see also EDPB Copyright page

publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 10 October 2019
LSA: MT
CSAs: DE-Berlin, NL, NO, SE
Legal Reference: Right to object (Article 21), Cooperation with the supervisory authority(Article 31)
Decision: Infringement of Article 21 and Article 31 GDPR
Key words: Right to object, Cooperation with the supervisory authority, Exercise of data subjects’ rights, Marketing communications

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the CSA alleging that the controller kept sending marketing communications to the complainant even though he had previously objected to the processing of his data for marketing purposes.

Findings
The preliminary investigation by the LSA was aimed at ensuring that the controller’s main establishment was in its country.
The controller as internal procedure accepted any requests from data subjects only when the requests were made by using the same email address the users have used to open their account.
Through its investigations, the LSA found out that the controller could not find the first email sent by the complainant to object to the processing of his data for marketing purposes even if this email was sent from the email address used by the user to open his account. The data controller admitted that there was a possibility that the email had not been received or had not been dealt with properly.

Following the receipt of further unsolicited marketing communications, the complainant objected several more times. These emails were sent from email addresses different from the one used to open his account. Even if the controller was thus not able to comply with the data subject’s request as he could not identify him, the controller decided to block the complainant’s account from receiving marketing communications. From the investigation it transpired that the controller did not have any internal procedures for the handling of data subjects’ requests.
In addition the controller did not cooperate with the LSA that had to wait months to receive the requested submissions.

Decision
The LSA found that the controller infringed Article 21 by not having adequate procedures put in place to deal with the complainant’s request to exercise his right to object. The controller also infringed Article 31 GDPR by not cooperating with the LSA. Consequently, the LSA imposed an administrative fine of 15,000 euros on the controller. A 2,000 euro administrative fine was also imposed on the controller for having breached several provisions of national law relating to unsolicited communications.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-10_right_to_object_marketing_emails_summarypublic.pdf

Please see also EDPB Copyright page