CNIL (France) - 2c1s196162814: Difference between revisions
Revision as of 14:46, 1 January 2023
CNIL - 2c1s196162814 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 5(1)(d) GDPR; Article 5(1)(c) GDPR; Article 12(3) GDPR; Article 14 GDPR; Article 56(1) GDPR; Article 58(2)(b) GDPR; Article 58(2)(d) GDPR; Article L561-12 of the French Monetary and Financial Code |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 20.05.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2c1s196162814 |
European Case Law Identifier: | EDPBI:FR:OSS:D:2022:369 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In an Article 60 procedure, the French DPA decided three complaints regarding one controller, a credit provider. Among other violations, the controller did not respond to access requests in time, did not provide information regarding the source of personal data, and did not take necessary measures to only process up-to-date personal data.
English Summary
Facts
This decision by the French DPA consisted of several complaints by different data subjects regarding the same controller. The nature and the name of this controller were not disclosed. Based on the information provided in the decision, the controller seemed to be a provider of consumer credit.
The first data subject requested access to his personal data. He received responses from the controller but these were incomplete according to the data subject. After an intervention of the French DPA, the request was granted by the controller.
The second data subject had repeatedly requested information about the source of personal data concerning him and the retention period of personal data. He also requested the deletion of his data. After discussions between the DPA and the controller, the controller informed the data subject that his phone number and his address had been obtained from an investigative agency, located in Israel. The controller added that it only hired such an investigative agency when the data collected from the ‘transferring institution’ was inadequate. It is not clear from the decision what was meant by a 'transferring institution'. The controller also informed the data subject about the ‘exceptional’ closure of his case and that the personal data would be deleted after a period of 6 years. The controller stated that it was obliged to keep this data for a minimum of five years for anti-money laundering purposes, despite French law only requiring a storage period of five years, without any mention of a minimum period.
The complaint of the third data subject was transferred by the Polish DPA pursuant to Article 56(1) GDPR. The controller was not able to reach the data subject concerning his supposed debt. Therefore, it hired an investigative agency, which sent the contact details of the data subject on 13 July 2018. The data subject was contacted by the controller to pay his debt despite never being a client of the controller. The data subject stated that he was not a debtor and had never been a client of the controller. After communication between the data subject and the controller and an intervention of the DPA, the controller acknowledged that there had been a mistake regarding the identity of the data subject. The controller anonymized the data subject’s address and telephone number following the intervention of the DPA. The data subject complained to the DPA about the unlawfulness of processing of personal data concerning him and requested erasure of his data.
Holding
The DPA held that the controller had disregarded Article 12(3) GDPR regarding the third complaint, because it had taken the controller four months to respond to the data subject's first request and it did not answer as soon as possible. The controller also violated Article 5(1)(d) GDPR regarding the third complaint, because it did not take the necessary measures to only process up-to-date personal data. The DPA held that the controller did not take adequate measures to remove any doubt surrounding the data subject and delete the personal data of this data subject, who was not a debtor. The controller continued to process the data and only anonymized the data after the French DPA intervened.
The DPA also determined that the controller violated Article 5(1)(e) GDPR regarding the second complaint because of the 6-year retention period of personal data, while French law determined that the storage period for money laundering purposes was only five years (Article L561-12 of the French Monetary and Financial Code).
The DPA also stated that Article 14 GDPR had been breached by the controller regarding all complaints, because data subjects were not informed about the source of personal data when this was collected by the controller through a third party. The DPA specified that providing a copy of a privacy policy with each financial claim, indicating the possibility of recourse to an investigative agency, does not mean that the obligation of Article 14 GDPR is fulfilled. This information is not specific enough and does not provide information on the exact source of the data.
The DPA issued a reprimand pursuant to Article 58(2)(b) GDPR and Article 20.II of the French data protection act with regard to the obligation to respond to requests for the exercise of rights of individuals and the obligation to process accurate and updated personal data. The DPA also issued a formal notice pursuant to Article 58(2)(d) GDPR and Article 20.II of the French data protection act to limit the retention period of personal data to five years and to correctly inform individuals about the origin of their personal data.
Comment
Although neither the nature nor the name of the controller was specified, it seemed that the controller was a provider of consumer credit. Under section 1 of the decision (paragraph 1), there is a mention of a debt assignment agreement between the controller and the data subject. Also under section 1 (paragraph 5), one of the data subjects stated that he had never been a debtor of the controller.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.