Commissioner (Cyprus) - 11.17.001.009.232
Revision as of 08:18, 30 January 2024
| Commissioner - 11.17.001.009.232 | |
|---|---|
| Authority: | Commissioner (Cyprus) |
| Jurisdiction: | Cyprus |
| Relevant Law: | Article 12(3) GDPR; Article 17 GDPR; Article 24(1) GDPR; Article 58(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 18.09.2021 |
| Decided: | 07.09.2023 |
| Published: | 24.01.2024 |
| Fine: | n/a |
| Parties: | Freedom Finance Europe Ltd |
| National Case Number/Name: | 11.17.001.009.232 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | English |
| Original Source: | Commissioner for Personal Data Protection (in EN) |
| Initial Contributor: | nikolaos.konstantis |
The Commissioner for Personal Data Protection held that a controller must notify the data subject of the action taken on an erasure request in a clear and concise manner and without undue delay, and must have appropriate measures in place to make this possible, such as training staff to handle GDPR requests in a timely manner.
English Summary
Facts
A data subject requested the deletion of her data from Freedom Finance Germany TT GmbH, a subsidiary of Freedom Finance Europe Ltd. She never received a reply and requested the erasure of her data a second time. She then filed a complaint with the German supervisory authority (the Berlin SA) against Freedom Finance Europe Ltd for failing to comply with her right to erasure. Because the company has its main establishment in Cyprus, the Commissioner for Personal Data Protection took over the investigation of the complaint as lead authority. The company replied that the complainant's erasure request had not been sent to the appropriate email address of the DPO, and that the data was deleted immediately upon receipt of the letter from the Berlin SA.
Holding
The DPA held that the notification that an erasure request has been satisfied must be transmitted to the data subject in a clear and concise manner, and that the controller should have had appropriate measures in place to satisfy at least the data subject rights set out in Articles 15 to 22 GDPR. The DPA therefore issued a reprimand to the company.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Our ref.: 11.17.001.009.232

7 September 2023

Decision

Failure to Fully Comply with an Erasure Request by Freedom Finance Europe Ltd

1. A complaint was lodged with the Federal Commissioner for Data Protection and Freedom of Information in Germany (Berlin SA) against Freedom Finance Europe Ltd (the Controller), whose main establishment is in Cyprus. Moreover, the complaint was subsequently transmitted to the Office of the Commissioner for Personal Data Protection (Cyprus SA) on 18/9/2021, in line with Article 56 of the General Data Protection Regulation.

2. On the basis of the above, the Commissioner for Personal Data Protection (the Commissioner) is acting as the lead authority in this matter. In the course of the investigation, other EU countries were identified as being concerned by this case.

Description of the case

3.1. The complaint involved the Controller’s failure to comply with the complainant’s erasure request (Article 17 of the GDPR) submitted to Freedom Finance Germany TT GmbH in Germany, which is a subsidiary of the Controller.

3.2. In her complaint, the complainant stated that she initiated a registration process through the Controller’s webpage (https://freedomfinance.eu/), but did not complete the verification required. Following this, she sent an email on 26/01/2021 to clients@freedom24.com requesting the deletion of her data.

3.3. On 10/02/2021 she sent a reminder to the same email address, and on 15/2/2021 she got a reply from an investment consultant of Freedom Finance Germany TT GmbH, informing her that the verification process was not completed and asking her whether she needed any assistance. She replied back the same day, requesting again the deletion of her data, together with a corresponding email confirmation. As she claims, she never got a reply.

3.4. Upon receiving the complaint, the Berlin SA requested the views of the subsidiary in Germany on 22/6/2021. The Berlin SA received a reply from the subsidiary on 22/07/2021, through which they were informed of the following:

a) the complainant’s emails were lost, and therefore not answered, due to the abundance of communication via the email address clients@freedom24.com;

b) the complainant’s personal data that were processed were her name and email address;

c) the data were processed for the purpose of opening a demo account, and by opening a demo account the data subject agreed to the Controller’s General Terms and Conditions and consequently to the data processing;

d) the complainant’s data was deleted immediately upon receipt of the Berlin SA’s letter;

e) the complainant’s erasure request was not sent to the appropriate email address. More specifically, the email address clients@freedom24.com is used for initial customer communication, to which the DPO does not have access. Additionally, data protection enquiries should be sent to the email address info@ffineu.eu or to the DPO’s direct email address dpo@ffineu.eu, as is clearly stated in the Privacy Policy.

Investigation by Cyprus SA

4.1. The Commissioner’s Office contacted the Controller on 19/4/2022 and requested their views on the matter raised by the complainant, as well as proof that the complainant’s personal data had been deleted.

4.2. In their reply, the Controller confirmed that the complainant’s personal data was deleted on 25/6/2021 and provided proof in the form of a screenshot from the relevant database, which was deemed satisfactory. The Controller also provided the relevant email communication in which the complainant was informed of the erasure. It is noted that the email was dated 25/4/2022, i.e. after the reception of the email from the Commissioner’s Office.

4.3. The privacy policy, which can be found on the Controller’s website, clearly states the appropriate email to be used for data protection matters. Despite this, the complainant sent her requests to an email that is used for initial customer communication and receives a large number of emails daily.

Preliminary Decision

5. On 31 May 2023, the Commissioner issued a Preliminary Decision regarding the controller’s failure to notify the complainant of the erasure of his data. In the said Preliminary Decision, the Commissioner concluded that:

a. Although it is evident that the controller did not have any intention of not satisfying the complainant’s request, the controller did not notify the complainant of the erasure of his data within the timeframe set in Article 12(3) GDPR.

b. The Controller should have implemented appropriate technical and organizational measures to ensure that all emails received by employees relating to data subject rights are acknowledged without further delay, in accordance with Article 24(1) GDPR.

6. The controller’s legal representative responded on 26 June 2023 to the Preliminary Decision and stated, inter alia, that:

a. The personal data concerned only included the name and email address of the complainant and was not submitted to further processing other than the initial registration.

b. Instead of sending his request to the email addresses mentioned in the privacy policy, the complainant used the German subsidiary's email address clients@freedom24.com along with the personal email of one of the employees of the German subsidiary.

c. With the deletion of said data the complainant did not have access to his profile; thus it can reasonably be assumed that the controller provided the complainant with a clear message that the data was deleted.

d. The inadvertent mistake of the employees of the German subsidiary lies in not forwarding the deletion request to the relevant employees in time.

7. In addition to the above, the controller’s legal representative included the following mitigating factors to be taken into account by the Commissioner:

a. The nature, gravity and duration of the breach, taking into account the nature, extent or purpose of the relevant processing, as well as the number of data subjects affected by the breach and the degree of damage suffered by them.

b. The absence of any element that implies bad intentions from the controller towards the complainant.

c. The absence of any precedent at the expense of the controller.

d. The absence of any benefit ultimately derived by the controller from the alleged infringement.

e. The immediate compliance with the complainant’s request once received from a non-generic corporate e-mail.

f. The non-notification of the action to the complainant was an isolated event and, in the light of the company's experience, the procedure has now been modified, as the Commissioner states in her letter, to prevent it from happening again.

g. The full cooperation with the competent Control Authority to remedy the violation and limit its possible adverse effects.

h. The intention of compliance by immediately improving the company's regulations in order to prevent a recurrence of the incident.

Legal framework

8.1. Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject. Pursuant to Article 12(3) of the GDPR: The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

8.2. Article 17: Right to erasure (‘right to be forgotten’): “1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). …”

8.3. Pursuant to Article 24(1) of the GDPR: Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

8.4. Pursuant to Article 58(2) GDPR: Each supervisory authority shall have all of the following corrective powers: … (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; … (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case.

Views of the Commissioner

9. Firstly, following the controller’s claim in paragraph 6(c), I consider that it cannot be assumed that the inability of the complainant to sign in to this account is considered as a notification that his erasure request was satisfied. Furthermore, the information provided following Article 12(3) GDPR should be transmitted in a clear and concise manner.

10. After reviewing the information provided by the controller’s legal representative in their response to my Preliminary Decision, specifically the fact that the controller appreciates that there was a lack of appropriate attention to the complainant’s request, I consider that the controller understands that the request could have been satisfied from the first instance if the support staff had been properly trained in tackling GDPR requests in a timely manner. I also consider that the controller did not intend to act in a way that would negatively affect the complainant’s rights and freedoms.

11. Despite this, considering that the GDPR had been enforced for more than 2 years at the time of the complainant’s first erasure request, the controller should have had the appropriate measures in place for at least satisfying data subject rights set out in Articles 15 to 22 of the GDPR. Moreover, the complainant should have been informed of the satisfaction of his request without delay.

Decision

12. Having regard to all the above information, and based on the powers vested in me by Articles 58 and 83 of Regulation (EU) 2016/679 and Article 24(b) of National Law 125(I)/2018, I conclude that there is an infringement by Freedom Finance Europe Ltd of Articles 12(3) and 24(1) of the GDPR, for the reasons mentioned above.

13. Moreover, following an infringement of Articles 12(3) and 24(1) GDPR, as explained above, under the provisions of Article 83 of the GDPR, I take into account the following mitigating (1-3) and aggravating (4-6) factors:

1. That there is no previous violation by the controller of the GDPR.

2. The controller satisfied the erasure request as soon as the mistake was realised.

3. The measures taken after the incident to ensure that all staff are appropriately trained in handling GDPR matters.

4. The controller only became aware of the erasure request after being notified of the complaint by the Berlin SA.

5. The complainant’s request was not satisfied within the legal timeframe.

6. The lack of appropriate procedures and measures for handling data subject rights at the time of the request.

14. In view of the above and on the basis of the powers conferred on me by the provisions of subparagraph (b) of paragraph (2) of Article 58 of the GDPR, I have decided to issue a reprimand to Freedom Finance Europe Ltd for the infringement mentioned in paragraph 12 above. In the event of a recurrence of a similar infringement within 12 months from today, this Decision may be counted against the company.

Irene Loizidou Nicolaidou
Commissioner for Personal Data Protection