IDPC (Malta) - CDP COMP 583 2022: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by the same user not shown) | |||
Line 68: | Line 68: | ||
In 2022, The data subject informally requested a correction to her name and marriage date, which was denied. The data subject tried again formally, explaining her situation and supplying her marriage certificate, which showed the correct details for her spouse and marriage date. This was again rejected by the controller on the grounds that it was the data subjects' responsibility to ensure that her information was correct when filling out the forms. Moreover, the controller argued that they were under no legal obligation to change this data. This was not simply an issue of "correcting details", but would require a complete change in the personal details of her alleged husband. | In 2022, The data subject informally requested a correction to her name and marriage date, which was denied. The data subject tried again formally, explaining her situation and supplying her marriage certificate, which showed the correct details for her spouse and marriage date. This was again rejected by the controller on the grounds that it was the data subjects' responsibility to ensure that her information was correct when filling out the forms. Moreover, the controller argued that they were under no legal obligation to change this data. This was not simply an issue of "correcting details", but would require a complete change in the personal details of her alleged husband. | ||
The data subject complained to the Maltese DPA that the controller refusal to corrrect her personal data breached her right to rectification under [[Article 16 GDPR|Article 16 GDPR.]] | The data subject complained to the Maltese DPA that the controller's refusal to corrrect her personal data breached her right to rectification under [[Article 16 GDPR|Article 16 GDPR.]] | ||
=== Holding === | === Holding === | ||
The DPA upheld the complaint and ordered the controller to rectify the data subject's record within 20 days. | The DPA upheld the complaint and ordered the controller to rectify the data subject's record within 20 days. | ||
The DPA notes that under a strict interpretation of [[Article 16 GDPR|Article 16 GDPR,]] it is unclear that the controller would be bound to correct the data. The GDPR does not define the terms 'inaccurate' and 'incomplete' data. Moreover, the data which the data subject was seeking to rectify relates to information which she knowingly provided wrongly to the controller at the time of applying for international protection in Malta. The DPA decided that this makes the data accurate because it reflects the data which the data subject submitted at the time. | |||
However, the DPA interpreted [[Article 16 GDPR|Article 16]] in a broad sense in conjunction with the accuracy and accountability principles found in [[Article 5 GDPR|Article 5(1)(d) GDPR]] and [[Article 5 GDPR|Article 5(2) GDPR,]] respectively. The controller bears the responsibility of maintaining up-to-date data and proving compliance with this obligation. As a result, the controller needs to have policies in place to verify the accuracy of the data submitted during an application. | However, the DPA interpreted [[Article 16 GDPR|Article 16]] in a broad sense in conjunction with the accuracy and accountability principles found in [[Article 5 GDPR|Article 5(1)(d) GDPR]] and [[Article 5 GDPR|Article 5(2) GDPR,]] respectively. The controller bears the responsibility of maintaining up-to-date data and proving compliance with this obligation. As a result, the controller needs to have policies in place to verify the accuracy of the data submitted during an application. The controller did not only fail to verify the data but also had no procedures in place to do so.<ref>An example of an adequate policy, according to the DPA, would be an internal note by the controller attesting to the applicant's verification of the data against official sources. </ref> Therefore, the controller was legally required to make the necessary corrections, particularly after the data subject provided sufficient evidence for the controller to verify the accuracy of her personal information. | ||
== Comment == | == Comment == |
Latest revision as of 14:50, 6 December 2023
IDPC - CDP_COMP_583_2022 | |
---|---|
Authority: | IDPC (Malta) |
Jurisdiction: | Malta |
Relevant Law: | Article 16 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | CDP_COMP_583_2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | CDP_COMP_583_2022 (in EN) |
Initial Contributor: | sh |
The Maltese DPA ordered a controller to rectify a record for international protection under Article 16 GDPR.
English Summary
Facts
In 2016 the data subject gave Maltese authorities (the controller) false information about her spouse's identity and stated that their traditional marriage, not their civil marriage, was the date of their marriage for security purposes.
In 2022, The data subject informally requested a correction to her name and marriage date, which was denied. The data subject tried again formally, explaining her situation and supplying her marriage certificate, which showed the correct details for her spouse and marriage date. This was again rejected by the controller on the grounds that it was the data subjects' responsibility to ensure that her information was correct when filling out the forms. Moreover, the controller argued that they were under no legal obligation to change this data. This was not simply an issue of "correcting details", but would require a complete change in the personal details of her alleged husband.
The data subject complained to the Maltese DPA that the controller's refusal to corrrect her personal data breached her right to rectification under Article 16 GDPR.
Holding
The DPA upheld the complaint and ordered the controller to rectify the data subject's record within 20 days.
The DPA notes that under a strict interpretation of Article 16 GDPR, it is unclear that the controller would be bound to correct the data. The GDPR does not define the terms 'inaccurate' and 'incomplete' data. Moreover, the data which the data subject was seeking to rectify relates to information which she knowingly provided wrongly to the controller at the time of applying for international protection in Malta. The DPA decided that this makes the data accurate because it reflects the data which the data subject submitted at the time.
However, the DPA interpreted Article 16 in a broad sense in conjunction with the accuracy and accountability principles found in Article 5(1)(d) GDPR and Article 5(2) GDPR, respectively. The controller bears the responsibility of maintaining up-to-date data and proving compliance with this obligation. As a result, the controller needs to have policies in place to verify the accuracy of the data submitted during an application. The controller did not only fail to verify the data but also had no procedures in place to do so.[1] Therefore, the controller was legally required to make the necessary corrections, particularly after the data subject provided sufficient evidence for the controller to verify the accuracy of her personal information.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Idpc. Information and Data Protection Commissioner CDP/COMP/583/2022 vs COMPLAINT 1. On the 22"4 December 2022, es brough her legal counsel (the “complainant” or the “data subject”) lodged a complaint with the Information and Data Protection Commissioner (the “Commissioner”) pursuant to article 77(1) of the General Data Protection Regulation! (the “Regulation” or the “GDPR”), alleging that the x (the or the “controller”) has refused to rectify her personal data without any valid legal reason, and therefore the ME “has breached my client’s right to rectification as provided for in article 16 of the General Data Protection Regulation”. FACTS OF THE CASE 2. For the purpose of this complaint, the Commissioner assessed the relevant facts surrounding the complaint: Summary of Events ' Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. Page 1 of 13 that the complainant is a beneficiary of subsidiary protection; that upon her arrival to Malta, the complainant had given the authorities a different name to that of her spouse for security purposes. Moreover, the date of marriage listed in the records of the JJ relates to the date of their traditional marriage, rather than that of their civil marriage being the 4 January 2015; that the complainant had previously made an informal request in order to amend the above-mentioned details on her documents, however, she was never given the opportunity to explain her situation, and her request was consequently turned down; that following this, an email was sent to the J from her lawyer in order to formally request the authorisation of the fC] to amend the marital information retained by the same Jj. Together with the email, the Jj was provided with the public marnage certificate showing the correct details for her spouse and containing the correct marriage date. The complainant confirmed that the spouse was willing to provide a DNA test if the Jj has any further doubts regarding the family relationship; that the i rejected the complainant’s request stating that the complainant’s “sole responsibility to ensure that the details submitted to this Jj when lodging her application for international protection on 15/06/2016 were correct. In this regard, it should be noted that she was given the services of an interpreter to ensure proper communication, and that the application form was duly re-read to her prior signing to ensure that the information contained therein was indeed correct’; and that in this regard, the complainant submitted a complaint on the basis that by refusing to change the above-mentioned personal information on the complainant’s documentation, without any valid legal basis, the JJ has breached her right to rectification as provided for in article 16 of the Regulation. Page 2 of 13 INVESTIGATION Request for submissions 3. Pursuant to article 58(1)(a) of the Regulation, the Commissioner provided the (Si with a copy of the complaint, including the documentation attached thereto, and requested it to put forward its submissions in order to defend itself against the allegations raised by the complainant. By means of an email dated the 15" February 2023, the J submitted the following principal arguments for the Commissioner to consider in the legal analysis of the case: a. that when the complainant applied for international protection in Malta back in 2016, she was duly informed of her obligation to provide this Jj with all the information at her disposal as per the following: “/o/bliged to cooperate with the a ns with a view to establishing his identity and other elements referred to in the Act and in these regulations’, b. that the complainant was informed of this obligation, when filling in her application form, and nonetheless she provided a completely different name to that of her alleged husband. Furthermore, the same details were reconfirmed by the complainant during her personal interview; c. that the Jj noted that despite the fact that the complainant was married when she lodged her application for international protection, she did not present her marriage certificate, or any other document attesting to her marriage, at the time of the application. Indeed, the J further noted that the complainant only submitted her marriage certificate six (6) years later when she decided to file a request to change the details, she had originally submitted to the [J vis-a-vis her spouse during the asylum procedure; > Article 13 of the Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on common procedures for granting and withdrawing international protection (recast), and Article 4(3)(a) of Chapter 420.7 of the Laws of Malta. Page 3 of 13 d. that the jj remarked that this is not simply an issue of ‘correcting details’, but rather a complete change in the personal details of her alleged husband, including his name and surname. In connection with this, the Jj submitted that such a request does not simply entail a slight modification in the details as originally declared by the complainant during the asylum procedure, but rather a complete change, as there are no similarities whatsoever with the initial data provided to the I: e. that the J noted a gap with respect to her marriage date. Specifically, when the complainant was asked about her marriage details both at registration, lodging her application and at interview stage, she allegedly provided incorrect dates in both instances. In this regard, the JJ is of the opinion that the complainant, could have easily highlighted the difference between her traditional marriage and her civil marriage when she was questioned during her personal interview, which took place a month after the lodging of her application; f. that the JJ also highlighted the fact that the complainant “trusted the enough to apply for international protection in Malta. She come forth with the reasons why she was in need of international protection, including the situation of her alleged husband in QJ however, she allegedly did not trust he 7: enough to provide the correct personal details of her alleged husband for fear that something might happen to him in J. Therefore, she trusted the Jj with assessing her application for international protection but knowingly provided wrong information, all while being well aware of the fact that the] is legally bound by the principle of confidentiality”; and g. that the J submitted that the complainant was granted subsidiary protection status back in 2016; however, she only submitted this request six (6) years after, in 2022. The I remarked that this delay is significant and cannot simply be overlooked considering all the available opportunities she had to provide the correct details pertaining to her spouse and marriage. Page 4 of 13 On the 16" February 2023, the Commissioner provided the complainant with the opportunity to rebut the arguments made by the [jg On the 1S March 2023, the complainant through her legal counsel, rebutted the arguments made by the controller and submitted the following principal arguments: a. that the complainant has a right to the rectification of inaccurate data and the MH. 2s a controller of personal data, has an obligation to ensure that personal data held by it is accurate. Furthermore, the complainant noted that the ay failed to inform the complainant of her right to lodge a complaint; b. that personal data should be processed in accordance with the data protection laws and policies to preserve the right to privacy of a data subject. The right to data protection concerns the safeguarding of a person’s fundamental human rights in connection with the right to a private and family life as enshrined in the Universal Declaration of Human Rights and as also enshrined in the EU Charter of Fundamental Rights and the Treaty on the Functioning of the European Union, which give effect to individuals’ right to privacy by providing them with control over the way information about them is collected and used; c. that it is hence important to note that the principles enshrined in the Regulationshould be applied to asylum seekers, persons with subsidiary status and refugees in the same manner as it would be applied to European nationals; d. that Chapter III of the Regulation provides a list of rights which data subjects may exercise regarding their personal data. The Regulation specifically provides data subjects with the right to obtain from the controllers, without undue delay, the rectification of inaccurate personal data concerning them. The right of rectification is an important complement to the right of access and is essential for maintaining a high level of data quality; e. that the complainant explicitly requested the J to rectify the marital information which is retained by the same J With her request, the Page 5 of 13 lOpc. complainant included documentation which clearly proved that the data which was held by the J was inaccurate; that the complainant explained that upon lodging her application for international protection, she had not given the correct information of her spouse, due to security reasons, since her husband was still in Jj and so she feared that by providing his real name to the J her husband would be in trouble in his country of origin. Therefore, the complainant felt that she could not reach out to the aaa before since she was afraid of the consequences of having her spouses’ name disclosed; that moreover, when she was asked to provide their date of marriage, she provided the date of their religious wedding rather than the date of their civil marriage. Since their civil marriage is the one which is recognised in Malta, the date of their marriage on her documentation should be amended. By reviewing the documentation provided by the complainant, including the official public marriage certificate, the Jj was provided with sufficient information in order to easily ascertain that the personal data that it held was inaccurate; that the JJ stated that the right to rectification should not be adhered to since the complainant is requesting the complete change in personal details in relation to her husband, and not merely a slight modification, such as the request to change one or two letters. In this regard, it should be noted that the right to rectification as expounded in the Regulation does not state that the rectification must be limited to a slight modification in details; that the complainant referred to article 5(1)(d) and article 5(2) of the Regulation, and noted that the controller is responsible for ensuring that the data processed is accurate and updated when necessary; that when a request for the rectification of data is made by a data subject, the controller must evaluate whether the data in question is incomplete or inaccurate Page 6 of 13 Ipc. with regard to the purposes of processing. In this case, the BS did not oppose the claim that the data held by it is inaccurate, but merely stated that the data subject is responsible for ensuring that the personal data provided is accurate, this in spite of the obligations and responsibilities placed on the data controller by the relevant data protection laws; that the controller shall facilitate the exercise of data subject rights under Articles 15 to 22 of the Regulation. In the cases referred to in Article 11(2) of the Regulation, the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22 of the Regulation, unless the controller demonstrates that it is not in a position to identify the data subject; that according to article 12 of the Regulation, if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. In this regard, the a. in its reply merely stated that it ‘will not be taking any further cognisance of other requests [the complainant] might submit in relation to this matter’. 5. In line with the Office’s complaint-handling procedure, the Commissioner provided the Sa with the final opportunity to rebut the arguments made by the complainant. In this regard, on the 20" March 2023, the controller submitted its reply and highlighted the following salient arguments: a. that the complainant had a legal obligation to co-operate with the =| throughout the asylum procedure, including with a view to establish her identity; that the JJ noted that as an applicant for international protection, it was the complainant’s sole responsibility to ensure that the details submitted to the aaa throughout the asylum procedure, including when filling-in her application form and during the personal interview, were correct; Page 7 of 13 c, that the J stressed that, provided it is true that the original details submitted by the complainant are incorrect, this means that when filling in her application form for international protection, the complainant was fully aware of the fact that she was not providing the details of her real husband. Indeed, this would entail that she purposefully provided wrong information to the J, allegedly due to concerns for the safety of her husband in yyy that the J reiterates that it is inconceivable that while the complainant trusted the [MJ with assessing her application for international protection, she allegedly did not trust the J enough to comply with her legal obligations and provide the correct personal details of her alleged husband, all while being well aware of the fact that the Jj is legally bound by the principle of confidentiality. Moreover, the J noted that even after her alleged husband was no longer in J, it took the complainant a total of six (6) years before she finally decided to approach the Jj to request a rectification of the details provided. The same applies with respect to her marriage date, which is also allegedly incorrect; that the J is well aware of the data protection legislation and the obligations that emanate from this legal framework. Indeed, the Jj does not dispute that the Regulation should be applied to asylum seekers, persons with subsidiary status and refugees in the same manner as it would be applied to European nationals; that the IMJ applied article 16 of the Regulation, which stipulates that data subjects have the right to obtain from the controllers, without undue delay, the rectification of inaccurate personal data concerning them. However, the J noted that the complainant, provided completely different details vis-a-vis her alleged husband, as well as a different marriage date. Therefore, it is amply clear that this is not simply a matter of ‘correcting details’, but of completely changing the details provided to this j- Moreover, the J noted that considering the nature of the request, it is possible, that the complainant was indeed married to the man she provided details of. Hence why, as already highlighted by the [, Page 8 of 13 requests for rectifications require an understanding of the personal circumstances as well as their legal weight; that by the standard of the complainant’s request, everyone has a right to change details, which were knowingly incorrect, there is an automatic acceptance that deception of the authorities is veiled by data protection legislation, which in the opinion of the a] goes against the spirit of the Regulation. Therefore, the BM opines that while data subjects have the right to request the rectification of inaccurate personal data concerning them, there are strong legal responsibilities attached to the information provided throughout the asylum procedure; that the =e further noted that “the complainant is incorrect to quote the following “has no legal obligation whatsoever to process change of details requests, and that these requests are ultimately being carried out ex-gratia thereby completely ignoring the obligations of a data controller as set forth in Regulation(EU) 2016/679”. The original request submitted by the complainant, was not a request for rectification as per GDPR regulations, consequently, the IPA was not ignoring its obligations as a data controller as set forth in Regulation (EU) 2016/679. Therefore, the complainant’s submissions provide a tweaked account of the request submitted by a) who at that point was not considered as a complainant. As a result, the disputes the complainant’s assertion that IPA did not ‘inform the complainant, of the possibility of lodging a complaint with the Office of the Information and Data Protection Commissioner or that the complainant could seek judicial redress. If the complainant’s request for rectification was filed in terms of GDPR regulations, hs m7 would have complied with article 12 of the regulation and informed the complainant accordingly”; LEGAL ANALYSIS AND DECISION 6. For the purpose of the investigation of this complaint, the Commissioner proceeded to assess the request of the complainant, wherein she requested the controller to rectify Page 9 of 13 her personal data in terms of article 16 of the Regulation (annexed and marked as ‘Doc. IDPC 1’). By means of an email dated the 28" October 2022, the controller informed the complainant that her request could not be met because it was her sole responsibility “to ensure that the details submitted to this BE wher lodging her application for international protection on 15/06/2016 were correct. In this regard, it should be noted that she was given the services of an interpreter to ensure proper communication, and that the application form was duly re-read to her prior signing to ensure that the information contained therein was indeed correct” (annexed and marked as ‘Doc. IDPC 27’). 7. The Commissioner examined the complaint submitted in terms of article 77(1) of the Regulation, wherein the complainant confirmed that she had knowingly provided incorrect data to the controller upon applying for international protection in Malta, back in 2016. The complainant held that “/u/pon arrival into Malta J had given the authorities a different name to that of her spouse for security purposes, as she feared that he would be sought out. Moreover, the date of marriage listed in the records of the: _[ee (he GE) relates to their traditional marriage, rather than that of their civil marriage being the 4" of January 2015” [emphasis has been added]. 8. In the submissions dated the 14" February 2023, the controller provided that the personal data pertaining to the complainant were collected for the purpose of processing her application form for international protection. It therefore follows that the processing activity, which is being contested by means of this complaint, refers to personal data which the controller collected directly from the data subject. 9. In this regard, the Commissioner assessed the right to rectification as provided by article 16 of the Regulation, which provides that the “data subject shall have the right to obtain jrom the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement ”. Page 10 of 13 10. The Commissioner emphasises that the right to rectification is a key aspect of the 11. 13. fundamental right to data protection, which is recognised in article 8(2) of the Charter of Fundamental Rights of the European Union. Within this context, article 16 of the Regulation provides for the right to rectify inaccurate data and the right to complete incomplete data. Where the data is deemed to be incomplete, the data subject shall have the right to have incomplete data completed, by adding new elements instead of correcting existing data, and this could be done by means of a providing a supplementary statement. The law does not define the terms “inaccurate” and “incomplete”, however, the Court of Justice of the European Union (the “CJEU”) sheds further light on this by providing that the accuracy and completeness of the personal data have to be determined based on the purpose of the processing activity conducted by the controller. The judgment ‘Peter Nowak vs Data Protection Commissioner’ provided that “fi]s apparent from Article 6(1)(d) of Directive 95/46 that the assessment of whether personal data is accurate and complete must be made in the light of the purpose for which that data was collected”? . After examining the circumstances of the case and in light of the purpose for which the data were collected by the controller, the Commissioner established that the data which the complainant is seeking to rectify relate to information which she knowingly provided wrong to the controller at the time of applying for international protection in Malta. Thus, the data recorded by the controller in relation to the processing of her application form, is in itself accurate because it reflects the information which the complainant submitted to the controller by means of the application form dated the 15" June 2016. Nonetheless, the controller should not ignore the fact that it is responsible for keeping the data up-to-date, and thus, the controller should take every reasonable step to ensure respect of the accuracy principle as set forth in article 5(1)(d) of the Regulation. In this 3 Court of Justice of the European Union, Peter Nowak vs Data Protection Commissioner (Case C-434/16),decided on the 20" December 2017, para. 53 Page 11 of 13 regard, the Commissioner emphasises that the controller should effectively demonstrate in terms of article 5(2) of the Regulation that the data are kept updated and accurate. 14. The Commissioner emphasises that it is incumbent on the controller to ensure that the necessary procedures are in place to actually verify and ascertain that, in practice, any information provided by an individual during the application process for international protection is indeed verified against official documentation. The verification process does not necessarily require the retention of actual documents, unless this clearly derives from a law to which the controller is subject, but an internal note demonstrating that the data provided by the applicant has been verified against official sources should suffice. 15. Thus, the reply provided by the controller in relation to the request for rectification, specifically, that it “has no legal obligation whatsoever to process change of details requests, and that these requests are ultimately being carried out ex-gratia” is legally incorrect [emphasis has been added]. In fact, the Commissioner emphasises that the controller does indeed have a legal obligation to ensure compliance with the data protection law, especially, after considering that the complainant had submitted sufficient evidence to enable the controller to verify the accuracy of her personal data. Furthermore, the CJEU had confirmed that it is the controller who shall bear the responsibility to ensure compliance with its obligations regarding the quality of the data. The CJEU stated that “the principles of protection must be reflected, on the one hand, in the obligations imposed on persons responsible for processing, in particular regarding data quality“ [emphasis has been added]. Within this context, ‘data quality’ refers to the requirement incumbent upon the controller to ensure that the data processed by the controller are kept accurate, complete, and up to date. On the basis of the foregoing considerations, and after having taken into account the specific circumstances of the complainant at the time of applying for international protection, the Commissioner hereby decides that the controller infringed article 16 of 4 Court of Justice of the European Union, College van burgemeester en wethouders van Rotterdam vs M.E.E. Rijkeboer (Case C-553/07), decided on the 7" May 2009, para. 48. Page 12 of 13 the Regulation when it failed to comply with the request made by the complainant to rectify her personal data. Pursuant to article 58(2)(c) of the Regulation, the Commissioner is ordering the controller to rectify the complainant’s record and take the necessary internal measures accordingly. This shall be without prejudice to the possibility of the controller to retain the original information as provided by the complainant given that such record reflects a true representation of such information, which the controller processed at the time of granting the international protection status. The aforementioned order shall be complied without undue delay and by no later than twenty (20) days from receipt of this legally-binding decision and confirmation of the action taken shall be notified to the Commissioner immediately thereafter. lan Digitally signed by lan DEGUARA DEGUARA (Signature) Date: 2023.05.22 (Signature) 56.35.50 +02'00 Ian Deguara Information and Data Protection Commissioner Page 13 of 13
- ↑ An example of an adequate policy, according to the DPA, would be an internal note by the controller attesting to the applicant's verification of the data against official sources.