IDPC (Malta) - CDP/IMI/LSA/17/2022: Difference between revisions
Revision as of 10:28, 8 November 2022
| IDPC - CDP/IMI/LSA/17/2022 | |
|---|---|
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 12(1) GDPR, Article 12(3) GDPR, Article 17(1) GDPR, Article 17(3) GDPR, Article 56 GDPR, Article 60 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 28.05.2020 |
| Decided: | 28.02.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | CDP/IMI/LSA/17/2022 |
| European Case Law Identifier: | EDPBI:MT:OSS:D:2022:340 |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | EDPB (in EN) |
| Initial Contributor: | n/a |
In an Article 60 GDPR procedure, the DPA of Malta reprimanded a controller (Article 58(2)(b) GDPR) for requesting the data subject to sign an agreement before it would process his erasure request. The controller was also ordered to reply to the request (Article 58(2)(d) GDPR).
English Summary
Facts
The data subject stated that he opened an account with the controller in October 2019 to carry out a few operations on the stock market. He stated that in December 2019, he requested the controller to close his account. However, the controller did not close his account and still sent him messages. The data subject stated that the controller had requested him to sign an agreement in order to close his account, because this agreement had not been signed upon subscription. The data subject also stated that one day before he submitted his complaint to the DPA, he received a document from the controller's external auditor, who requested the data subject to confirm his balance at the end of the previous year and sign the document. In this document, not only his own personal data were shown, but also data of other customers, including postal addresses, surnames and account balances.
The DPA determined, based on the e-mails exchanged, that it was actually on 23 February 2020 that the data subject requested the controller to close his account and unsubscribe him from e-mail notifications. The controller replied on 24 May 2020 describing the procedure to unsubscribe from e-mail notifications. The data subject answered the same day stating that he was not able to close his account using this procedure.
On 26 May 2020, the controller asked the data subject to sign and return the subscription agreement, because this agreement had not been signed upon subscription. The data subject replied on the same day stating that he was still receiving e-mails despite the fact that he had requested the controller to remove him from its server. The controller replied that once the data subject signed the agreement, the controller would close the account and the data subject would no longer receive any e-mails. The data subject refused to sign the agreement and stated that the controller had already confirmed that the account would be deleted, which apparently had not happened yet.
On 27 May 2020, the data subject also received a document from the controller's external auditor, who requested the data subject to confirm his portfolio holdings and cash balances held by the controller. In this document, not only the data subject's balances were shown, but also those of other third parties.
The data subject submitted a complaint to the Spanish DPA against the controller. The Spanish DPA transferred the case to the Information and Data Protection Commissioner of Malta (DPA), which decided to handle the case as lead supervisory authority pursuant to Article 56 GDPR. Therefore, the DPA handled the complaint in terms of Article 60 GDPR and started an investigation into the controller.
During the investigation, the controller stated that it was a company performing investment services and was therefore subject to various obligations. The controller stated that it was, amongst other things, subject to a yearly audit by an independent third party, and that the processing of personal data was necessary to comply with this legal obligation. The controller made specific reference to Article 17(3)(b) GDPR and stated that it had not deleted all the data in order to comply with its legal obligation, despite the erasure request of the data subject. The controller further stated that it was obliged to keep data to comply with its anti-money laundering obligations. The controller also stated that its request for the data subject to sign the agreement had nothing to do with the erasure request and was likewise necessary to comply with its legal obligations. The controller acknowledged the data subject's right to erasure, but stated that none of the grounds under Article 17(1) GDPR applied in this case.
In an answer to a follow-up request from the DPA, the controller specified that it relied on Article 6(1)(c) GDPR for its processing. It also provided an 'Operation Department manual procedure', which contained the procedure for handling erasure requests, and its 'compliance manual'. The controller also reiterated that it had asked the data subject to sign the contract but that the data subject had refused. The controller also provided screenshots to prove that it had closed the account of the data subject.
Holding
Document containing personal data of third parties
The DPA held that data subjects can only lodge complaints with a supervisory authority if the possibly infringing processing concerns the data subject (Article 77(1) GDPR). This part of the complaint was dismissed since it concerned personal data of third parties disclosed in the document; the data subject himself was not affected by this. However, the DPA reserved the right to start a separate investigation into this alleged data breach.
The DPA proceeded to examine the erasure request and the timing of the request, pursuant to Article 57(1)(f) GDPR.
Erasure request
The DPA held that the controller must delete personal data without undue delay when a request is made pursuant to Article 17 GDPR. However, this is different when Article 17(3) applies, which provides that Article 17(1) and 17(2) do not apply when processing is necessary for the specific purposes or compelling requirements listed in those provisions. The DPA continued by stating that Article 17(3)(b) GDPR provides that the right to erasure does not apply when the controller has a legal obligation to process the data, or processes it for a task in the public interest or in the exercise of official authority vested in the controller.
The DPA agreed with the controller that it had to keep the personal data to comply with national law, specifically Subsidiary Legislation 373.01. Article 13(2) of this regulation states that, under certain conditions, specific data must be retained for 5 years commencing from triggering events prescribed in the provision. The DPA determined that the controller was subject to this provision.
Because the data subject's account had been closed on 26 May 2020, the 5 year period had not elapsed at the time the data subject filed his complaint with the DPA. Therefore, the DPA concluded that Article 17(1) GDPR did not apply, because the processing was necessary to comply with the legal obligation in Article 13(2) of S.L. 373.01.
Timing of the request
The DPA determined that the controller violated Article 12(3) GDPR, because it failed to provide the data subject with information on the action taken regarding the erasure request within one month of receipt of the request. Instead, it had requested the data subject to sign the subscription agreement. The DPA stated that any failure on the controller's part to fulfil its own procedural obligation, in this case the signing of the subscription agreement, is independent of, and has no effect on, the exercise of the data subject's data protection rights.
The DPA also determined that the controller did not follow its own guidelines (described in the 'Operations department manual') on how to handle erasure requests, which was an indicator that the controller had acted negligently when the request was not handled in a timely manner, as prescribed in Article 12(3) GDPR. The DPA also referred to the WP29 Guidelines 17/EN WP 253 (p. 12) to support its argument.
The DPA reprimanded the controller pursuant to Article 58(2)(b) GDPR and held that in case of a similar infringement in the future, the DPA would impose a fine. The DPA also ordered the controller to provide an answer to the erasure request, pursuant to Article 58(2)(d) GDPR. This reply had to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular by including information on the specific regulation which obliges the controller to store the personal data for the specific timeframe (Article 12(1) GDPR).