DPC (Ireland) - Microsoft Operations Ireland Limited: Difference between revisions

From GDPRhub
(substantiated the facts & chronological order; added references to Articles.Great summary! :))
 
Line 70: Line 70:


=== Facts ===
=== Facts ===
A data subject submitted an erasure request under [[Article 17 GDPR]] to Microsoft, as a controller, to delete his website and other content from Microsoft's search engine (Bing). However, Microsoft refused to do so by claiming public interest.   
A data subject submitted an erasure request under [[Article 17 GDPR]] to Microsoft, the controller, to delete his website and other content from Microsoft's search engine (Bing). However, Microsoft refused to do so by claiming public interest.   


The data subject thus filed a complaint with the Bavarian DPA, which transferred it to the Irish DPC as Lead Supervisory Authority under [[Article 56 GDPR]] and it initiated a cooperation mechanism according to [[Article 60 GDPR]].   
The data subject thus filed a complaint with the Bavarian DPA, which transferred it to the Irish DPC as Lead Supervisory Authority under [[Article 56 GDPR]] and initiated a cooperation mechanism according to [[Article 60 GDPR]].   


Subsequently, the data subject again wrote to Microsoft seeking the deletion of all his personal data from Microsoft search engine. Thereafter, Microsoft replied to the data subject that it would remove two URLs but not the others because it claimed that public interest ouweighed his interest in privacy.  
Subsequently, the data subject again wrote to Microsoft seeking the deletion of all his personal data from Microsoft search engine. Thereafter, Microsoft replied to the data subject that it would remove two URLs but not the others because it claimed that public interest ouweighed his interest in privacy.  


Again, the data subject contacted Microsoft to have his personal data deleted, and this time, Microsoft shared instructions to close a Microsoft account. Through a series of communications with the DPC Microsoft finally proceeded to delist the remaining URLs of the data subject, upon which the DPC, via the Bavarian DPA informed the data subject of deletion. Still, the data subject rejected the amicable settlement proposed thereafter by the Bavarian DPA as Microsoft took a lot of time deleting his personal data, and he feared its possible disclosure to third parties.   
Again, the data subject contacted Microsoft to have his personal data deleted, and this time, Microsoft shared instructions to close a Microsoft account. Through a series of communications with the DPC, Microsoft finally proceeded to delist the remaining URLs of the data subject, upon which the DPC, via the Bavarian DPA, informed the data subject of deletion. Still, the data subject rejected the amicable settlement proposed thereafter by the Bavarian DPA as Microsoft took a lot of time deleting his personal data, and he feared its possible disclosure to third parties.   


After another series of exchanges, the DPC continued its investigation in order to issue a draft decision on "''Whether Microsoft's handling of the Complainant's erasure requests was compliant with Articles 12 and 17 of the GDPR''".  
After another series of exchanges, the DPC continued its investigation in order to issue a draft decision on "''Whether Microsoft's handling of the Complainant's erasure requests was compliant with Articles 12 and 17 of the GDPR''".  
Line 83: Line 83:
The DPC initiated its inquiry on the matter on 29 June 2023.   
The DPC initiated its inquiry on the matter on 29 June 2023.   


First of all, the DPC held that based on the documentation on record, it was clear that Microsoft did inform the data subject that he had the option of approaching a supervisory authority when Microsoft denied his erasure request. However, Microsoft did not inform the data subject about his right to a judicial remedy at any stage of its communications, thereby violating [[Article 12 GDPR|Article 12(4) GDPR]].  
First, the DPC held that based on the documentation on record, it was clear that Microsoft did inform the data subject that he had the option of approaching a supervisory authority when Microsoft denied his erasure request. However, Microsoft did not inform the data subject about his right to a judicial remedy at any stage of its communications, thereby violating [[Article 12 GDPR|Article 12(4) GDPR]].  


In addition, Microsoft also admitted that it should have accepted certain URLs for delisting in the first instance but failed to do so. Microsoft's action on those complaints started only later; hence, the same was not without undue delay, as required under [[Article 17 GDPR]]. For this reason, the DPC also found that Microsoft infringed [[Article 17 GDPR]].
In addition, Microsoft also admitted that it should have accepted certain URLs for delisting in the first instance but failed to do so. Microsoft's action on those complaints started only later; hence, the same was not without undue delay, as required under [[Article 17 GDPR]]. For this reason, the DPC also found that Microsoft infringed [[Article 17 GDPR]].

Latest revision as of 13:59, 2 January 2024

DPC - Microsoft Operations Ireland Limited
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 12(4) GDPR
Article 17 GDPR
Article 58(2)(b) GDPR
Type: Complaint
Outcome: Upheld
Started: 28.07.2021
Decided: 15.11.2023
Published:
Fine: n/a
Parties: Microsoft Operations Ireland Limited
National Case Number/Name: Microsoft Operations Ireland Limited
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: Gauravpathak

In the context of a procedure under Article 60 GDPR, the Irish DPC reprimanded Microsoft Operations Ireland Limited for violations of Article 12(4) GDPR and Article 17 GDPR.

English Summary

Facts

A data subject submitted an erasure request under Article 17 GDPR to Microsoft, the controller, to delete his website and other content from Microsoft's search engine (Bing). However, Microsoft refused to do so by claiming public interest.

The data subject thus filed a complaint with the Bavarian DPA, which transferred it to the Irish DPC as Lead Supervisory Authority under Article 56 GDPR and initiated a cooperation mechanism according to Article 60 GDPR.

Subsequently, the data subject again wrote to Microsoft seeking the deletion of all his personal data from Microsoft search engine. Thereafter, Microsoft replied to the data subject that it would remove two URLs but not the others because it claimed that public interest ouweighed his interest in privacy.

Again, the data subject contacted Microsoft to have his personal data deleted, and this time, Microsoft shared instructions to close a Microsoft account. Through a series of communications with the DPC, Microsoft finally proceeded to delist the remaining URLs of the data subject, upon which the DPC, via the Bavarian DPA, informed the data subject of deletion. Still, the data subject rejected the amicable settlement proposed thereafter by the Bavarian DPA as Microsoft took a lot of time deleting his personal data, and he feared its possible disclosure to third parties.

After another series of exchanges, the DPC continued its investigation in order to issue a draft decision on "Whether Microsoft's handling of the Complainant's erasure requests was compliant with Articles 12 and 17 of the GDPR".

Holding

The DPC initiated its inquiry on the matter on 29 June 2023.

First, the DPC held that based on the documentation on record, it was clear that Microsoft did inform the data subject that he had the option of approaching a supervisory authority when Microsoft denied his erasure request. However, Microsoft did not inform the data subject about his right to a judicial remedy at any stage of its communications, thereby violating Article 12(4) GDPR.

In addition, Microsoft also admitted that it should have accepted certain URLs for delisting in the first instance but failed to do so. Microsoft's action on those complaints started only later; hence, the same was not without undue delay, as required under Article 17 GDPR. For this reason, the DPC also found that Microsoft infringed Article 17 GDPR.

Based on the above, the DPC reprimanded Microsoft under Article 58(2)(b) GDPR and directed it to revise its internal policies and procedures to prevent future violations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.