publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Summary Final Decision Art 60
Investigation

Compliance order

Background information
Date of final decision: 16 December 2019
LSA: FR
CSAs: BE, DE-Rhineland-Palatinate, DK, ES, IT, HU, LU, PL, PT, SE, SK
Legal Reference: Transparency and Information (Articles 12, 13 and 14), Right to erasure (Article 17), Right to object (Article 21), Security of processing (Article 32)

Decision: Order to comply
Key words: Transparency and Information, Right to Erasure, Right to Object, Security of Processing, E-Commerce, Direct Marketing, Children, Consumers

Summary of the Decision

Origin of the case
The LSA conducted two on-site investigations at the controller’s premises to audit the controller’s compliance with the GDPR and tested the procedure set up by the controller to create an account.

Findings
The controller is a company offering subscriptions to educational magazines for children. On the basis of the investigation, the LSA found several GDPR infringements. First, several breaches of the obligation to inform data subjects, enshrined in Articles 12 and 13 GDPR, were identified. Neither information relating to data protection nor a link to the controller’s Terms and Conditions was given to data subjects upon registration or when placing an order. As a consequence, the information was considered insufficiently accessible.
The Terms and Conditions did not include any information on the legal basis for processing, on the retention period, or on the individual rights to restriction of processing, to data portability, or to lodge a complaint with a supervisory authority. Although the target audience was French-speaking and the website was entirely in French, the “unsubscribe” button in the newsletter and marketing emails linked to a confirmation text in English. The final page also contained an additional hyperlink (titled “Clicking here”), which was misleading for the user, as clicking on it actually resulted in a new subscription.

Secondly, a breach of the obligation to comply with requests for erasure was identified: personal data was not systematically erased when data subjects requested it, although there was no legal requirement to keep it and although users had been informed that their data had been erased.

Last, there was a breach of the obligation to ensure the security of data, concerning passwords, the locking of workstations, and access to data. More specifically, the password requirements and the methods for processing passwords were found not to comply with the obligation to implement technical and organisational measures ensuring a level of security appropriate to the risk, since authentication relied on insufficiently complex passwords and obsolete hash algorithms. Additionally, the computer used by one of the database administrators was configured never to lock automatically or enter sleep mode. With regard to access to data, the absence of individual identification (i.e. the use of the same account by several people) made it impossible to ensure the traceability of access.

Decision
The LSA ordered the controller to comply, within two months of the notification of the decision, with several specific instructions.
First, the controller was ordered to provide full information to data subjects about the processing activities, in an easily accessible manner. Additionally, the LSA ordered the controller to set up a procedure for unsubscribing that is compliant with Articles 12 and 21 GDPR.
Secondly, the controller was ordered to ensure the effectiveness of all requests to exercise the right of erasure.
Last, the authority ordered the controller to take appropriate security measures to protect personal data and prevent access to it by unauthorised third parties (by setting up a new password policy, avoiding the transmission of passwords in clear text, ensuring that workstations enter sleep mode, and setting up individual accounts).
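As an added example that is not part of this summary and not the controller’s own code, the Python below sketches what remediation of the password findings above could look like: a complexity check for the new password policy, salted scrypt storage in place of an obsolete unsalted digest, constant-time verification, and an audit that flags stored records still needing migration. The policy thresholds, the scrypt work factors, the record format and the sample records are all this example’s own assumptions; the decision only says the passwords were insufficiently complex and the hash algorithms obsolete.

```python
import hashlib
import hmac
import os
import re

# Policy thresholds are this example's assumptions: the decision summary only
# says the controller's passwords were "insufficiently complex".
MIN_LENGTH = 12
REQUIRED_CLASSES = 3

_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def policy_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = sum(1 for rx in _CLASSES.values() if rx.search(password))
    if present < REQUIRED_CLASSES:
        problems.append(f"uses {present} of {REQUIRED_CLASSES} required character classes")
    return problems


# Storage scheme: salted scrypt via hashlib (Python 3.6+ built against OpenSSL 1.1+).
# The work-factor parameters are this example's choice, not values from the decision.
SCHEME = "scrypt"
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a salted scrypt digest and return a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join([SCHEME, str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, record: str) -> bool:
    """Check a password against a stored record; only the current scheme is accepted."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != SCHEME:
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=KEY_LEN)
    # Constant-time comparison so verification time does not depend on matching bytes.
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record: str) -> bool:
    """True for records that are not salted scrypt at the current parameters."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != SCHEME:
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def audit_records(records: dict) -> list:
    """Return, sorted, the account names whose stored password record is obsolete."""
    return sorted(name for name, rec in records.items() if needs_rehash(rec))


if __name__ == "__main__":
    # Constructed sample data: one obsolete-style unsalted record and one current record.
    sample = {
        "alice": "legacy$" + "ab" * 16,            # constructed placeholder, not a real digest
        "bob": hash_password("Tr0ub4dor&3xample"),  # constructed sample password
    }
    print("accounts needing rehash:", audit_records(sample))
    print("policy check for 'password':", policy_violations("password"))
```

Records flagged by `audit_records` cannot be converted in place, since the original password is not recoverable from a digest; the usual approach is to rehash with the current scheme the next time the user authenticates successfully, and to expire accounts that never do.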


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Please see also EDPB Copyright page

publishable_fr_2019-10_right_to_erasure_ignored_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 23 September 2019
LSA: FR
CSAs: DE-Mecklenburg-Western Pomerania, DE-Rhineland-Palatinate, ES
Legal Reference: Right to erasure (Article 17)

Decision: No infringement of the GDPR
Key words: Right to erasure, Electronic communications, Payment data

Summary of the Decision

Origin of the case
The complainant asked for the deletion of his user account on the Spanish version of the controller’s website. In its reply, the controller stated that it was required to keep some of his data. However, it informed the complainant of the date on which all of his data would be entirely deleted.

Findings
The LSA found that, pursuant to national law, the controller was required to retain the complainant’s payment data in an intermediate archive after the deletion of his user account, in order to manage claims and disputes related to payments made on its platform. Consequently, the controller acted in accordance with Article 17(3) GDPR when it kept some of the complainant’s data.

Decision
The LSA found that the controller complied with its obligations under the GDPR and closed the case.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-10_right_to_erasure_ignored_summarypublic.pdf


publishable_fr_2019-09_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 29 August 2019
LSA: FR
CSAs: BE
Legal Reference: Right to erasure (Article 17), Right to object (Article 21)

Decision: No violation
Key words: Right to erasure, Right to object, Anonymisation

Summary of the Decision

Origin of the case
In a complaint filed with the CSA, the complainant alleged that personal data in her email correspondence with the controller was published on the controller’s website without her consent.

Findings
After communicating with the LSA, the controller took action to anonymise the complainant’s first and last names from the correspondence.

Decision
The LSA invited the controller to anonymise the copies of all the letters published on its website.

No further action towards the controller was taken.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-09_right_to_erasure_summarypublic.pdf


publishable_fr_2019-08_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 26 August 2019
LSA: FR
CSAs: AT, BE, DE-Rhineland-Palatinate, DE-Saxony-Anhalt, DE-North Rhine-Westphalia, NL, UK
Legal Reference: Right of access (Article 15); Right to erasure (Article 17); Right to object (Article 21)

Decision: No violation of the GDPR
Key words: Right to object, right to access, direct marketing

Summary of the Decision

Origin of the case
The complainant alleged that the controller had not taken his objection to direct marketing into account and that his request to access his personal data had not been granted.

Findings
The LSA found that both requests had been granted. The complainant’s email address had been erased from the controller’s marketing tools and an unsubscribe confirmation message had been sent.

Decision
No violation of the GDPR was found.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-08_right_to_object_summarypublic.pdf


publishable_fr_2019-08_lawfulness_of_the_processing_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 9 August 2019
LSA: FR
CSAs: ES, IT
Legal Reference: Lawfulness of the processing (Article 6 GDPR)

Decision: No violation
Key words: lawfulness of the processing, right to object, spam emails, unsolicited communication, rights of the data subject

Summary of the Decision

Origin of the case
The complainant alleged he faced difficulties when he tried to exercise his right to object to unsolicited marketing emails.

Findings
The LSA found that the complainant had consented to receiving marketing emails and that the controller had removed the complainant’s data from its database following the request. The controller’s response to the request was delayed by an internal malfunction, which has since been resolved.

Decision
The LSA found no infringement.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-08_lawfulness_of_the_processing_summarypublic_0.pdf


publishable_fr_2019-06_art_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 17 June 2019
LSA: FR
CSAs: BE, ES, LU, DE-Lower Saxony, DE-Rhineland-Palatinate, DE-Berlin, IT
Legal Reference: Security of processing (Article 32)

Decision: No violation of art. 32 GDPR and recommendation on the adoption of technical measures
Key words: Consumers, e-commerce, security of data

Summary of the Decision

Origin of the case
This case concerned a complaint lodged by a data subject about the fact that the username and password for accessing a website operated by the controller had been sent to him in a plain-text email.

Findings
After correspondence with the controller, the LSA concluded that the controller neither communicated plaintext passwords to its users nor stored them in its databases. However, the LSA found that, despite the controller’s assertions to the contrary, it did not operate a captcha system and only applied an access temporization (a delay between authentication attempts) of 1 second.

Decision
The LSA closed the case regarding the complaint and recommended that the controller introduce a captcha system, increase the access temporization to 1 minute after 5 failed attempts, and introduce a limit of 25 attempts within 24 hours.
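The recommended policy above (a 1-minute lock after 5 failed attempts and a ceiling of 25 attempts within 24 hours) is concrete enough to implement. The Python below is an added illustration, not code from the decision or from the controller, of a per-account throttle that applies those two thresholds, with an injectable clock so the behaviour can be exercised without waiting. The summary does not say whether successful logins count towards the daily limit, so the example counts only failures; the captcha step is outside its scope.

```python
import time
from collections import deque

# Thresholds taken from the LSA's recommendation in the summary above.
LOCK_AFTER_FAILURES = 5           # lock the account after 5 consecutive failures...
LOCK_SECONDS = 60                 # ...for 1 minute
DAILY_ATTEMPT_LIMIT = 25          # at most 25 attempts...
DAILY_WINDOW_SECONDS = 24 * 3600  # ...within 24 hours

# Counting only failed attempts towards the daily limit is this example's
# assumption; the summary does not say whether successes count.


class LoginThrottle:
    """Per-account throttling: a short lock after repeated failures plus a 24-hour cap."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so tests can run without sleeping
        self._failures = {}        # account -> deque of failure timestamps (24 h window)
        self._consecutive = {}     # account -> failures since the last lock or success
        self._locked_until = {}    # account -> timestamp at which the current lock expires

    def _window(self, account, now):
        """Drop failures older than the 24-hour window and return the remaining ones."""
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= DAILY_WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, account):
        """Call before verifying credentials. Returns (allowed, reason)."""
        now = self._clock()
        if now < self._locked_until.get(account, 0.0):
            return False, "temporary lock"
        if len(self._window(account, now)) >= DAILY_ATTEMPT_LIMIT:
            return False, "daily limit"
        return True, "ok"

    def record_failure(self, account):
        """Register a failed attempt; every 5th consecutive failure starts a 1-minute lock."""
        now = self._clock()
        self._window(account, now).append(now)
        n = self._consecutive.get(account, 0) + 1
        if n >= LOCK_AFTER_FAILURES:
            self._locked_until[account] = now + LOCK_SECONDS
            n = 0
        self._consecutive[account] = n

    def record_success(self, account):
        """A correct password clears the consecutive counter but not the 24-hour history."""
        self._consecutive[account] = 0


class FakeClock:
    """Manually advanced clock so the throttle can be exercised deterministically."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_failed_logins(failures, account="victim"):
    """Replay `failures` wrong-password attempts against one account, waiting out each
    1-minute lock, and return (seconds elapsed, result of a final check())."""
    clock = FakeClock()
    throttle = LoginThrottle(clock)
    for _ in range(failures):
        allowed, reason = throttle.check(account)
        if not allowed and reason == "temporary lock":
            clock.advance(LOCK_SECONDS)
            allowed, reason = throttle.check(account)
        if not allowed:          # daily limit reached: nothing more gets through today
            break
        throttle.record_failure(account)
    allowed, reason = throttle.check(account)
    if not allowed and reason == "temporary lock":
        clock.advance(LOCK_SECONDS)
        allowed, reason = throttle.check(account)
    return clock.now, (allowed, reason)


if __name__ == "__main__":
    for n in (5, 25, 30):
        elapsed, result = simulate_failed_logins(n)
        print(f"{n} failed attempts: {elapsed:.0f} s elapsed, next check -> {result}")
```

The two mechanisms complement each other: the consecutive-failure lock slows a single burst of guesses, while the sliding 24-hour window caps the total even when an attacker patiently waits out every lock. Keeping the window history across successful logins avoids resetting the daily budget whenever a guess happens to succeed.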


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-06_art_32_summarypublic.pdf


publishable_fr_2019-03_transparency_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 20 March 2019
LSA: FR
CSAs: AT, DE-Rhineland-Palatinate, DE-North Rhine-Westphalia, DE-Lower Saxony, DE-Saarland, DE-Mecklenburg-Western Pomerania, DE-Bavaria
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Information to be provided where personal data have not been obtained from the data subject (Article 14)

Decision: No violation
Key words: Transparency, Privacy statement, Consent

Summary of the Decision

Origin of the case
The complaint concerned the information provided to individuals visiting the controller’s websites, as well as the conditions for processing personal data for direct marketing purposes. It was alleged that the controller collected data for advertising purposes without having a privacy statement on its websites.

Findings
Following examination of the complaint, a series of exchanges took place between the LSA’s services and the controller’s marketing department. The controller updated the information provided to individuals visiting its websites, in accordance with Articles 13 and 14 GDPR, by publishing a document entitled ‘General Data Protection Regulation (GDPR)’. The LSA noted the controller’s commitment to pursuing a consent campaign, obtaining data subjects’ consent to the collection and use of their personal data for direct marketing purposes prior to sending newsletters.

Lastly, it was observed that the controller undertakes measures to ensure that every data subject has ‘the possibility to unsubscribe easily and for free’.

Decision
After having observed that the controller responded appropriately and demonstrated compliance with the GDPR, the LSA together with the CSAs agreed to proceed to the closure of the complaint.

Comments
Submitted by a citizen, but not a formal complaint (Art. 77 GDPR)


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-03_transparency_summarypublic_0.pdf


publishable_fr_2019-03_lawfulness_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 22 March 2019
LSA: FR
CSAs: AT, BE, DE-Berlin, DE-Mecklenburg-Western Pomerania, DE-Bavaria (private sector), DE-Lower Saxony
Legal Reference: Right to object (Article 21), Principles relating to processing of personal data (Article 5), Lawfulness of the processing (Article 6), Conditions for consent (Article 7)

Decision: No violation
Key words: Rights of data subjects, Right to object, Lawfulness of processing, e-Commerce, Marketing

Summary of the Decision

Origin of the case
The data subject filed a complaint after facing difficulties in pursuing his right to object and in relation to the information required on the product order form.

Findings
The LSA found that the delay in complying with the right to object was due to the 72 hours required to process such requests, of which the data subject had been informed. Moreover, the request was submitted on a Saturday and the following Monday was a holiday. The controller also took measures to clarify the email address to which such requests can be submitted, and set up a dedicated email address to handle them more efficiently. In addition, the controller no longer requires the date of birth to be provided for an order to be placed. Finally, consent to receive promotional offers from the controller and third parties must be given explicitly by ticking the respective boxes when ordering a product.

Decision
The LSA did not identify any infringement by the controller of the obligations set out in Regulation (EU) 2016/679 (GDPR). The controller did not delay compliance with the request beyond what was reasonable, and adjusted the information required so as to avoid collecting more data than necessary.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-03_lawfulness_summarypublic.pdf


publishable_fr_2019-01_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand to controller

Background information
Date of final decision: 18 January 2019
LSA: FR
CSAs: AT, BE, BG, CZ, DE-Bavaria (priv), DE-Lower Saxony, DE-Rhineland-Palatinate, DE-Saarland, DE-Thuringia, EE, EL, ES, HR, HU, IE, IT, LT, LU, LV, NO, PL, RO, SE, SK, SI, UK
Legal Reference: Transparency and information and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Reprimand to controller
Key words: Right to Erasure, Data Subject Rights not respected, proportionality for proof of identity, Reprimand

Summary of the Decision

Origin of the case
The complainant states that the controller refused his request for erasure. The controller requested a scan of his ID and a specimen of his signature. The complainant argues that neither had been required when the account was created.

Findings
By the time of the decision, the controller had already granted the right to erasure to the complainant without the complainant needing to provide further proof of identity.

However:
1. The controller systematically requested individuals to provide a copy of an identity document in order to exercise their rights, regardless of their country of residence, without establishing reasonable doubts as to the identity of the complainant as required by Article 12(6) GDPR. “The level of verification to be carried out is depending on the nature of the request, sensibility of the communicated information and the context within which the request is being made.”
The controller therefore required disproportionate information for the purpose of verifying the identity of the data subject.
The SA stated that, for “illustrative purposes, it is disproportionate to require a copy of an identity document in the event where the claimant made his request within an area where he is already authenticated. An identity document can be requested if there is a suspicion of identity theft or of account piracy for instance.”

2. A controller may only store information needed for the exercise of individuals’ rights until “the end of legal limitation applicable periods.” During this period, “the data have to be subject to an ‘intermediary’ archiving on a support separate from the active base with a restricted access to authorized persons.”

The LSA references https://www.cnil.fr/fr/limiter-la-conservation-des-donnees.

The SA highlights, under “Finally”, that it acknowledges that the newly applicable data protection rules are leading to “significant adaptations inside the” controller “concerning the exercise of data subjects’ rights.”

Decision
The SA reprimands “the controller for lack of compliance with the law” on the points above.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-01_right_to_erasure_summarypublic.pdf


publishable_dk_2020-02_security_of_processing_article_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Dismissal of the case

Background information
Date of final decision: 5 February 2020

LSA: DK
CSAs: DE-Schleswig-Holstein, FR, SE

Controller: Garnio ApS/Hobbii ApS (Garnio ApS changed its name on 8 April 2019).

Legal Reference: Right of access by the data subject (Article 15), Security of processing (Article 32), Personal data breach (Articles 33 and 34), and Tasks of the Data Protection Officer (Article 39).

Decision: Dismissal of the case

Key words: Data breach, security

Summary of the Decision

Origin of the case
The complainant requested access to his data processed by the controller. As a result of this request, the controller provided the personal data of another individual. The complainant contacted the controller again about the breach but the controller did not reply to the inquiry.

Findings
The LSA found that the data subject in this case was not entitled to complain, as the processing of personal data did not relate to that individual.

Decision
The LSA took note of the security issue and the personal data breach that occurred. This will be taken into consideration when planning audits.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_dk_2020-02_security_of_processing_article_32_summarypublic.pdf
