publishable_lv_2020-01_transparency_and_information_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Infringement of the GDPR

Background information
Date of final decision: 8 November 2019
LSA: LV
CSAs: All SAs

Legal Reference: Transparency (Article 12), Information (Articles 13 and 14)

Decision: Infringement of the GDPR, Fine

Key words: Transparency, Information, E-commerce, Identity of the controller

Summary of the Decision

Origin of the case
The complainant alleged that he did not receive information on the identity of the controller before submitting his order on the online retail platform. Moreover, the complainant contended that the privacy policy available on the website was not in conformity with the GDPR.

Findings
During its investigation, the LSA found that the controller was a Latvian company performing retails sales through several websites, including the one used by the complainant to order his goods.
After establishing the identity of the controller, the LSA found that the privacy policy on the website did not provide information on the identity of the controller, the legal basis of the data processing, its purposes and the way data subjects’ consent is collected.

Decision
The LSA found that the controller did not comply with his obligations under the GDPR and imposed a fine of 150,000 euros.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_lv_2020-01_transparency_and_information_summarypublic.pdf

Please see also EDPB Copyright page

publishable_li_2019-07_rightofaccessnotgranted_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 21 August 2019
LSA: LI
CSAs: DE-Lower Saxony
Legal Reference: Principles relating to processing of personal data (Article 5), Lawfulness of processing (Article 6), Conditions for consent (Article 7), Right of access by the data subject (Article 15, Security of processing (Article 32)

Decision: Compliance order to controller
Key words: Consent, Transparency

Summary of the Decision
Origin of the case
The complainant lodged a complaint with the Commissioner for Data Protection of Lower Saxony, alleging he received unsolicited personalised advertising. In its reply to the data subject’s right of access request, the controller had stated that the complainant’s personal data was the result of a prize competition in which he had allegedly participated consenting to the use of his data for marketing purposes by the controller or its sponsors.

Findings
In its assessment of the validity of the consent provided by the complainant, the LI SA found that the text explaining the checkbox for consent was inconsistent with the privacy policy, which referred to a wider range of processing activities and a larger number of recipients: thus, the consent was not legally valid and Articles 5(1)(a), 6 and 7 GDPR were violated.
Furthermore, the LI SA found that the controller did not comply with Article 15 GDPR as it did not appropriately provide the data subject with information on the purposes of the processing of personal data, the recipients and the storage period.
In addition, violations of Article 32 GDPR were also identified: first, the technical and organizational measures implemented by the processor (e.g. double opt-in procedure) were not sufficient to prevent the misuse of personal data; secondly, the unauthorized entry of data could not be traced back due to the deletion of the link relating to the generated lead after a 30-day period.

Decision
The LI SA required the controller to take the following required steps within three months:

– seek consent in accordance with Article 7 GDPR and revise the Terms and Conditions and Privacy Notice of the prize competition;

– implement further technical and organisational measures;

– ensure that the author or source of the manipulation can be identified.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_li_2019-07_rightofaccessnotgranted_summarypublic.pdf

Please see also EDPB Copyright page

publishable_fr_2019-03_transparency_summarypublic_0.pdf

Summary Final Decision Art 60
Complaint

No violation

Background information
Date of final decision: 20 March 2019
LSA: FR
CSAs: AT, DE – Rhineland-Palatinate, DE – North-Westphalia, DE – Lower Saxony, DE- Saarland, DE – Mecklenburg-Western Pomerania, DE – Bavaria
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Information to be provided where personal data have not been obtained from the data subject (Article 14)

Decision: No violation
Key words: Transparency, Privacy statement, Consent

Summary of the Decision

Origin of the case
The complaint concerned the information delivered to individuals visiting the controller’s websites as well as the conditions for processing personal data for the purposes of direct marketing. It was alleged that the controller collects data for advertising purposes without having privacy statement on its websites.

Findings
Following examination of the complaint, a series of exchanges between LSA services and the marketing service of the controller took place. The controller updated the information delivered to individuals visiting its websites, in accordance with Articles 13 and 14 of the GDPR, by the publication of a document entitled ‘General Data Protection Regulation (GDPR)’. The LSA noted controller’s commitment in pursuing a consent campaign for the collection and the use of personal data for the purposes of direct marketing from data subjects, prior to sending newsletters.

Lastly, it was observed that the controller undertakes measures to ensure that every data subject has ‘the possibility to unsubscribe easily and for free’.

Decision
After having observed that the controller responded appropriately and demonstrated compliance with the GDPR, the LSA together with the CSAs agreed to proceed to the closure of the complaint.

Comments
Submitted by a citizen, but not a formal complaint (Art. 77 GDPR)


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_fr_2019-03_transparency_summarypublic_0.pdf

Please see also EDPB Copyright page

publishable_dk_2019-10_right_to_erasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR

Background information
Date of final decision: 25 October 2019
LSA: DK
CSAs: AT, BE, CY, DE, ES, FI, FR, HU, IT, LU, NL, NO, SE, SK, UK
Controller: PANDORA A/S
Legal Reference: Principles relating to processing of personal data (Article 5), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Right to erasure (Article 17)

Decision: Order to take a decision regarding the fulfilment of the conditions for erasure under Article 17 GDPR and a reprimand to the controller.
Key words: Right to erasure, Data subjects’ rights, Transparency

Summary of the Decision

Origin of the case
The complainant requested to have his personal data deleted from the controller’s database. The controller replied that, before processing his erasure request, a proof of identification was necessary to confirm his identity. As the complainant refused to comply with the controller’s demand, his data were not deleted.

Findings
The LSA found that the controller’s procedure under which ID validation was required without exception when processing a data subject’s request was not in conformity with Article 12(6) and Article 5(1)(c) GDPR. The LSA also found that, under the controller’s procedure, data subjects had to provide more information than initially collected in order to have their request processed.
Consequently, the controller’s procedure for ID validation went beyond what was required and made burdensome for data subjects to exercise their rights.

Decision
The LSA criticized that the processing by the controller had not been done not in accordance with Article 12(6) and Article 5(1)(c) GDPR. It ordered the controller to decide within two weeks whether the conditions for erasure present in Article 17 GDPR were met and, if so, delete the complainant’s data.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_dk_2019-10_right_to_erasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_be_2019-01_righttoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: Before 29 January 2019
LSA: BE
CSAs: DK, ES, NO
Legal Reference: Right to Erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12)

Decision: Compliance order to controller
Key words: Transparency, Compliance order

Summary of the Decision
Origin of the case
The complainant received an email on the update of the privacy policy of the controller. The complainant sent a mail to the controller requesting the erasure of the complainant’s data. The controller informed that it would need 60 more days to execute the request. By September 2018, the complainant hadn’t received any confirmation, despite the obligation to the controller in Art 12.3 GDPR.

Findings
The period in which the Controller has to inform the complainant on the action taken to exercise the right of erasure has expired. The SA stated that “it is obvious that the deadline has been exceeded at all levels”.

Decision
The SA has issued a Data subject rights compliance order to the controller on the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_righttoerasure_summarypublic.pdf

Please see also EDPB Copyright page

publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Summary Final Decision Art 60
Complaint

Compliance order to controller

Background information
Date of final decision: 29 January 2019
LSA: BE
CSAs: DE (Rhineland-Palatinate), FR
Legal Reference: Right of Access (Article 15), Right to erasure (Article 17), Transparent information, communication and modalities for the exercise of the rights of the data subjects (Article 12)

Decision: Compliance order to controller
Key words: Data subject rights, Right of access, right to erasure, transparency

Summary of the Decision
Origin of the case
The complainant requested that the controller shall grant his right to access and following this, grant the right to erasure. The complainant did not receive any reply at all until the date of the complaint, despite the obligation provided in Article 12.3 GDPR, according to which the controller shall inform the data subject about the follow-up of the request within one month since the receipt thereof.

Findings
So far, the controller has not reacted to the initial request for the exercise of the right of access and the right to erasure.

Decision
The SA issued a data subject rights compliance order to the controller on the Right to Access and following this the Right of Erasure.


This text has been converted automatically from the PDF available via
https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-article-60-final-decisions_en
using Apache Tika to allow for a better search. This might result in some characters being mangled.
Please see the original file for the official wording at
https://edpb.europa.eu/sites/edpb/files/article-60-final-decisions/summary/publishable_be_2019-01_rightofaccessandtoerasure_summarypublic.pdf

Please see also EDPB Copyright page