publishable_de-brandenburg_2019-10_right_of_access_summarypublic.pdf

Summary Final Decision Art 60
Complaint

No infringement of the GDPR

Background information
Date of final decision: 2 October 2019
LSA: DE-Brandenburg
CSAs: AT, BE, DE-Berlin, DE-Hesse, DE-Lower Saxony, DE-Mecklenburg-Western Pomerania, DE-North Rhine-Westphalia, DE-Saarland, DE-Thuringia, DK, ES, FR, HU, IT, LU, NO, PL

Legal Reference: Right of access (Article 15), Principles relating to processing of personal data
(Article 5)

Decision: No infringement of the GDPR
Key words: Right of Access, Legal Age, Verification Process

Summary of the Decision
Origin of the case
The complainant requested access to his personal data processed by the controller. The controller verified the data subject’s identity, and subsequently informed the complainant that his account had been suspended due to a discrepancy between the information concerning his age on his account and the information he had provided for the verification of his identity for the request.
Since he was 15 years old at the time and thus a minor, he was also asked to send parental consent, a copy of his ID card and of his birth certificate, in order to access his personal data. The complainant filed a complaint to the CSA on the basis that the information he had provided for the verification process was wrongly used to suspend his account, instead of being used for the process of giving access to personal information.

Findings
The controller underlined that at the time of the request there was no standardised process in place within the company for requests by minors, since the contractual relationship between the controller and the data subjects depends on the fact that the data subjects are adults. Quickly after the controller requested additional documentation for parental consent, this request was set aside and access to personal data was in fact given to the complainant. Finally, further measures were taken by the controller to improve the data access process.

Decision
The request for information was answered in due time and the controller’s verification process has been modified in a suitable manner. The LSA therefore found that there was no infringement of the GDPR.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_de-brandenburg_2019-10_right_of_access_summarypublic.pdf

Please see also EDPB Copyright page