publishable_uk_2019-08_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Failure to comply with the accuracy principle

Background information
Date of final decision: 3 August 2019

LSA: UK

CSAs: DK, FR, IT, SE

Legal Reference: Principles relating to processing of personal data (Article 5), Right to rectification (Article 16), Right to object (Article 21)

Decision: Failure to comply; no regulatory action.

Key words: Accuracy, e-commerce, individual rights

Summary of the Decision

Origin of the case
A French complainant contacted the controller three times between July and October 2018 asking for his phone number to be disassociated from another person’s account, as he had been receiving text message updates on orders he had never made.

Findings
Although the complainant’s phone number was eventually removed from the other user’s account, the UK SA found that the controller did not comply with its obligations under the GDPR as it did not take sufficient action to assure itself of the accuracy of the personal data it was processing. However, the UK SA recognised that the controller’s standard operating policies and procedures were not followed by the staff in this case and that the controller provided assurances that it reminded its staff of the importance of adhering to such policies.

Decision
The UK SA decided not to take any regulatory action on this complaint.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_right_to_object_summarypublic.pdf

Please see also EDPB Copyright page

publishable_uk_2019-08_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Failure to comply with the accuracy principle

Background information
Date of final decision: 3 August 2019

LSA: UK

CSAs: DK, FR, IT, SE

Legal Reference: Principles relating to processing of personal data (Article 5), Right to rectification (Article 16), Right to object (Article 21)

Decision: Failure to comply; No regulatory action.

Key words: Accuracy, E-commerce, Individual rights

Summary of the Decision

Origin of the case
A French complainant contacted the controller three times between July and October 2018 asking for his phone number to be disassociated from another person’s account, as he had been receiving text message updates on orders he had never made.

Findings
Although the complainant’s phone number was eventually removed from the other user’s account, the UK SA found that the controller did not comply with its obligations under the GDPR as it did not take sufficient action to assure itself of the accuracy of the personal data it was processing. However, the UK SA recognised that the controller’s standard operating policies and procedures were not followed by the staff in this case and that the controller provided assurances that it reminded its staff of the importance of adhering to such policies.

Decision
The UK SA decided not to take any regulatory action on this complaint.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_uk_2019-08_rightofaccess_summarypublic.pdf


publishable_lv_2020-01_transparency_and_information_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 8 November 2019
LSA: LV
CSAs: All SAs

Legal Reference: Transparency (Article 12), Information (Articles 13 and 14)

Decision: Infringement of the GDPR, Fine

Key words: Transparency, Information, E-commerce, Identity of the controller

Summary of the Decision

Origin of the case
The complainant alleged that he did not receive information on the identity of the controller before submitting his order on the online retail platform. Moreover, the complainant contended that the privacy policy available on the website was not in conformity with the GDPR.

Findings
During its investigation, the LSA found that the controller was a Latvian company performing retail sales through several websites, including the one used by the complainant to order his goods.
After establishing the identity of the controller, the LSA found that the privacy policy on the website did not provide information on the identity of the controller, the legal basis of the data processing, its purposes and the way data subjects’ consent is collected.

Decision
The LSA found that the controller did not comply with its obligations under the GDPR and imposed a fine of 150,000 euros.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lv_2020-01_transparency_and_information_summarypublic.pdf


publishable_lu_2019-05_right_to_erasure_not_granted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019
LSA: LU
CSAs: AT, BE, CZ, DE – Mecklenburg-Western Pomerania, DE – Berlin, DE – Lower Saxony, DE – Bavaria (Private sector), DE – Saarland, DE – North Rhine-Westphalia, DK, FR, IT, NO, PL, SE, SI, SK

Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: No infringement of the right to erasure

Key words: Right to erasure, e-commerce, Exercise of the rights of data subjects

Summary of the Decision

Origin of the case
The complainant requested the erasure of his customer account on the controller’s website, and he asserted that the controller did not respond within a month of his request.

Findings
The controller demonstrated that it did not delete the account because the request was lodged via a different email address than the one associated with the customer account. For security reasons, the controller contacted the complainant and asked him to submit the request from the same e-mail address associated with the customer account or, if not possible, to change his login details. The complainant did not take any action and therefore, the controller could not authenticate him as the owner of the customer account.
After receiving the letter from the LSA, the controller contacted the complainant at the e-mail address associated with the customer account and offered to associate his other e-mail address with the customer account.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The CSA to which the complaint was lodged informed the LSA that the complainant was satisfied with the answer from the controller and that the cross-border complaint should be closed.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_right_to_erasure_not_granted_summarypublic.pdf


publishable_lu_2019-05_rightofaccess_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019
LSA: LU
CSAs: AT, BE, CY, CZ, DE – Berlin, DE – Lower Saxony, DE – Rhineland-Palatinate, DE – Bavaria (Private sector), DE – Mecklenburg-Western Pomerania, DK, ES, FI, FR, IE, IT, PL, SE, SK, NO

Legal Reference: Right of access by the data subject (Article 15), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: No infringement

Key words: Right of access, exercise of the rights of the data subject, e-commerce

Summary of the Decision

Origin of the case
The complainant requested access to his personal data held by the controller because his national ID number, his address and his IP address had been blocked by the controller’s platform and he was thus unable to use its services. He wanted to know the reason and therefore requested access to his data.

Findings
The controller demonstrated that it had provided the complainant with access to the data concerning him and his seller account. The controller provided the relevant communication to the LSA and it also clarified that the blockage of the complainant’s information was due to a violation of the controller’s selling policies. The controller also explained that it had granted the complainant the right to appeal the blockage, but instead he tried to circumvent the decision by opening new seller accounts, which were blocked. However, the controller allowed him to create a customer account.

Decision
The LSA found that there had been no violation of the GDPR, since the controller had granted the complainant the right of access to his data. The LSA and the CSA agreed to close the cross-border complaint, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_rightofaccess_summarypublic.pdf


publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019

LSA: LU
CSAs: CZ, DK, ES, FR

Legal Reference: Lawfulness of the processing (Article 6), principles relating to the processing of personal data (Article 5), Security of processing (Article 32)

Decision: No violation

Key words: Lawfulness of the processing, Third party access to personal data, Rights of data subjects, Security of processing, e-commerce

Summary of the Decision
Origin of the case
The complainant states that they received a telegram sent by a third party in which their full name and address were included, as well as an order number. The third party claimed that a parcel he had purchased on the controller’s website had been sent to the complainant. The complainant states that their personal data may have been provided by the controller to the third party, thus violating the complainant’s rights under the GDPR.

Findings
Following an inquiry by the LSA, the controller demonstrated that it was the courier who provided the complainant’s details to the third party. The controller did not find any account on its website containing the personal details of the complainant, and there was no further evidence that the controller provided the personal data of the complainant either to the third party or to the courier.
Therefore, it appears that the personal data relating to the complainant must already have been stored by the courier and were linked by the courier to the order made by the third party.

Decision
The LSA did not identify any infringement of the obligations set out in Regulation (EU) 2016/679 (GDPR) by the controller. The data controller did not provide the third party with the complainant’s personal details and therefore the cross-border complaint should be closed, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic.pdf


publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 10 May 2019

LSA: LU
CSAs: ES, FR, CZ

Legal Reference: Lawfulness of the processing (Article 6), Principles relating to the processing of personal data (Article 5), Right of access (Article 15), Security of processing (Article 32)

Decision: No violation
Key words: Lawfulness of processing, Third party access to personal data, Rights of data subjects, Right of access, Security of processing, e-commerce

Summary of the Decision
Origin of the case
The complainant received a parcel from an unknown person who wanted to return an item that he had purchased on the controller’s website. The complainant’s name and address had been indicated to the third individual as the place to return the parcel he had purchased.

Findings
The third party was a customer of the controller who had bought an item from a seller located in China, from which the complainant had also made a purchase. The personal data of the complainant had been disclosed to the third party by the seller. After conducting an internal inquiry, the controller took corrective measures against the seller and informed the complainant.

Decision
The LSA found that there had been no violation of the GDPR. The LSA and the CSA agreed to close the cross-border complaint, since no further action is required.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lu_2019-05_lawfulnessoftheprocessing_summarypublic_0.pdf


publishable_fr_2020-02_right_to_object_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Reprimand

Background information
Date of final decision: 20 February 2020
LSA: FR
CSAs: LU
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Right to object (Article 21)

Decision: Reprimand
Key words: Right to object, E-commerce

Summary of the Decision

Origin of the case
The complainant received SMS marketing on his phone. Following his objection to the controller, he received another marketing SMS.

Findings
The LSA noted that there was a delay of 48-72 hours in the deletion of the complainant’s data. The controller will now inform individuals exercising their right to object of the above-mentioned delay.

Further, the LSA found that the controller’s procedure for requests to exercise rights required complainants to systematically provide a copy of an identity document, in breach of Article 12(6) GDPR. Also, the information delivered to individuals at the registration stage and when sending direct marketing messages did not meet the objective of transparency, accessibility and clarity set out in Article 12(2) GDPR.

The controller undertook the necessary actions to adjust its procedure to request an identity document only under specific circumstances and to improve the information delivered to individuals at the registration stage and when sending direct marketing messages, for instance detailing the contact addresses for exercising rights.

Decision
The LSA issued a reprimand in accordance with Article 58(2)(b) GDPR.


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2020-02_right_to_object_summarypublic.pdf


publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf

Summary Final Decision Art 60
Investigation

Compliance order

Background information
Date of final decision: 16 December 2019
LSA: FR
CSAs: BE, DE-Rhineland-Palatinate, DK, ES, IT, HU, LU, PL, PT, SE, SK
Legal Reference: Transparency and Information (Articles 12, 13 and 14), Right to erasure (Article 17), Right to object (Article 21), Security of processing (Article 32)

Decision: Order to comply
Key words: Transparency and Information, Right to Erasure, Right to Object, Security of Processing, E-Commerce, Direct Marketing, Children, Consumers

Summary of the Decision

Origin of the case
The LSA conducted two on-site investigations at the controller’s premises to audit the controller’s compliance with the GDPR and tested the procedure set up by the controller to create an account.

Findings
The controller is a company offering subscriptions to educational magazines for children. On the basis of the investigation, the LSA found several GDPR infringements. First of all, several breaches of the obligation to inform data subjects, enshrined in Articles 12 and 13 GDPR, were identified. Neither information relating to data protection nor a link to the controller’s Terms and Conditions was given to the data subjects upon registration or when placing an order. As a consequence, the information was considered not to be accessible enough.
The Terms and Conditions did not include any information on the legal basis for processing, on the retention period or on the individual rights to restriction of processing, data portability, or to lodge a complaint with a supervisory authority. Although the target audience was French-speaking and the website is fully in French, the “unsubscribe” button in the newsletter and marketing emails was hyperlinked to a text in English asking for confirmation. An additional hypertext link was included on the final page (titled “Clicking here”): this is misleading for the user, as clicking on that link actually resulted in a new subscription.

Secondly, a breach of the obligation to comply with the request to erase data was identified, as personal data was not erased systematically when requested by data subjects although there was no legal requirement to keep it and although users had been informed of the erasure of the data.

Last, there was a breach of the obligation to ensure the security of data, concerning passwords, locking of workstations, and access to data. More specifically, the password requirements and the methods for processing the passwords were found to be non-compliant with the obligation to implement technical and organisational measures ensuring a level of security appropriate to the risk, since authentication was based on insufficiently complex passwords and obsolete hash algorithms. Additionally, the computer used by one of the database administrators was configured never to lock automatically or go into sleep mode. With regard to access to data, the absence of individual identification (i.e. the use of the same account by several people) made it impossible to ensure the traceability of access.

Decision
The LSA ordered the controller to comply, within two months of the notification of the decision, with several specific instructions.
First, the controller was ordered to provide full information to data subjects about the processing activities, in an easily accessible manner. Additionally, the LSA ordered the controller to set up a procedure for unsubscribing that is compliant with Articles 12 and 21 GDPR.
Secondly, the controller was ordered to ensure the effectiveness of all requests to exercise the right of erasure.
Last, the authority ordered the controller to take appropriate security measures to protect personal data and prevent access to it by unauthorised third parties (by setting up a new password policy, avoiding the transmission of passwords in clear text, ensuring that workstations go into sleep mode, and setting up individual accounts).


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-12_right_to_be_informed_summarypublic.docx_validated.pdf


publishable_fr_2019-06_art_32_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 17 June 2019
LSA: FR
CSAs: BE, ES, LU, DE-Lower Saxony, DE-Rhineland-Palatinate, DE-Berlin, IT
Legal Reference: Security of processing (Article 32)

Decision: No violation of art. 32 GDPR and recommendation on the adoption of technical measures
Key words: Consumers, e-commerce, security of data

Summary of the Decision

Origin of the case
This case concerned a complaint lodged by a data subject regarding the fact that the username and password for access to a website operated by the controller were given to him via a plain text email.

Findings
After correspondence with the controller, the LSA reached the conclusion that the controller did not communicate plaintext passwords to its users or store them in its databases. However, the LSA found that, despite its assertions to the contrary, the controller did not operate a captcha system and only operated an access temporization of 1 second between attempts.

Decision
The LSA closed the case regarding the complaint and recommended that the controller introduce a captcha system, increase the access temporization to 1 minute after 5 failed attempts, and introduce a limit of 25 attempts within 24 hours.
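As an added illustration (not the controller’s code or part of the decision), the following Python login throttle implements the policy the LSA recommended above: the existing 1-second temporization, a 1-minute wait once 5 consecutive attempts have failed, and a cap of 25 attempts within 24 hours. It assumes the 24-hour cap counts failed attempts only and that the caller supplies the clock value; the captcha is left to the web layer.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Policy parameters taken from the summary above. Counting only failed
# attempts against the 24-hour cap is an assumption made for this example.
BASE_DELAY_SECONDS = 1.0      # the controller's existing 1-second temporization
LOCK_AFTER_FAILURES = 5       # consecutive failures that trigger the longer wait
LOCK_SECONDS = 60.0           # recommended wait of 1 minute
MAX_FAILURES_PER_WINDOW = 25  # recommended limit of 25 attempts ...
WINDOW_SECONDS = 24 * 3600    # ... within 24 hours


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0                       # epoch seconds
    failures: deque = field(default_factory=deque)  # failure timestamps in window


class LoginThrottle:
    """Per-username throttle; `now` is passed explicitly so it is testable."""

    def __init__(self):
        self._state = defaultdict(AccountState)

    def _prune(self, st, now):
        # Drop failures that have aged out of the 24-hour window.
        while st.failures and now - st.failures[0] >= WINDOW_SECONDS:
            st.failures.popleft()

    def check(self, username, now):
        """Return (status, seconds) before verifying credentials.

        status is "allowed" (seconds = delay to impose before answering),
        "locked" (seconds until the 1-minute wait ends) or "capped"
        (seconds until the oldest failure leaves the 24-hour window).
        """
        st = self._state[username]
        self._prune(st, now)
        if now < st.locked_until:
            return "locked", st.locked_until - now
        if len(st.failures) >= MAX_FAILURES_PER_WINDOW:
            return "capped", WINDOW_SECONDS - (now - st.failures[0])
        return "allowed", BASE_DELAY_SECONDS

    def record(self, username, success, now):
        """Update state after the credential check has been performed."""
        st = self._state[username]
        if success:
            st.consecutive_failures = 0
            st.locked_until = 0.0
            return
        st.failures.append(now)
        st.consecutive_failures += 1
        if st.consecutive_failures >= LOCK_AFTER_FAILURES:
            # Every failure from the fifth onwards costs another full minute.
            st.locked_until = now + LOCK_SECONDS

    def attempt(self, username, password_ok, now):
        """Apply the policy to one attempt and return its outcome."""
        status, _wait = self.check(username, now)
        if status != "allowed":
            return status
        self.record(username, password_ok, now)
        return "ok" if password_ok else "fail"
```

The `check` step runs before the password is verified so that a locked or capped account never reaches the credential store, and the per-username state should live in shared storage when more than one login server is deployed.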


Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-06_art_32_summarypublic.pdf
