Commissioner (Cyprus) - 11.17.001.011.218
Revision as of 13:48, 18 December 2024
Commissioner - 11.17.001.011.218 | |
---|---|
Authority: | Commissioner (Cyprus) |
Jurisdiction: | Cyprus |
Relevant Law: | Article 6(1)(f) GDPR Article 12(3) GDPR Article 17 GDPR Article 31 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 04.09.2024 |
Published: | |
Fine: | 3000 EUR |
Parties: | Senira Ltd. |
National Case Number/Name: | 11.17.001.011.218 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Commissioner (in EN) |
Initial Contributor: | la |
The DPA fined a controller €3,000 for failing to comply with data subjects' requests for erasure and for not responding on time to a request by the DPA under Article 31 GDPR.
English Summary
Facts
The decision of the Cyprus DPA was based on two complaints regarding the platform nicelocal.com (the controller).
Data subject 1 is from Germany and runs a local one-person business. An entry on the controller’s platform containing personal data was published without her knowledge. Data subject 1 then contacted the controller requesting the immediate removal of the entry under Article 17 GDPR. Having received no feedback from the controller, data subject 1 filed a complaint with the Sachsen-Anhalt DPA in Germany.
Data subject 2 is from Poland and also runs a local business. The controller created an unsolicited profile containing personal data such as his name, photos of premises, as well as unverified reviews. Data subject 2 likewise requested the deletion of that profile and the erasure of all personal data it contained. He received an automated message that his request was in progress. However, only the photos of the premises were removed and the profile remained online. Data subject 2 also claimed that the controller’s platform falsely indicated that his business was closed. Data subject 2 then filed a complaint with the Polish DPA.
After the Cyprus DPA initiated proceedings, the controller failed to meet a deadline the DPA had set for a reply.
Subsequently, the controller complied with the requests for the erasure of data.
Holding
The Cypriot DPA held that information regarding one-person businesses can also be personal data where they allow the identification of a natural person. This was the case in the present two complaints as the information was referring to the data subjects as individuals. The collection and publication of the said information constituted processing activities.
The controller did not take action within the one-month period under Article 12(3) GDPR. Furthermore, it failed to comply with a request by the DPA to provide information on, inter alia, how exactly the system handling the requests worked and which safeguards were applied. Thus, the controller also violated Article 31 GDPR.
Regarding the processing itself, the DPA held that the controller could rely on Article 6(1)(f) GDPR because, inter alia, the personal data in question was originally made public by the data subjects themselves and therefore there could be no harm to the data subjects as the data was already public before.
Therefore, the DPA issued a reprimand for the infringement of Article 12(3) GDPR and a fine of €3,000 under Article 83 GDPR for the infringement of Article 31 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Our ref.: 11.17.001.011.218
11.17.001.012.012
4 September 2024
Decision
Investigation of complaints against the company Senira Limited under the General Data Protection Regulation (GDPR)
I refer to the investigation of two complaints against the company SENIRA LIMITED (hereinafter, the “Controller”), which operates the website www.nicelocal.com (hereinafter, the “website”).
Description of the complaints
2.1. The first complaint was lodged in Germany, and is related to the Controller’s failure to respond to a data subject request to erase their personal data. More specifically, the complaint concerns an entry published on the website www.nicelocal.com.de. The said entry contains personal data about the complainant (complainant 1) running a clothing tailoring service as a natural person (https://nicelocal.com.de/sachsen-anhalt/utility_service/n_design_nancy_beer/), and was published without the complainant’s knowledge and against her will.
2.2. Complainant 1 contacted the Controller on 22/08/2023, by sending an email to the email addresses legal@nicelocal.com and content@nicelocal.com, requesting the immediate deletion of her personal data, as her legal right to erasure under Article 17 of the GDPR. On 11/09/2023 the complainant repeated her request by sending an email to privacy@nicelocal.com, which is the email address provided by the Controller to the public for matters related to personal data protection.
2.3. On 12/10/2023, complainant 1 informed the Supervisory Authority in Germany that she received no feedback from the Controller. Moreover, she claimed that the option “Request Removal of Content” which is available on the homepage of the website was not working.
3.1. The second complaint was lodged in Poland. The complainant (complainant 2) is a natural person, with a sole proprietorship under the name: XXX. According to complainant 2, a profile of his business was created in the website nicelocal.co.pl, containing his name, photos of premises (most likely taken from google maps) and unverified reviews. The profile was created without his consent or knowledge.
3.2. On 21/06/2023, complainant 2 requested the deletion of the aforementioned profile from the website (via content@nicelocal.com) and erasure of all the data contained therein. On the same day, he received an automated message informing him that his request was in progress. Despite the above, the entire profile remained, and only photos of the premises were removed. Also, the complainant claims that the following false information was contained in the profile: "Unfortunately, this place has been closed", which worked to his detriment as a businessman.
3.3. On 9/12/2023 complainant 2 repeated his request and received again the same automated message, without however any success, since the relevant profile and all his personal data remained in the website.
4. On the basis of the Registrar of Companies in Cyprus, the Controller is registered in Cyprus, under registration no. ΗΕ 429529, and the address stated at the Registrar of Companies is Floor 3&4 M. KYPRIANOU HOUSE, Gladstonos, 116, 3032, Lemesos, Cyprus. On the basis of the above, the Commissioner for Personal Data Protection in Cyprus (hereinafter, the “Commissioner”) is acting as the lead authority in this matter.
Investigation by the Commissioner
5.1. On 30/11/2023 the Commissioner’s Office contacted the Controller as regards to the first complaint, requesting the latter’s views and position on the same, the reason why the automated option “Request Removal of Content” was not working, and where was the personal data collected from and what is the legal basis and purpose for the relevant processing.
5.2. In its reply, dated 20/12/2023, the Controller stated the following:
i. They use a specially designed software to handle requests of this type received via email at privacy@nicelocal.com and legal@nicelocal.com.
ii. The option “Request Removal of Content” is placed at the bottom of each page and their team process requests after receiving them through a feedback form. They confirm that the said form works as expected.
iii. Data regarding the business “N/Design Nancy Beer” were collected from an open public source, namely Google. The Controller stated that the ground of processing is the fact that data comes from a publicly available source. Moreover, they stated that the data in question includes no special categories of data, stands for the public interest and helps business to grow by obtaining new clients on the web.
iv. Upon receipt of the Commissioner’s letter, the Controller initiated a thorough investigation into the matter. They carefully reviewed the evidence provided, and they confirmed that they deleted the webpage https://en.nicelocal.com.de/sachsen-anhalt/utility_service/n_design_nancy_beer/.
v. The controller informed the Commissioner that they would carry out additional work to analyze the causes of what happened with the software algorithms.
5.3. The Commissioner confirmed through a relevant check that the personal data of complainant 1 had been deleted. Notwithstanding the above, the Commissioner considered that further information was required as regards to the way the system that handles the relevant request operates, and the safeguards and actions/measure taken by the controller in line with the GDPR. Moreover, the controller in its response failed to provide a valid legal basis, and the relevant purpose as to the processing of personal data. To that end, and as part of the investigation of the first complaint, a second letter was sent to the controller on 05/01/2024.
5.4. The controller failed to respond within the deadline specified in the aforementioned letter of the Commissioner, i.e. by the 25 of January 2024. In the meantime, the Commissioner’s Office received the second complaint described in paragraphs 3.1.-3.3. above.
5.5. On 05/02/2024 the Commissioner sent another letter to the Controller, requesting a response to the letter dated 05/01/2024, informing them about the second complaint and requesting their views on the same.
5.6. The Controller once again missed the deadline, and a reminder was sent by the Commissioner’s Office on 06/03/2024. The Controller’s response dated 07/03/2024 was the following:
“First and foremost, I would like to express my utmost respect as we value the importance of maintaining a positive business environment, and we strive to ensure that our client’s and user’s data are under protection and control. Therefore, we appreciate your bringing this matter to our attention so that we may address it appropriately.
We use a specially designed software to handle these types of requests. Unfortunately, this case shows that we still have room for an improvement. Upon receipt of your letter, we initiated a thorough investigation into the matter. We have carefully reviewed the evidence provided, and we can confirm that at the date of this letter the webpage has been deleted. We will carry out additional work to analyze the causes of what happened with the software algorithms and assure you that we are always attentive to the rights of personal data subjects in accordance with the requirements of the GDPR.”
5.7. On 12 April 2024, the Commissioner issued a Preliminary Decision against the Controller where the following was identified:
(a) infringement of the Article 12(3) of the GDPR since the controller did not satisfy the complainants’ requests for erasure of their personal data, in accordance with the provisions of the said Article.
(b) infringement of the Article 31 of the GDPR, since it failed to cooperate with the Commissioner’s Office and provide the requested information.
5.8. Following the above, the Commissioner ordered the Controller to respond to the Commissioner’s Office letter dated 05/01/2024, and particularly to provide the information requested in paragraphs 3.2. and 4.4.
5.9. In their response, on 12 May 2024, the controller stated the following:
i. The relevant processing is lawful for the purposes of the legitimate interests pursued by the Controller in accordance with Article 6(1)(f) GDPR. This is confirmed by the fact that the information collected regarding the business, including name, address or contact information, was manifestly made public by the data subjects on public sources such as Google.
ii. In the case of the first complaint, the erasure request was processed by the automated system, however, an error occurred as a result of which the said page was not deleted. In any case, the relevant information was removed on 19 December 2023, after the notification from the Commissioner’s Office.
iii. In the case of the second complaint, the relevant information was removed on 6 March 2024, again after the notification from the Commissioner’s Office.
iv. The Controller uses an automatic inquiry processing system that processes incoming inquiries, analyzes their content and takes appropriate actions, sending automatic notifications of the actions taken. If the system is unable to recognize a request, it sends it to the processing center for manual processing.
Legal framework
6.1. According to article 4 of the GDPR:
“(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”.
6.2. Article 5 of the GDPR sets out the principles according to which personal data shall be processed:
“1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”.
6.3. For a processing to be lawful, one of the following conditions set out in article 6 of the GDPR must be applied:
“(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”.
6.4. Paragraphs 2 and 3 of article 12, which is related to the obligations of a controller as regards to data subject requests under Articles 15 to 22, state the following:
“2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.
That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”.
6.5. The right of a data subject to erasure (‘right to be forgotten’) is stipulated in Article 17 of the GDPR.
6.6. Article 24(1) of the GDPR is related to the responsibility of the controller to implement appropriate technical and organisational measures to safeguard the rights and freedoms of data subjects, in accordance with the GDPR:
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”.
6.7. Further to the above, article 32(1) states the following:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: …”.
6.8. Article 31 of the GDPR refers to the obligation of a controller to cooperate with the Supervisory Authority, upon a relevant request:
“The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.”
6.9. Pursuant to Article 58(1) of the GDPR, the Commissioner has, amongst other, the investigative powers:
“(a) to order the controller and the processor, and, where applicable, the controller's or the processor's representative to provide any information it requires for the performance of its tasks;
(b) to obtain, from the controller and the processor, access to all personal data and to all information necessary for the performance of its tasks;”.
6.10. Moreover, according to Article 58(2) the Commissioner has the following corrective powers:
“(a) to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
(b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(e) to order the controller to communicate a personal data breach to the data subject;
(f) to impose a temporary or definitive limitation including a ban on processing;
(g) to order the rectification or erasure of personal data or restriction of processing pursuant to Articles 16, 17 and 18 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
(h) to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Articles 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
(j) to order the suspension of data flows to a recipient in a third country or to an international organization.”
6.11. As regards to the administrative fines that may be imposed by the Commissioner, Article 83(2)-(6) states the following:
“(2) Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
(j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”.
3. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43;
(b) the obligations of the certification body pursuant to Articles 42 and 43;
(c) the obligations of the monitoring body pursuant to Article 41(4).
5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
(b) the data subjects' rights pursuant to Articles 12 to 22;
(c) the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligations pursuant to Member State law adopted under Chapter IX;
(e) non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1).
6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”.
Commissioner’s Views
7.1. The Controller’s website provides information about organizations/ professionals/ individuals providing services, along with clients’ reviews. The GDPR applies only to natural persons and does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons. However, information in relation to one-person companies may constitute personal data where it allows the identification of a natural person. The same applies to all personal data relating to natural persons in the course of a professional activity, such as the employees of a company/organization, business email addresses which reveals the individual’s name etc.
7.2. The complaints in question concern information published in the Controller’s website, referring to the complainants as individuals providing services. To that end, this information constitutes personal data and the GDPR applies. The collection and publication of the said information constitutes processing activities.
7.3. The Controller did not take actions within the one-month period specified by the GDPR as regard to the complainants’ request made under article 17 of the GDPR, for erasure of the aforementioned information, in violation of the provisions of the Article 12(3). The complainants’ requests had been fulfilled by the Controller, only after the intervention of my Office.
7.4. It should be noted that the aforementioned complaints were not the first time my Office dealt with the Controller, since it had previously investigated a similar complaint against the Controller regarding an unsatisfied erasure request, lodged by an Italian citizen.
7.5. According to the information provided by the Controller as regard to the investigation of all the above complaints, all emails sent to legal@nicelocal.com, privacy@nicelocal.com and content@nicelocal.com are collected in a single cluster for their primary processing by a special AI system that recognizes the type of request and passes it on to the correspondent specialist for further consideration. As it seems, the failure of the Controller to respond/fulfil the relevant requests, is a result of a system failure to properly recognize the requests and pass them to the relevant department.
7.6.1. Due to the repeated nature of the Controller’s failure to fulfill data subjects’ requests for erasure of their personal data, my Office proceeded with further investigation of the matter. To that end, it requested additional information as regards to the operation of the said system and the technical measures taken in this regard (paragraph 3.2 of letter dated 5/1/2024).
Despite my Office’s repeated efforts, the Controller failed to provide a response in this regard. It should be noted that the relevant questions were deliberately ignored by the Controller, since in their latest response, the Controller addressed other matters, avoiding to refer to the above.
7.6.2. The information requested in paragraph 3.2. of the aforementioned letter is of utmost importance. The absence of clear and specific information, as regard to the operation of the automated system used to recognise and forward the said requests to the relevant department to be handled, prevents proper evaluation of the risks involved. Systematic failures of the system in question, which consequently lead to mishandling of data subjects’ requests, may be considered as failure of the Controller to facilitate the exercise of data subject rights under Articles 15 to 22, in violation of article 12(2) GDPR. Moreover, possible lack of appropriate technical measures implemented by the Controller to safeguard data subject’s rights and freedoms, may constitute violation of article 24(1) and 32(1) GDPR.
7.6.3. In the Preliminary Decision, I ordered the controller to provide the information requested by my office in paragraphs 3.2. and 4.4. of the email dated 5/1/2024. Although a response was provided for paragraph 4.4., which referred to the legal basis of the processing, it was noted that the controller did not provide:
(a) detailed description of how this system operates,
(b) safeguards applied by the company to ensure that the system will properly handle all the requests,
(c) actions/measures taken by the company after our Office brought to its attention, through the first complaint, that the system does not work as it should,
(d) whether the company carried out a data processing impact assessment in accordance with article 35 of GDPR as requested in paragraph 3.2. of the above email.
The lack of response to these constitutes a violation of Article 31 GDPR.
7.7. As regards the legal basis for the collection and publication of personal data of individuals in the websites, the controller considered that the processing is lawful for the achievement of the legitimate interests pursued by them. To that end, considering the following facts:
i. the personal data in question were originally made public on widely known public sources by the complainants themselves,
ii. the purpose of the processing of the data by the controller has not changed from the original purpose, i.e. the publication of the contact details of their businesses,
iii. there is no indication that the controller has used the data for any purposes other than the initial purpose and
iv. no harm can come to the data subjects from the further publication of their data since they were already published on a public source.
I find that the relevant processing is lawful and necessary for the purposes of the legitimate interests pursued by the controller as per paragraph 1(f) of Article 6 GDPR. This is enhanced by considering the exception for allowing the processing of special categories of personal data as it is stated in paragraph 2(e) Article 9 GDPR: [the prohibition in] “Paragraph 1 shall not apply if one of the following applies: … (e) processing relates to personal data which are manifestly made public by the data subject…” According to the GDPR special categories of data are to be held at a higher level of protection, therefore the above exception can be proportionally applied on the processing of non-special categories of personal data.
7.8. In addition to the above, the controller is still obligated to “take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language” as per Article 12 GDPR.
Moreover, the privacy policy on the controller’s website should also include the sources used to collect the personal data in compliance with Article 14 GDPR and the transparency principle.
7.9. The failure of the Controller to respond to all the Commissioner’s questions and provide sufficient and conclusive information as explained above in paragraphs 7.6.1, 7.6.2 and 7.6.3, is in violation of article 31 GDPR.
Conclusion
8. Having regard to all the above information, and based on the powers vested in me by Articles 58 and 83 of Regulation (EU) 2016/679 and article 24(b) of National Law 125(I)/2018, I conclude that there is an infringement of Articles 12(3) and 31 GDPR on behalf of Senira Limited for the reasons mentioned above.
9. Moreover, following an infringement of Article 12(3) and 31 GDPR, as explained above, under the provisions of Article 83 of the GDPR, the following mitigating (1-3) and aggravating (4-6) factors are taken into account:
(1) The complainants’ erasure requests were all satisfied eventually
(2) No harm has occurred to the data subjects from the further processing.
(3) The relevant processing does not involve sensitive data.
(4) The increasing number of complaints regarding the unsatisfied erasure requests
(5) The lack of appropriate procedures and measures for handling data subject rights.
(6) The lack of response to the Order issued on the Preliminary Decision
10. In view of the above, I have decided to issue to Senira Limited:
a. a reprimand for the infringement of Article 12(3) GDPR and
b. an administrative fine of €3,000 (three thousand euro) pursuant to Article 83 for the infringement of Article 31 on the basis of Article 58 (2)(i) GDPR.
11. In addition to the above I have decided to order Senira Limited to bring processing operations into compliance on the basis of Article 58 (2)(d) GDPR, specifically review the procedure for handling data subjects’ requests so that no data subject requests are lost and inform the Commissioner’s Office of relevant action within 2 months.
Irene Loizidou Nicolaidou
Commissioner For Personal Data Protection