IDPC (Malta) - EDPBI:MT:OSS:D:2019:70: Difference between revisions
No edit summary |
No edit summary |
||
Line 61: | Line 61: | ||
=== Holding === | === Holding === | ||
The Commissioner considered that the controller did not have adequate procedures in place to deal with access requests which resulted in the complainant actually being deprived of her right to access her data within the timeframe stipulated within the Regulation. | |||
== Comment == | == Comment == | ||
Relatively high fine compared to other decisions on a failure to comply with the the right of access to personal data. | |||
Also important because this decision was made in a cross-border situation, through the one-stop-shop mechanism, and other authorities did not raise objections to this decision by the IDPC. | |||
== Further Resources == | == Further Resources == |
Revision as of 16:14, 8 February 2022
IDPC (Malta) - | |
---|---|
Authority: | IDPC (Malta) |
Jurisdiction: | Malta |
Relevant Law: | Article 15 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 28.10.2019 |
Published: | |
Fine: | 8000 EUR |
Parties: | n/a |
National Case Number/Name: | |
European Case Law Identifier: | EDPBI:MT:OSS:D:2019:70 |
Appeal: | Not appealed |
Original Language(s): | English English |
Original Source: | EDPB (in EN) EDPB (in EN) |
Initial Contributor: | n/a |
The Maltese supervisory authority imposed a fine of €8000 on a controller for failing to respond to an access request.
English Summary
Facts
The complainant requested access to their personal data, but did not obtain a response from the controller (a bank). Upon investigation by the IDPC (Malta) the controller initially claimed that a response had been provided to the complainant. However, upon further investigation, the controller admitted that the response had not been sent. According to the controller the response had not been sent due to a mistake made by an individual employee, who had applied restrictive settings to their mailbox. Moreover, it found that said employee left the company without a proper transfer of the case to another employee.
Holding
The Commissioner considered that the controller did not have adequate procedures in place to deal with access requests which resulted in the complainant actually being deprived of her right to access her data within the timeframe stipulated within the Regulation.
Comment
Relatively high fine compared to other decisions on a failure to comply with the the right of access to personal data.
Also important because this decision was made in a cross-border situation, through the one-stop-shop mechanism, and other authorities did not raise objections to this decision by the IDPC.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Information and Data Protection Commissioner Vs COMPLAINT Reference is made to the complaint (registered internally with file number CDP/IMI/LSA/17/2019) received from the Polish Office for Personal Data Protection concerning ("the complainant") who is alleging that ("the controller" or " ")breached her 1 data protection rights, as enshrined under the General Data Protection Regulation ("GDPR" or the "Regulation"). The complainant contended that the controller did not comply with her right of access request in terms ofArticle 15 ofthe GDPR within the established thirty (30) days' time frame. From the information provided by the complainant, it transpires that she filed her right ofaccess request on the 3'd ofOctober 2018 and on the 5th February 2019, the date when she filed the complaint with the Polish DPA, the controller did not yet provide her with a reply. INVESTIGATION As part of the investigation process, on the 26th of July 2019, through an email, the Commissioner requested the controller to put forward their submissions on the allegation raised by the complainant. The submissions, that were received through an email on the 9th ofAugust 2019, contained a letter that supposedly was sent to the complainant on the 4th of October 2018, the day after the complainant's request was received by ,together with the file containing the copy of her data. As this letter was in the Polish language, the Commissioner kindly requested the controller to provide an English translation. On the 12th ofAugust 2019, the Commissioner was informed, through an email, that while working on the English translation, realised that neither the letter nor the file containing the personal data was ever sent to the complainant, due to (verbatim) "a wrong use ofthe security classification settings by the 's employee with access to the mailbox ( ) used to correspond with the said customer [the complainant]". The security classification was set to be 1 Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC(General Data Protection Regulation) Airways Hause, Second Floor\. 1+3561 23287100 H i g hStreet, Slie1549LM 8 idpc.infa@idpc.org.mt MALTA. e www.idpc.arg.mt,idf;!C. PROJ'ECTION COMMISSlDN�olo "Internal only". This setting does not allow communications to be sent outside the organization's network domain. Following an internal investigation on this matter, the controller found out that (verbatim) "after internal organizational changes the person in charge of this particular customer request left the company without concluding the case and ensuring that a reply wasproperly sent to the customer. For this reason, the file containing the list ofpersonal data processed by [ has not reach the customer, together with the usual letter sent to customer'sfollowing a Data Subject Access Request". The same day the error on the email setting was discovered, meaning on the 12th August 2019, in order to immediately address the incident, sent the complainant another email apologising for the late reply, attaching a letter giving details about the processing of personal data, together with the requested information in the form ofa PDF file. On the 13th ofAugust, the Commissioner requested a copy ofthe above-mentioned email and attached PDF file, as evidence that action has been taken in that regard. The copy was eventually received on the 14th August 2019. The controller was further requested, through an email dated 19th August 2019, to put forward further submissions on the organizational and security measures implemented following this incident, to prevent such a similar incident from occurring again. From this submission, received on the 23rd August 2019, it transpires that now has extended its backup continuity procedure to ensure that customers' requests to exercise their rights under the GDPR are addressed promptly, (verbatim) "The procedure is designed to ensure an adequatefollow-up and mirroring ofthe tasks within the Customer Service Unit. All the customer requests are nowfollowed-up by twopersons, one been the main contact (principal) and a second person following the correspondence as a back-up, with the capability to intervene when the principal is not capable ofdoing so. The principal is a senior Customer Service Agent while the "back-up" is either a Senior Team Member or a senior customer service officer having experience and knowledge on the various internalprocedures regarding the types ofrequests received at by the Customer Services team. In case thefirst contact is away, sick or unavailable, the back-up is able to take over the tasks ifthese are notfinalizedor achieved, thereby closing ofthe customer requests without impacting the customer negatively. Controls andchecks have been integratedwithin theprocess in order to avoid such an incidentfrom occurring again in thefuture".,DECISION On the basis of the foregoing the Commissioner considers that did not have adequate procedures in place to deal with subject access requests, resulting with the complainant actually deprived of her right to access her data within the timeframe stipulated within the Regulation. Consequently, the data controller is found to be in violation ofArticle: 15 of the GDPR. After having taken into consideration: the controller's degree ofcooperation with this Office; that the controller took immediate action to comply with the complainant's request as soon as the error in the security settings ofthe mail box used to communicate with the complainant was discovered; that the controller has now in place a better procedure introducing measures to improve the process to deal with the customers' requests to exercise their rights under the GDPR and to keep within the legal timeframes; and also giving due regard to the circumstances contemplated under Article 83.2 of the GDPR and taking into account Article 83.1, is hereby being served with an administrative fine of eight thousand euros (€ 8,000). The administrative fine shall be paid to the Commissioner within twenty-five (25) days from receipt of this decision. In addition, is hereby being instructed to implement the appropriate technical measures to further enhance the measures already in place. A copy ofthis decision is also being sent to the Polish Office for Personal Data Protection. Information and Data Protection Commissioner Today, the day ofOctober, 2019