IDPC (Malta) - CDP/IMI/LSA/17/2022: Difference between revisions
Revision as of 11:13, 4 November 2022
IDPC - CDP/IMI/LSA/17/2022 |
---|---
Authority: | IDPC (Malta)
Jurisdiction: | Malta
Relevant Law: | Article 12(1) GDPR; Article 12(3) GDPR; Article 17(1) GDPR; Article 17(3) GDPR; Article 56 GDPR; Article 60 GDPR
Type: | Complaint
Outcome: | Upheld
Started: | 28.05.2020
Decided: | 28.02.2022
Published: | n/a
Fine: | n/a
Parties: | n/a
National Case Number/Name: | CDP/IMI/LSA/17/2022
European Case Law Identifier: | EDPBI:MT:OSS:D:2022:340
Appeal: | n/a
Original Language(s): | English
Original Source: | EDPB (in EN)
Initial Contributor: | n/a
In an Article 60 GDPR procedure, the DPA of Malta reprimanded a controller (Article 58(2)(b) GDPR) for requiring the data subject to sign an agreement before it would process his erasure request. The controller was also ordered to reply to the request (Article 58(2)(d) GDPR).
English Summary
Facts
The data subject stated that he opened an account with the controller in October 2019 to carry out a few operations on the stock market. He stated that in December 2019 he requested the controller to close his account. However, the controller did not close his account and was still sending him messages. The data subject stated that the controller had requested him to sign an agreement in order to close his account, because such an agreement had not been signed upon subscription. The data subject also stated that one day before he submitted his complaint to the DPA, he received a document from the controller's external auditor, who requested that the data subject confirm his balance at the end of the previous year and sign the document. This document showed not only his personal data, but also data of other customers, including postal addresses, surnames and account balances.
Based on the e-mails exchanged, the DPA determined that on 23 February 2020 the data subject had in fact requested the controller to close his account, pursuant to Article 17 GDPR, and to unsubscribe him from e-mail notifications. The controller replied on 24 May 2020, indicating the procedure to unsubscribe from e-mail notifications. The data subject answered the same day, stating that he was not able to close his account using this procedure.
On 26 May 2020 the controller asked the data subject to sign and return the subscription agreement, because this agreement had not been signed upon subscription. The data subject replied on the same day, stating that he was still receiving e-mails despite having requested the controller to remove him from its server. He also refused to sign the agreement and pointed out that the controller had already stated that the account would be deleted, which apparently had not happened yet.
The data subject also received a document from the controller's external auditor, who requested the data subject to confirm his portfolio holdings and cash balances held by the controller. This document showed not only the data subject's balances, but also those of other third parties.
The controller stated that it was obliged to keep customer data for 5 years to comply with national law for the purpose of preventing money laundering and the funding of terrorism.

The data subject submitted a complaint against the controller to the Spanish DPA. The Spanish DPA transferred the case to the Information and Data Protection Commissioner of Malta (DPA), which decided to handle the case as lead supervisory authority pursuant to Article 56 GDPR. The DPA therefore handled the complaint under Article 60 GDPR and started an investigation into the controller.
Holding
Document containing personal data of third parties
The DPA held that data subjects can only lodge a complaint with a supervisory authority if the allegedly infringing processing concerns the data subject. This part of the complaint was dismissed, since it concerned personal data of third parties disclosed in the document. However, the DPA reserved the right to start a separate investigation into this alleged data breach.

The DPA proceeded to examine the erasure request and the timing of the request, pursuant to Article 57(1)(f) GDPR.
Erasure request
The DPA held that the controller must delete personal data without undue delay when a request is made pursuant to Article 17 GDPR. This is different, however, when Article 17(3) applies, which provides that Article 17(1) and 17(2) do not apply where processing is necessary for certain specific purposes or compelling requirements described in that provision. The DPA went on to state that Article 17(3)(b) GDPR provides that the right to erasure does not apply where the controller has a legal obligation to process the data, or processes it for a task carried out in the public interest or in the exercise of official authority vested in the controller.

The DPA agreed with the controller that it had to keep the personal data to comply with national law. Because the data subject's account had been closed on 26 May 2020, the 5-year period had not elapsed at the time the data subject filed his complaint with the DPA. The DPA therefore concluded that Article 17(1) GDPR did not apply, because the processing was necessary to comply with a legal obligation.
Timing of the request
The DPA determined that the controller violated Article 12(3) GDPR, because it failed to provide the data subject with information on the action taken on the erasure request within one month of receipt of the request. Instead, it had requested the data subject to sign the subscription agreement. The DPA stated that any failure on the controller's part to fulfil its own procedural obligations, in this case obtaining the signed subscription agreement, is independent of and has no effect on the exercise of the data subject's data protection rights.

The DPA also determined that the controller did not follow its own guidelines on how to handle erasure requests, and had therefore acted negligently when the request was not handled in a timely manner, as prescribed in Article 12(3) GDPR.

The DPA reprimanded the controller pursuant to Article 58(2)(b) GDPR and held that, in the case of a similar infringement in the future, it would impose a fine. The DPA also ordered the controller to provide an answer to the erasure request, pursuant to Article 58(2)(d) GDPR. This reply had to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and in particular had to include information on the specific regulation that obliges the controller to store personal data for the specific timeframe (Article 12(1) GDPR).