IDPC (Malta) - CDP COMP 583 2022: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 59: Line 59:
}}
}}


NA
The Maltese DPA ordered a controller to rectify a record for international protection under Article 16 GDPR.


== English Summary ==
== English Summary ==

Revision as of 13:55, 6 December 2023

IDPC - CDP_COMP_583_2022
LogoMT.jpg
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 16 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: CDP_COMP_583_2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: CDP_COMP_583_2022 (in EN)
Initial Contributor: sh

The Maltese DPA ordered a controller to rectify a record for international protection under Article 16 GDPR.

English Summary

Facts

In 2016 the data subject gave Maltese authorities (the controller) false information about her spouse's identity and stated that their traditional marriage, not their civil marriage, was the date of their marriage for security purposes.

In 2022, The data subject informally requested a correction to her name and marriage date, which was denied. The data subject tried again formally, explaining her situation and supplying her marriage certificate, which showed the correct details for her spouse and marriage date. This was again rejected by the controller on the grounds that it was the data subjects' responsibility to ensure that her information was correct when filling out the forms. Moreover, the controller argued that they were under no legal obligation to change this data. This was not simply an issue of "correcting details", but would require a complete change in the personal details of her alleged husband.

The data subject complained to the Maltese DPA that the controller refusal to corrrect her personal data breached her right to rectification under Article 16 GDPR.

Holding

The DPA upheld the complaint and ordered the controller to rectify the data subject's record within 20 days.

Under a strict interpretation of Article 16 GDPR, it is unclear that the controller would be bound to correct the data. The GDPR does not define the terms 'inaccurate' and 'incomplete' data. Moreover, the data which the data subject was seeking to rectify relates to information which she knowingly provided wrongly to the controller at the time of applying for international protection in Malta. This makes the data accurate because it reflects the data which the data subject submitted at the time.

However, the DPA interpreted Article 16 in a broad sense in conjunction with the accuracy and accountability principles found in Article 5(1)(d) GDPR and Article 5(2) GDPR, respectively. The controller bears the responsibility of maintaining up-to-date data and proving compliance with this obligation. As a result, the controller needs to have policies in place to verify the accuracy of the data submitted during an application. For this purpose, an internal note attesting to the applicant's verification of the data against official sources would be adequate. Therefore, the controller was legally required to make the necessary corrections, particularly after the data subject provided sufficient evidence for the controller to verify the accuracy of her personal information.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Idpc.
Information and Data Protection Commissioner
CDP/COMP/583/2022
vs
COMPLAINT
1.
On
the
22"4
December
2022,
es
brough
her
legal
counsel
(the “complainant” or the “data subject”) lodged a complaint with the Information
and Data Protection Commissioner (the “Commissioner”) pursuant to article 77(1) of
the General Data Protection Regulation! (the “Regulation” or the “GDPR”), alleging
that the x (the or the “controller”) has
refused to rectify her personal data without any valid legal reason, and therefore the
ME “has breached my client’s right to rectification as provided for in article 16 of
the General Data Protection Regulation”.
FACTS OF THE CASE
2. For the purpose of this complaint, the Commissioner assessed the relevant facts
surrounding the complaint:
Summary of Events
'
Regulation (EU)
2016/679
of the
European
Parliament
and
of the
Council
of 27
April
2016
on the
protection
of
natural
persons
with regard
to
the
processing
of
personal
data
and
on the free
movement
of
such
data,
and
repealing
Directive
95/46/EC.
Page 1 of 13
that the complainant is a beneficiary of subsidiary protection;
that upon her arrival to Malta, the complainant had given the authorities a different
name to that of her spouse for security purposes. Moreover, the date of marriage
listed in the records of the JJ relates to the date of their traditional marriage,
rather than that of their civil marriage being the 4 January 2015;
that the complainant had previously made an informal request in order to amend
the above-mentioned details on her documents, however, she was never given the
opportunity to explain her situation, and her request was consequently turned
down;
that following this, an email was sent to the J from her lawyer in order to
formally request the authorisation of the fC] to amend the marital information
retained by the same Jj. Together with the email, the Jj was provided
with the public marnage certificate showing the correct details for her spouse and
containing the correct marriage date. The complainant confirmed that the spouse
was willing to provide a DNA test if the Jj has any further doubts regarding
the family relationship;
that the i rejected the complainant’s request stating that the complainant’s
“sole responsibility to ensure that the details submitted to this Jj when
lodging her application for international protection on 15/06/2016 were correct.
In this regard, it should be noted that she was given the services of an interpreter
to ensure proper communication, and that the application form was duly re-read
to her prior signing to ensure that the information contained therein was indeed
correct’; and
that in this regard, the complainant submitted a complaint on the basis that by
refusing to change the above-mentioned personal information on the complainant’s
documentation, without any valid legal basis, the JJ has breached her right to
rectification as provided for in article 16 of the Regulation.
Page 2 of 13
INVESTIGATION
Request for submissions
3. Pursuant to article 58(1)(a) of the Regulation, the Commissioner provided the (Si
with a copy of the complaint, including the documentation attached thereto, and
requested it to put forward its submissions in order to defend itself against the
allegations raised by the complainant. By means of an email dated the 15" February
2023, the J submitted the following principal arguments for the Commissioner
to consider in the legal analysis of the case:
a. that when the complainant applied for international protection in Malta back in
2016, she was duly informed of her obligation to provide this Jj with all the
information at her disposal as per the following: “/o/bliged to cooperate with the
a ns with a view to establishing his identity and other
elements referred to in the Act and in these regulations’,
b. that the complainant was informed of this obligation, when filling in her application
form, and nonetheless she provided a completely different name to that of her
alleged husband. Furthermore, the same details were reconfirmed by the
complainant during her personal interview;
c. that the Jj noted that despite the fact that the complainant was married when
she lodged her application for international protection, she did not present her
marriage certificate, or any other document attesting to her marriage, at the time of
the application. Indeed, the J further noted that the complainant only
submitted her marriage certificate six (6) years later when she decided to file a
request to change the details, she had originally submitted to the [J vis-a-vis
her spouse during the asylum procedure;
> Article 13 of the Directive 2013/32/EU of the European Parliament and of the Council of 26 June 2013 on
common procedures for granting and withdrawing international protection (recast), and Article 4(3)(a) of Chapter
420.7 of the Laws of Malta.
Page 3 of 13
d. that the jj remarked that this is not simply an issue of ‘correcting details’,
but rather a complete change in the personal details of her alleged husband,
including his name and surname. In connection with this, the Jj submitted
that such a request does not simply entail a slight modification in the details as
originally declared by the complainant during the asylum procedure, but rather a
complete change, as there are no similarities whatsoever with the initial data
provided to the I:
e. that the J noted a gap with respect to her marriage date. Specifically, when
the complainant was asked about her marriage details both at registration, lodging
her application and at interview stage, she allegedly provided incorrect dates in
both instances. In this regard, the JJ is of the opinion that the complainant,
could have easily highlighted the difference between her traditional marriage and
her civil marriage when she was questioned during her personal interview, which
took place a month after the lodging of her application;
f. that the JJ also highlighted the fact that the complainant “trusted the
enough to apply for international protection in Malta. She come forth with the
reasons why she was in need of international protection, including the situation of
her alleged husband in QJ however, she allegedly did not trust he 7:
enough to provide the correct personal details of her alleged husband for fear that
something might happen to him in J. Therefore, she trusted the Jj with
assessing her application for international protection but knowingly provided
wrong information, all while being well aware of the fact that the] is legally
bound by the principle of confidentiality”; and
g. that the J submitted that the complainant was granted subsidiary protection
status back in 2016; however, she only submitted this request six (6) years after, in
2022. The I remarked that this delay is significant and cannot simply be
overlooked considering all the available opportunities she had to provide the
correct details pertaining to her spouse and marriage.
Page 4 of 13
On the 16" February 2023, the Commissioner provided the complainant with the
opportunity to rebut the arguments made by the [jg On the 1S March 2023, the
complainant through her legal counsel, rebutted the arguments made by the controller
and submitted the following principal arguments:
a.
that
the
complainant
has
a
right
to
the
rectification
of
inaccurate
data
and
the
MH.
2s
a
controller
of
personal
data,
has
an
obligation
to
ensure
that
personal
data
held
by
it
is
accurate.
Furthermore,
the
complainant
noted
that the
ay
failed to inform the complainant of her right to lodge a complaint;
b.
that
personal
data
should
be
processed
in
accordance
with
the
data
protection
laws
and
policies
to
preserve
the
right
to
privacy
of
a
data subject.
The
right
to
data
protection
concerns
the
safeguarding
of
a
person’s
fundamental
human
rights
in
connection
with
the
right
to
a
private
and
family
life
as
enshrined
in
the
Universal
Declaration
of
Human
Rights
and
as
also
enshrined
in
the
EU
Charter
of
Fundamental
Rights
and
the
Treaty
on
the
Functioning
of
the
European
Union,
which
give
effect
to
individuals’
right
to
privacy
by
providing them
with control
over the way information about them is collected and used;
c.
that
it
is
hence important
to
note
that the
principles
enshrined
in
the
Regulationshould
be
applied
to
asylum
seekers,
persons
with
subsidiary
status
and
refugees
in
the same manner as it would be applied to European nationals;
d.
that
Chapter
III
of
the
Regulation
provides
a
list
of
rights
which
data
subjects
may
exercise
regarding
their
personal
data.
The
Regulation
specifically
provides
data
subjects with
the
right
to
obtain
from
the
controllers,
without
undue
delay,
the
rectification
of
inaccurate personal
data
concerning
them.
The
right
of
rectification
is
an
important
complement
to
the
right of
access and
is
essential
for
maintaining
a high level of data quality;
e.
that the
complainant
explicitly
requested
the
J
to
rectify
the
marital
information which
is
retained by
the
same
J
With
her
request,
the
Page 5 of 13
lOpc. complainant included documentation which clearly proved that the data which was
held by the J was inaccurate;
that the complainant explained that upon lodging her application for international
protection, she had not given the correct information of her spouse, due to security
reasons, since her husband was still in Jj and so she feared that by providing
his real name to the J her husband would be in trouble in his country of
origin. Therefore, the complainant felt that she could not reach out to the aaa
before since she was afraid of the consequences of having her spouses’ name
disclosed;
that moreover, when she was asked to provide their date of marriage, she provided
the date of their religious wedding rather than the date of their civil marriage. Since
their civil marriage is the one which is recognised in Malta, the date of their
marriage on her documentation should be amended. By reviewing the
documentation provided by the complainant, including the official public marriage
certificate, the Jj was provided with sufficient information in order to easily
ascertain that the personal data that it held was inaccurate;
that the JJ stated that the right to rectification should not be adhered to since
the complainant is requesting the complete change in personal details in relation to
her husband, and not merely a slight modification, such as the request to change
one or two letters. In this regard, it should be noted that the right to rectification as
expounded in the Regulation does not state that the rectification must be limited to
a slight modification in details;
that the complainant referred to article 5(1)(d) and article 5(2) of the Regulation,
and noted that the controller is responsible for ensuring that the data processed is
accurate and updated when necessary;
that when a request for the rectification of data is made by a data subject, the
controller must evaluate whether the data in question is incomplete or inaccurate
Page 6 of 13
Ipc. with regard to the purposes of processing. In this case, the BS did not oppose
the claim that the data held by it is inaccurate, but merely stated that the data subject
is responsible for ensuring that the personal data provided is accurate, this in spite
of the obligations and responsibilities placed on the data controller by the relevant
data protection laws;
that the controller shall facilitate the exercise of data subject rights under Articles
15 to 22 of the Regulation. In the cases referred to in Article 11(2) of the
Regulation, the controller shall not refuse to act on the request of the data subject
for exercising his or her rights under Articles 15 to 22 of the Regulation, unless the
controller demonstrates that it is not in a position to identify the data subject;
that according to article 12 of the Regulation, if the controller does not take action
on the request of the data subject, the controller shall inform the data subject
without delay and at the latest within one (1) month of receipt of the request of the
reasons for not taking action and on the possibility of lodging a complaint with a
supervisory authority and seeking a judicial remedy. In this regard, the a. in
its reply merely stated that it ‘will not be taking any further cognisance of other
requests [the complainant] might submit in relation to this matter’.
5. In line with the Office’s complaint-handling procedure, the Commissioner provided the
Sa with the final opportunity to rebut the arguments made by the complainant. In
this regard, on the 20" March 2023, the controller submitted its reply and highlighted
the following salient arguments:
a. that the complainant had a legal obligation to co-operate with the =|
throughout the asylum procedure, including with a view to establish her identity;
that the JJ noted that as an applicant for international protection, it was the
complainant’s sole responsibility to ensure that the details submitted to the aaa
throughout the asylum procedure, including when filling-in her application form
and during the personal interview, were correct;
Page 7 of 13
c, that the J stressed that, provided it is true that the original details submitted
by the complainant are incorrect, this means that when filling in her application
form for international protection, the complainant was fully aware of the fact that
she was not providing the details of her real husband. Indeed, this would entail that
she purposefully provided wrong information to the J, allegedly due to
concerns for the safety of her husband in yyy
that the J reiterates that it is inconceivable that while the complainant trusted
the [MJ with assessing her application for international protection, she
allegedly did not trust the J enough to comply with her legal obligations and
provide the correct personal details of her alleged husband, all while being well
aware of the fact that the Jj is legally bound by the principle of
confidentiality. Moreover, the J noted that even after her alleged husband
was no longer in J, it took the complainant a total of six (6) years before she
finally decided to approach the Jj to request a rectification of the details
provided. The same applies with respect to her marriage date, which is also
allegedly incorrect;
that the J is well aware of the data protection legislation and the obligations
that emanate from this legal framework. Indeed, the Jj does not dispute that
the Regulation should be applied to asylum seekers, persons with subsidiary status
and refugees in the same manner as it would be applied to European nationals;
that the IMJ applied article 16 of the Regulation, which stipulates that data
subjects have the right to obtain from the controllers, without undue delay, the
rectification of inaccurate personal data concerning them. However, the J
noted that the complainant, provided completely different details vis-a-vis her
alleged husband, as well as a different marriage date. Therefore, it is amply clear
that this is not simply a matter of ‘correcting details’, but of completely changing
the details provided to this j- Moreover, the J noted that considering
the nature of the request, it is possible, that the complainant was indeed married to
the man she provided details of. Hence why, as already highlighted by the [,
Page 8 of 13
requests
for
rectifications require
an
understanding
of
the
personal
circumstances
as well as their legal weight;
that
by
the
standard
of
the
complainant’s
request,
everyone
has
a
right
to
change
details,
which
were
knowingly
incorrect,
there
is
an
automatic acceptance
that
deception
of
the
authorities
is
veiled
by data
protection
legislation,
which
in
the
opinion
of
the
a]
goes
against
the
spirit
of
the
Regulation.
Therefore,
the
BM
opines
that
while
data
subjects
have
the
right
to
request
the
rectification
of
inaccurate
personal
data
concerning
them,
there
are
strong
legal
responsibilities
attached to the information provided throughout the asylum procedure;
that the
=e
further
noted
that
“the
complainant
is
incorrect
to
quote
the
following
“has
no
legal
obligation
whatsoever
to
process
change
of
details
requests,
and
that
these
requests
are
ultimately
being carried
out
ex-gratia
thereby
completely
ignoring
the
obligations
of
a
data
controller
as set
forth
in
Regulation(EU)
2016/679”.
The
original request
submitted
by
the
complainant,
was
not
a
request
for
rectification
as
per
GDPR
regulations,
consequently,
the
IPA was
not
ignoring
its
obligations
as
a
data
controller
as set
forth
in
Regulation
(EU)
2016/679.
Therefore,
the
complainant’s submissions
provide
a
tweaked
account
of
the
request
submitted
by
a)
who
at
that
point
was
not
considered
as
a
complainant.
As
a
result,
the
disputes
the
complainant’s
assertion
that
IPA
did not
‘inform
the
complainant,
of
the
possibility
of
lodging
a
complaint
with
the
Office
of
the
Information
and
Data
Protection
Commissioner
or
that
the
complainant
could
seek judicial
redress.
If
the
complainant’s
request
for
rectification
was
filed
in
terms
of
GDPR
regulations,
hs
m7
would
have
complied
with article
12
of
the
regulation and
informed
the
complainant
accordingly”;
LEGAL ANALYSIS AND DECISION
6.
For
the
purpose
of the
investigation
of
this
complaint,
the
Commissioner
proceeded
to
assess
the
request
of the
complainant, wherein
she
requested
the
controller
to
rectify
Page 9 of 13
her personal data in terms of article 16 of the Regulation (annexed and marked as
‘Doc. IDPC 1’). By means of an email dated the 28" October 2022, the controller
informed the complainant that her request could not be met because it was her sole
responsibility “to ensure that the details submitted to this BE wher lodging her
application for international protection on 15/06/2016 were correct. In this regard, it
should be noted that she was given the services of an interpreter to ensure proper
communication, and that the application form was duly re-read to her prior signing to
ensure that the information contained therein was indeed correct” (annexed and
marked as ‘Doc. IDPC 27’).
7. The Commissioner examined the complaint submitted in terms of article 77(1) of the
Regulation, wherein the complainant confirmed that she had knowingly provided
incorrect data to the controller upon applying for international protection in Malta, back
in 2016. The complainant held that “/u/pon arrival into Malta J had given
the authorities a different name to that of her spouse for security purposes, as she
feared that he would be sought out. Moreover, the date of marriage listed in the records
of the: _[ee (he GE) relates to their traditional
marriage, rather than that of their civil marriage being the 4" of January 2015”
[emphasis has been added].
8. In the submissions dated the 14" February 2023, the controller provided that the
personal data pertaining to the complainant were collected for the purpose of processing
her application form for international protection. It therefore follows that the processing
activity, which is being contested by means of this complaint, refers to personal data
which the controller collected directly from the data subject.
9. In this regard, the Commissioner assessed the right to rectification as provided by article
16 of the Regulation, which provides that the “data subject shall have the right to obtain
jrom the controller without undue delay the rectification of inaccurate personal data
concerning him or her. Taking into account the purposes of the processing, the data
subject shall have the right to have incomplete personal data completed, including by
means of providing a supplementary statement ”.
Page 10 of 13
10.
The
Commissioner
emphasises
that the
right
to
rectification
is
a
key aspect
of
the
11.
13.
fundamental right to data protection, which is recognised in article 8(2) of the Charter
of Fundamental Rights of the European Union. Within this context, article 16 of the
Regulation provides for the right to rectify inaccurate data and the right to complete
incomplete data. Where the data is deemed to be incomplete, the data subject shall have
the right to have incomplete data completed, by adding new elements instead of
correcting existing data, and this could be done by means of a providing a
supplementary statement.
The law does not define the terms “inaccurate” and “incomplete”, however, the Court
of Justice of the European Union (the “CJEU”) sheds further light on this by providing
that the accuracy and completeness of the personal data have to be determined based
on the purpose of the processing activity conducted by the controller. The judgment
‘Peter Nowak vs Data Protection Commissioner’ provided that “fi]s apparent from
Article 6(1)(d) of Directive 95/46 that the assessment of whether personal data is
accurate and complete must be made in the light of the purpose for which that data was
collected”?
. After examining the circumstances of the case and in light of the purpose for which the
data were collected by the controller, the Commissioner established that the data which
the complainant is seeking to rectify relate to information which she knowingly
provided wrong to the controller at the time of applying for international protection in
Malta. Thus, the data recorded by the controller in relation to the processing of her
application form, is in itself accurate because it reflects the information which the
complainant submitted to the controller by means of the application form dated the 15"
June 2016.
Nonetheless, the controller should not ignore the fact that it is responsible for keeping
the data up-to-date, and thus, the controller should take every reasonable step to ensure
respect of the accuracy principle as set forth in article 5(1)(d) of the Regulation. In this
3
Court
of
Justice
of the
European
Union, Peter
Nowak
vs
Data Protection
Commissioner
(Case C-434/16),decided
on the
20"
December
2017,
para. 53
Page 11 of 13
regard, the Commissioner emphasises that the controller should effectively demonstrate
in terms of article 5(2) of the Regulation that the data are kept updated and accurate.
14. The Commissioner emphasises that it is incumbent on the controller to ensure that the
necessary procedures are in place to actually verify and ascertain that, in practice, any
information provided by an individual during the application process for international
protection is indeed verified against official documentation. The verification process
does not necessarily require the retention of actual documents, unless this clearly
derives from a law to which the controller is subject, but an internal note demonstrating
that the data provided by the applicant has been verified against official sources should
suffice.
15. Thus, the reply provided by the controller in relation to the request for rectification,
specifically, that it “has no legal obligation whatsoever to process change of details
requests, and that these requests are ultimately being carried out ex-gratia” is legally
incorrect [emphasis has been added]. In fact, the Commissioner emphasises that the
controller does indeed have a legal obligation to ensure compliance with the data
protection law, especially, after considering that the complainant had submitted
sufficient evidence to enable the controller to verify the accuracy of her personal data.
Furthermore, the CJEU had confirmed that it is the controller who shall bear the
responsibility to ensure compliance with its obligations regarding the quality of the
data. The CJEU stated that “the principles of protection must be reflected, on the one
hand, in the obligations imposed on persons responsible for processing, in particular
regarding data quality“ [emphasis has been added]. Within this context, ‘data quality’
refers to the requirement incumbent upon the controller to ensure that the data processed
by the controller are kept accurate, complete, and up to date.
On the basis of the foregoing considerations, and after having taken into account the
specific circumstances of the complainant at the time of applying for international
protection, the Commissioner hereby decides that the controller infringed article 16 of
4 Court of Justice of the European Union, College van burgemeester en wethouders van Rotterdam vs M.E.E.
Rijkeboer (Case C-553/07), decided on the 7" May 2009, para. 48.
Page 12 of 13
the
Regulation
when
it
failed
to
comply
with
the
request
made
by
the
complainant
to
rectify her personal data.
Pursuant
to
article
58(2)(c)
of
the
Regulation,
the
Commissioner
is
ordering
the
controller
to
rectify
the
complainant’s
record and
take
the
necessary
internal
measures
accordingly.
This
shall be
without prejudice
to
the
possibility
of
the
controller
to
retain
the
original
information
as
provided
by
the
complainant
given
that
such
record
reflects
a
true
representation
of
such
information, which
the
controller
processed
at
the
time
of
granting
the international protection status.
The
aforementioned
order
shall
be
complied
without
undue
delay
and
by
no later
than
twenty
(20)
days
from
receipt
of
this
legally-binding
decision
and
confirmation
of
the
action
taken
shall be
notified
to
the
Commissioner
immediately
thereafter.
lan Digitally signed
by lan DEGUARA
DEGUARA (Signature)
Date: 2023.05.22
(Signature) 56.35.50 +02'00
Ian Deguara
Information and Data Protection Commissioner
Page 13 of 13