publishable_uk_2019-08_identity_check_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 3 August 2019

LSA: UK
CSAs: AT, BE, BG, CY, CZ, DE, DK, EL, ES, FI, FR, HR, HU, IE, IT, NO, PL, PT, SE

Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided (Articles 13-14), Right of access (Article 15)

Decision: No violation

Key words: Data subject rights, right of access

Summary of the Decision

Origin of the case
A French complainant asked the controller how to download all of his personal data and the controller went on with the necessary identification verification checks.

Findings
Upon receipt of the identity verification, the controller escalated the request promptly and supplied the data subject with an encrypted file containing his personal data via email, and subsequently with the decryption password. The initial delay in dealing with the matter was due to the fact that the emails from the controller had been sent to the data subject’s spam folder.

Decision
The UK SA found that the controller complied with its obligations under the GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_identity_check_summarypublic.pdf

Please see also EDPB Copyright page

publishable_mt_2019-06_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance Order to Controller

Background information
Date of final decision: 7 June 2019

LSA: MT
CSAs: ES

Legal Reference: Right to erasure (Article 17)

Decision: Compliance order to controller

Key words: Right to erasure, Data subject rights, Accuracy

Summary of the Decision

Origin of the case
A Spanish data subject filed a complaint with the Spanish SA as she was receiving unsolicited phone calls even after having filed an erasure request and such erasure had been confirmed by the data controller.

Findings
The complainant’s phone number was fraudulently provided to the controller by one of its clients.
Since the controller was not aware of this, it tried to contact the client on such phone number. The complainant filed a right of erasure request. During a phone call, the controller erroneously informed the complainant of the need to submit a second erasure request to delete the number from another database held by the controller, whereas only one database existed. Form the call logs provided by the controller it transpires that the complainant phone number was erased from the controller’s database immediately after the first erasure request. All the erasure requests from the complainant were followed by erasure confirmations sent by the controller. The controller couldn’t exclude the possibility that the complainant’s residence’s phone number was fraudulently provided by the same client, also to other entities/lenders and that these entities/lenders may make use of it.

Decision
The LSA instructed the data controller to implement the appropriate technical and organisational measures to make sure that personal data are accurate and, where necessary, kept up to date, and that every reasonable step is taken to ensure that personal data that are inaccurate, having regards to the purposes for which they are processed, are erased or rectified without delay.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_mt_2019-06_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cz_2019-10_lawfulness_of_processing_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order

Background information
Date of final decision: 7 October 2019
LSA: CZ
CSAs: AT, DE-All, HR, SI, SK
Legal Reference: Lawfulness of the processing (Article 6)

Decision: Order to the controller, Infringement of the GDPR
Key words: Lawfulness of processing, Legitimate interest, Data subject rights

Summary of the Decision

Origin of the case
The data subjects filed a complaint with one of the CSAs alleging that the controller published his personal data on its social media page without a legal basis.

Findings
The controller published on its social media page information concerning the complainant and other data subjects, referring to debts which the controller was in charge of collecting. The abbreviated first name and the entire surname of the data subjects, as well as the status of debtor and the amount owed by them were specified. Through a balancing test between the data subjects’ interests and basic rights with the controller’s interests, it was concluded that the controller did not rely on any lawful basis pursuant to Art. 6 GDPR. More specifically, the data subject had not expressed his/her consent; moreover, in the balancing between the legitimate interest pursued by the controller and the interests and rights of the data subject, the latter prevailed, given the significant risk of adverse impact arising
from the publication of negative information about the data subjects’ financial situation.

Decision
The LSA ordered the controller to cease processing the complainant’s personal data and to remove the published personal data within ten business days of the decision. The LSA also ordered the controller to submit a report to LSA on the implementation of the order within five business days of its completion.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cz_2019-10_lawfulness_of_processing_summarypublic.pdf

Please see also EDPB Copyright page

publishable_cy_2019-11_right_of_access_and_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order

Background information
Date of final decision: 12 November 2019
LSA: CY
CSAs: DE-Lower Saxony, DE-Rhineland Palatinate, ES, FR, HU, NO
Controller: Marikit Holdings Ltd.
Legal Reference: Right to erasure (Article 17), Information to be provided to the data subject (Articles 13 and 14)

Decision: Compliance order
Key words: Right to erasure, Compliance with legal obligations, Data subject rights

Summary of the Decision
Origin of the case
The complainant alleged that after opening an account on the controller’s website to participate in a competition, he was not given the possibility to exercise his right to erasure and delete his account.
When the complainant contacted the controller to request the erasure of his account, the controller initially replied that deletion was not possible, proposing to block the account for one year instead.

Findings
In its initial reply to the LSA, the controller alleged that the data subject could not be identified as s/he did not provide the relevant email address. Subsequently, the controller informed the LSA that it would retain the data until it would be reasonably sure that such data would not need to be produced as supporting evidence before regulatory bodies, which could request data for a wide range of purposes. The erasure request was eventually granted after verification that deleting the complainant’s personal data would not lead to an infringement of other legal obligations.

In addition, the LSA found that the information provided to the data subjects in the privacy policy was
insufficient to facilitate the exercise of their rights.

Decision
Since the controller reacted to the erasure request within the timeframe provided in the GDPR and eventually granted it, the LSA found that no corrective measures should be imposed.

Nevertheless, the LSA ordered the controller to revise their privacy policy accordingly and to inform
the LSA of the revision.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_cy_2019-11_right_of_access_and_right_to_erasure_not_granted_summarypublic.pdf

Please see also EDPB Copyright page

publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 29 January 2019
LSA: BE
CSAs: DE (Rhineland-Palatinate), FR
Legal Reference: Right of Access (Article 15), Right to erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subjects (Article 12)

Decision: Compliance order to controller
Key words: Data subject rights, Right of access, right to erasure, transparency

Summary of the Decision
Origin of the case
The complainant requested that the controller shall grant his right to access and following this, grant the right to erasure. The complainant did not receive any reply at all until the date of the complaint, despite the obligation provided in Article 12.3 GDPR, according to which the controller shall inform the data subject about the follow-up of the request within one month since the receipt thereof.

Findings
So far, the controller has not reacted to the initial request for the exercise of the right of access and the right to erasure.

Decision
The SA issued a data subject rights compliance order to the controller on the Right to Access and following this the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Please see also EDPB Copyright page