AKI (Estonia) - EDPBI:EE:OSS:D:2022:362: Difference between revisions
No edit summary |
(provided link to Article 56 GDPR) |
||
Line 64: | Line 64: | ||
=== Facts === | === Facts === | ||
The data subject was unable to exercise his right to have his data deleted by the controller. The nature of the controller was not specified. According to the data subject, the data was not deleted despite several appeals and despite multiple confirmations from the controller that his personal data was deleted. The data subject filed a complaint at the Berlin DPA, which transferred the complaint to the Estonian DPA under Article 56 GDPR. The latter started an investigation into the controller and sent it several questions regarding its processing. | The data subject was unable to exercise his right to have his data deleted by the controller. The nature of the controller was not specified. According to the data subject, the data was not deleted despite several appeals and despite multiple confirmations from the controller that his personal data was deleted. The data subject filed a complaint at the Berlin DPA, which transferred the complaint to the Estonian DPA under [[Article 56 GDPR]]. The latter started an investigation into the controller and sent it several questions regarding its processing. | ||
The controller stated that the data subject had requested deletion on 19 November 2020 and that the controller deleted the data on the same day. It also explained its standard account deletion procedure, which required the user to manually log out or to delete the controller’s application in order to complete the deletion process. If the user did not do this, his login details (e-mail address and account passcode) would be kept in a database. Where applicable, the controller would not delete, but encrypt and archive personal data in order to comply with the Estonian Money Laundering and Terrorist Financing Prevention Act (the “AML Act”). The controller also confirmed during the proceedings that all personal data of the data subject had now been deleted. | The controller stated that the data subject had requested deletion on 19 November 2020 and that the controller deleted the data on the same day. It also explained its standard account deletion procedure, which required the user to manually log out or to delete the controller’s application in order to complete the deletion process. If the user did not do this, his login details (e-mail address and account passcode) would be kept in a database. Where applicable, the controller would not delete, but encrypt and archive personal data in order to comply with the Estonian Money Laundering and Terrorist Financing Prevention Act (the “AML Act”). The controller also confirmed during the proceedings that all personal data of the data subject had now been deleted. |
Latest revision as of 10:11, 11 January 2023
AKI - EDPBI:EE:OSS:D:2022:362 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 02.05.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EDPBI:EE:OSS:D:2022:362 |
European Case Law Identifier: | EDPBI:EE:OSS:D:2022:362 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In an Article 60 GDPR decision, the Estonian DPA reprimanded a controller for a violation of Article 17 GDPR. The controller did not erase all personal data after an erasure request. The controller had designed its erasure procedure in such a way that when a data subject did not log out manually from the controller's service after the erasure request, the login details of the data subject would be kept in the controller's database.
English Summary
Facts
The data subject was unable to exercise his right to have his data deleted by the controller. The nature of the controller was not specified. According to the data subject, the data was not deleted despite several appeals and despite multiple confirmations from the controller that his personal data was deleted. The data subject filed a complaint at the Berlin DPA, which transferred the complaint to the Estonian DPA under Article 56 GDPR. The latter started an investigation into the controller and sent it several questions regarding its processing.
The controller stated that the data subject had requested deletion on 19 November 2020 and that the controller deleted the data on the same day. It also explained its standard account deletion procedure, which required the user to manually log out or to delete the controller’s application in order to complete the deletion process. If the user did not do this, his login details (e-mail address and account passcode) would be kept in a database. Where applicable, the controller would not delete, but encrypt and archive personal data in order to comply with the Estonian Money Laundering and Terrorist Financing Prevention Act (the “AML Act”). The controller also confirmed during the proceedings that all personal data of the data subject had now been deleted.
In order to prevent these situations in the future, the controller implemented a forced-logout to its user account deletion procedure. Therefore, data subjects did not have to logout themselves anymore to have all their data erased.
Holding
The Estonian DPA determined that the controller violated Article 17 GDPR. It had not deleted the personal data of data subjects because of its own procedural mistakes. The DPA acknowledged that these procedural mistakes had now been solved by the controller, now that all the personal data had been deleted. The DPA closed the proceedings and reprimanded the controller on the basis of Article 58(2)(b) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
FOR DATAPRIVACYAND FREEDOM OF INFORMATION ASUTUSESISESEKS KASUTAMISEKS Märge tehtud: 02.05.2022 Inspektsioon Juurdepääsupiirang kehtib kuni: 02.05.2097 Alus: AvTS § 35 lg 1 p 2,AvTS § 35 lg 1 p 12 IMI - Berlin DPA Yours: nr Ours: {regDateTime} nr {regNumber} Reprimand for failure to comply with the requirements of the General Data Protection Regulation & notice of termination of the proceeding in regard to the protection of personal data RESOLUTION: Reprimand in a personal data protection case in which has violated the following norm arising from the General Data Protection Regulation (GDPR): article 17 Case The Estonian Data Protection Inspectorate (Estonian DPA) received a complaint from via Internal Market Information System. According to the complaint the complainant was unable to exercise his right to have the data deleted. The complainant stated that, despite several appeals, the data was not deleted. The Estonian DPA explained to the controller that processing of personal data is permitted only with the consent of the person or other legal basis abiding from law. In the absence of a legal basis, personal data may not be processed. If personal information processing is not permitted by law, a person has the right to ask for termination of data processing and additionally for deletion of data. Based on the information contained in the complaint, the controller have repeatedly confirmed to the complainant that his personal information was deleted, so logically the controller had no further legal basis to process the complainant's data. Additionally the controller did not explain to the complainant the impossibility of deletion. For above reasons the Estonian DPA started an investigation and asked questions listed with answers below. 1. On what date was the specific personal data of data deleted? Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee Registrikood 70004235with the account.” 5) What is the legal basis for not deleting all the data and encrypting some of it? Please be precise – bring out the legal act, provision, section, reason. s data retention obligations stem from § 47 of the Estonian Money Laundering and Terrorist Financing Prevention Act (the “AML Act”). Under this provisions, is required to retain: - Documents specified in §21, § 22 and §46 of the AML Act (which includes, but is not limited to documentation relating to proof of residence, date of birth, personal identification code), information registered in accordance with § 46 and the documents serving as the basis for identification and verification of persons, and the establishment of a business relationship for no less than five years after the termination of the business relationship; - during the period specified in subsection 1 of § 47, must also retain the entire correspondence relating to the performance of its duties and obligations arising from the and all the data and documents gathered in the course of monitoring the business relationship or occasional transactions as well as data on suspicious or unusual transactions or circumstances which were not reported to the Financial Intelligence Unit. - must also retain the documents prepared with regard to a transaction on any data medium and the documents and data serving as the basis for the notification obligations specified in § 49 of the AML Act for no less than five years after making the transaction or performing the duty to report. - must retain the documents and data specified in subsections 1, 2 and 3 of § 47 in a manner that allows for exhaustively and without delay replying to the enquiries of the Financial Intelligence Unit or, in accordance with legislation, those of other supervisory authorities, investigative bodies or courts, inter alia, regarding whether has or has had in the preceding five years a business relationship with the given person and what is or was the nature of the relationship. - Lastly, deletes the data retained on the basis of § 47 after the expiry of the time limits specified in subsections 1–6 of § 47, unless the legislation regulating the relevant field establishes a different procedure. On the basis of a compliance notice issued by the competent supervisory authority, data of importance for prevention, detection or investigation of money laundering or terrorist financing may be retained for a longer period, but not for more than five years after the expiry of the first time limit.” 6) What exact data are you encrypting and archiving? Is it not possible to anonymize the data and then archive it? ’s compliance department encrypts and archives the data that is required to be retained for AML purposes (documentation relating to proof of residence, date of birth, personal identification code, transaction data), as per the requirements listed in § 47 of the AML Act. 3 (4)The reason why this data is not anonymized is that this data (documentation relating to proof of residence, date of birth, personal identification code, transaction data) has a specific function in relation to our obligations stemming from § 47 of the AML Act - this data is used to duly verify the identity/residence of our users and screen them against a variety of sanctions lists and lists pertaining to politically exposed persons. In turn, as per § 47, should without delay reply to the enquiries of the Financial Intelligence Unit or, in accordance with legislation, those of other supervisory authorities, investigative bodies or courts, inter alia, regarding whether has or has had in the preceding five years a business relationship with the given person and what is or was the nature of the relationship. Anonymizing the above-described data (documentation relating to proof of residence, date of birth, personal identification code, transaction data) is irreversible and would render it impractical or even impossible for to comply with its AML reporting obligations.” Taking into account the fact that the controller did not delete the data subjects data due to their own procedural mistakes the controller breached article 17 stipulated in the General Data Protection Regulation (GDPR). Although the controller has now confirmed that the complainant’s personal data is deleted (besides the data that they are obligated to retain by law), procedural mistakes are solved and the controller has improved its data processes (including deletion), we are closing the proceedings and reprimand on the basis of Article 58 (2) (b) of the GDPR. Best regards lawyer authorised by Director General 4 (4)