IDPC (Malta) - CDP/COMP/344/2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
(4 intermediate revisions by one other user not shown)
Line 25: Line 25:
|Date_Published=
|Date_Published=
|Year=
|Year=
|Fine=50000
|Fine=2500
|Currency=EUR
|Currency=EUR


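Review bot: the Date_Published and Year fields in this hunk stay empty on both sides of the change, so the infobox still renders "Decided:" and "Published:" without values; while correcting the Fine field, the decision date should be filled in as well, since the page is otherwise dated only by its revision timestamp.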
Line 79: Line 79:
}}
}}


The Maltese DPA fined a school €50,000 for failing to respond to an access request within the time frame and having no appropriate internal measures to handle personal data.  
The Maltese DPA fined a school €2,500 for failing to respond to an access request within the time frame and having no appropriate internal measures to handle personal data.  


== English Summary ==
== English Summary ==
Line 88: Line 88:
Intending to access the report, the complainant submitted the access request directly to the therapists. A response was not received from either therapist. Over the next few weeks, the complainant encountered a number of delays from the school, including back and forth emails with the school’s Director,  which culminated in the report being provided 5 weeks after the initial request was made.  
Intending to access the report, the complainant submitted the access request directly to the therapists. A response was not received from either therapist. Over the next few weeks, the complainant encountered a number of delays from the school, including back and forth emails with the school’s Director,  which culminated in the report being provided 5 weeks after the initial request was made.  


The following complaints were submitted to the DPA.
The following complaints were submitted to the DPA:


* The data subject request was not adhered to within the 30 day timeframe.
* The data subject request was not adhered to within the 30 day timeframe.
Line 97: Line 97:
=== Holding ===
=== Holding ===
    
    
Whether the Director can be considered the controller within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]].
The DPA decided that the school (the controller) had failed to adhere to the 30 day deadline. As per the complainant, the request was made on 24.05.2022 to the therapist. The DPA dismissed the controller's argument that the request was made on 10.06.22, which is when the complainant got in touch with the director requesting a follow up.  As per the EDPB guidance 01/2022 on the exercise of data subject rights, a controller may not be required to respond to a request made to an employee who is not involved in the processing of requests concerning data subjects if they have clearly provided the data subject with an appropriate communication channel. However, the request is not considered random if they contact an employee who has been assigned to them as their regular contact person, which was the case here.  
The Commissioner held analysed the requirements under [[Article 4 GDPR#7|Article 4(7) GDPR]] and [[Article 5 GDPR#2|Article 5(2) GDPR]], together with the EDPB guidelines on the concepts of controller and processor 07/2020 and held that it was clear that even if a specific natural person is appointed to endure compliance with data protection rules, they will be acting on behalf of the legal entity which is ultimately responsible in case of infringement of the rules in its capacity as a controller.  


Failure to adhere to the 30 day deadline.
The DPA agreed that the privacy policy did not contain the minimum information needed under [[Article 13 GDPR|Article 13 GDPR.]] The policy lacked clarity on the categories of personal data processed, the legal basis or purpose of processing, how a data subject can request access and data retention timelines (the policy only made reference to an internal guideline which was not published on the controllers website).  
As per the complainant, the request was made on 24.05.2022, however the controller sought to argue that the request was made on 10.06.22, when the complainant got in touch with the director requesting a follow up. It was held that, even hough the complainant did not submit their request though the email address provided on the data protection policy, their request was still valid on the date it was sent to the therapist. The therapist dealt with the data subject on a daily basis. As per the EDPB guidance 01/2022 on the exercise of data subject rights, a controller may not be required to respond to a request made to and employee who is not involved in the processing of requests concerning data subjects if they have clearly provided the data subject with an appropriate communication channel, however, the request is not considered random if they contact an employee who has been assigned to them as their regular contact person.  


As the date in which the complainant submitted the request was the first date they got in touch with the therapists, it was held that the controller failed to adhere to the one month deadline established in [[Article 15 GDPR|Article 15 GDPR]]. Furthermore, no explanation was provided to the complainant for this delay. In addition, [[Article 12 GDPR|Article 12 GDPR]], requires that the rights of data subjects should be safeguarded by establishing clear, proportionate and effective conditions as to how and when data subjects shall exercise their rights.  
The DPA held the Director should be considered a controller within the meaning of [[Article 4 GDPR#7|Article 4(7) GDPR]]. The DPA analysed the requirements under [[Article 4 GDPR#7|Article 4(7) GDPR]] and [[Article 5 GDPR#2|Article 5(2) GDPR]], together with the EDPB guidelines. A specifically appointed natural person (such as a director) is considered to be acting on behalf of the legal entity (the school) which is responsible in case of infringement.


In addition, access to the data was not facilitated due to the fact that they would only permit the receipt of the information if the therapist would explain the data contained within it. Per [[Article 12 GDPR#1|Article 12(1) GDPR]], the controller must provide individuals with information regarding the processing of their personal data in writing, or by other means, including electronic means where appropriate. In addition, per [[Article 15 GDPR#3|Article 15(3) GDPR]], where the data subject makes a request via electronic means, the information should be provided in that manner.  
Lastly, there were no internal policies on the appropriate handling of personal data contrary to [[Article 24 GDPR|Article 24(1)-(2) GDPR]] and [[Article 32 GDPR#4|Article 32(4) GDPR]]. The controller did not have an adequate training procedure in place for all employees responsible for handling personal data. Due to the lack of internal processes, the therapists, contrary to [[Article 38 GDPR#1|Article 38(1) GDPR]], failed to involve the DPO in the initial request.  


The privacy policy had a number of shortcomings.
The controller was ordered to revise the data protection policy on its website to be compliant with [[Article 13 GDPR]] and establish an internal data protection policy per [[Article 24 GDPR]]. The Commissioner also imposed a fine of €50,000 with - with an additional €50 each day for which the violation persists.
In the complaint, the complainan also highlighted that the privacy policy was missing key terms required per [[Article 13 GDPR|Article 13 GDPR]]. Aside from the identity of the controller, this included: a lack of clarity on the categories of personal data concerned and the identity of the data subject, the legal basis or purpose of processing (including whether or not special categories of data are included - which they were), lack of clarity on the request of data subject rights and retention timelines (the policy only made reference to an internal guideline which was not published on the controllers website). 
 
The commissioner stressed that the controller should be held accountable in relation to the transparency of the processing of personal data throughout the processing life cycle. After examining the contents of the policy, they held that it did not contain the minimum information which shall be provided to data subjects.
 
In addition, there were no internal policies on the appropriate handling of personal data which are binding on all employees handling personal data contrary to Article 24(1)-(2) GDPR and [[Article 32 GDPR#4|Article 32(4) GDPR]]. It is crucial that controllers take active responsibility for ensuring compliance and developing an accountability nature. The controller hould have a training procedure in place for all employees responsible for handling personal data in order to foster a culture of data protection and raise awareness among employees about their responsibilities in line with [[Article 39 GDPR#1|Article 39(1) GDPR]] on the role of the DPO. In order to ensure that data is protected in accordance with the regulation, comprehensive training is an essential tool for reducing delayed responses and missed deadlines.
 
In addition to the above, the Commissioner also held that due to the lack of internal processes, the herapists, contrary to [[Article 38 GDPR#1|Article 38(1) GDPR]], did not involve the DPO in the initial request. In another Belgian case - it was held that the DPOs role has a crucial importance in terms of consulting, they should not be merely informed on matters relating to data protection.
 
The controller was ordered to revise the data protection policy on its website to be compliant with [[Article 13 GDPR|Article 13 GDPR]] and establish an internal data protection policy per [[Article 24 GDPR|Article 24 GDPR]]. The Commissioner also imposed a fine of €50,000 with - an additional €50 each day for which the violation persists.


== Comment ==
== Comment ==
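Review bot: the rewritten Holding still states "a fine of €50,000 with - with an additional €50 each day", which both keeps the doubled "with" and contradicts the Fine=2500 / "€2,500" change made earlier in this same revision; one of the two amounts must be wrong and the sentence should read "a fine of €2,500 [or €50,000], with an additional €50 for each day the violation persists". The rewrite also drops the Article 39(1) GDPR and Belgian-case discussion, so the Relevant Law list, which still cites Article 39(1) GDPR and lists Article 38(1) GDPR twice, should be reconciled with the new text.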

Latest revision as of 09:56, 13 November 2023

IDPC - CDP/COMP/344/2022
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 4(7) GDPR
Article 5(2) GDPR
Article 12(1) GDPR
Article 12(3) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 24(1) GDPR
Article 24(2) GDPR
Article 38(1) GDPR
Article 39(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 2500 EUR
Parties: n/a
National Case Number/Name: CDP/COMP/344/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: IDPC (in EN)
Initial Contributor: Sainey Belle

The Maltese DPA fined a school €2,500 for failing to respond to an access request within the time frame and having no appropriate internal measures to handle personal data.

English Summary

Facts

The complainant submitted an access request under Article 15 GDPR on behalf of her son (the data subject). The data subject attended a school which provides therapy sessions. As part of the curriculum, the therapists would assess the data subject at the beginning of the year and set goals for them. At the end of the year, these goals are reviewed and a report is then created which is stored on the data subject's file.

Intending to access the report, the complainant submitted the access request directly to the therapists. A response was not received from either therapist. Over the next few weeks, the complainant encountered a number of delays from the school, including back and forth emails with the school’s Director, which culminated in the report being provided 5 weeks after the initial request was made.

The following complaints were submitted to the DPA:

  • The data subject request was not adhered to within the 30-day timeframe.
  • The controller’s privacy policy was not easily accessible and contained a number of shortcomings.
  • It was not clear whether the Director was a controller under Article 4(7) GDPR.
  • There is no process outlining how the controller handles data subject rights requests.

Holding

The DPA decided that the school (the controller) had failed to adhere to the 30-day deadline. As per the complainant, the request was made on 24.05.2022 to the therapist. The DPA dismissed the controller's argument that the request was made on 10.06.22, which is when the complainant got in touch with the Director requesting a follow-up. As per the EDPB guidance 01/2022 on the exercise of data subject rights, a controller may not be required to respond to a request made to an employee who is not involved in the processing of requests concerning data subjects if it has clearly provided the data subject with an appropriate communication channel. However, the request is not considered random if the data subject contacts an employee who has been assigned to them as their regular contact person, which was the case here.

The DPA agreed that the privacy policy did not contain the minimum information required under Article 13 GDPR. The policy lacked clarity on the categories of personal data processed, the legal basis or purpose of processing, how a data subject can request access, and data retention timelines (the policy only made reference to an internal guideline which was not published on the controller's website).

The DPA held the Director should be considered a controller within the meaning of Article 4(7) GDPR. The DPA analysed the requirements under Article 4(7) GDPR and Article 5(2) GDPR, together with the EDPB guidelines. A specifically appointed natural person (such as a director) is considered to be acting on behalf of the legal entity (the school) which is responsible in case of infringement.

Lastly, there were no internal policies on the appropriate handling of personal data contrary to Article 24(1)-(2) GDPR and Article 32(4) GDPR. The controller did not have an adequate training procedure in place for all employees responsible for handling personal data. Due to the lack of internal processes, the therapists, contrary to Article 38(1) GDPR, failed to involve the DPO in the initial request.

The controller was ordered to revise the data protection policy on its website to be compliant with Article 13 GDPR and to establish an internal data protection policy per Article 24 GDPR. The Commissioner also imposed a fine of €50,000, with an additional €50 for each day the violation persists.

Comment

This case touches on a number of important data protection concepts that tend to be overlooked by controllers and processors. Data protection should not be an afterthought. In addition, DPOs are not a mere formality; their role is of particular importance to an organisation.

