Summary Final Decision Art 60
Complaint
Reprimand
Background information
Date of final decision: 11 May 2020
LSA: FR
CSAs: ES, PT, UK
Legal Reference: Right to erasure (Article 17)
Decision: Reprimand
Key words: Right to erasure, Data retention
Summary of the Decision
Origin of the case
The data subject requested the controller to delete their personal data and received the controller’s confirmation of the deletion of the data subject’s account and their personal data. However, despite the confirmation, the data subject verified that they still had access to their customer account with the controller. Consequently, the data subject decided to lodge a complaint with the LSA.
Findings
In a first exchange of communications between the LSA and the data controller, the controller stated it had deactivated the complainant’s account the day after their request, but that the deactivation was not effective when the complainant tried to access the account due to a technical malfunction, which was only resolved months later. In a second letter, the controller reported that one of the members of its customer service team had previously obfuscated the sole complainant’s account ID to try to solve the data subject’s difficulty, which prevented the script from functioning and, overall, the deletion of the account.
When the LSA made inquiries of the controller for the second time, the controller had subsequently restored the complainant’s account ID and restarted the script so that the account would effectively be unavailable. The LSA concluded that the controller had not been able to demonstrate the effectiveness of the deletion of the complainant’s data, despite a first confirmation to the complainant and a second one to the LSA.
The controller indicated that it would proceed with the definitive deletion of the complainant’s data at the end of the applicable limitation periods and domestic retention obligations.
Decision
The LSA reprimanded the controller on the need to sort through the complainant’s data to store, in intermediate archives with restricted access, solely the personal data necessary for the exercise of legal claims, or for compliance with legal obligations.
—
This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-05_chapter_iii_-_rights_of_the_data_subject_summarypublic.pdf
Please see also EDPB Copyright page