CNIL (France) - Unknown: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=Unknown |ECLI= |Original_So...")
 
 
Line 68: Line 68:


=== Facts ===
=== Facts ===
A data subject wished to exercise his right to erasure under Article 17 regarding two customer accounts linked to him with a company (controller). He claimed that he was forced to provide an identity document to make his request and that he did not receive confirmation that his requests had been taken into account. This led him to lodge a complaint with his local DPA (in Germany). The controller's DPO informed the German DPA that the data subject's requests for erasure of his personal data had been taken into account and that the data subject had been informed.
A data subject wished to exercise his right to erasure under Article 17 regarding two customer accounts linked to him with a company (controller). He claimed that he was forced to provide an identity document to make his request and that he did not receive confirmation that his requests had been taken into account. This led him to lodge a complaint with his local DPA (in Germany).


In accordance with Article 56(1) and Article 60, the German DPA transferred this complaint to the French DPA, the CNIL.  
In accordance with Article 56(1) and Article 60, the German DPA transferred this complaint to the French DPA, the CNIL. During the proceedings, the controller explained that this type of identity verification - through the user's ID document - was systematically required when the data subject exercised their rights via the website form. 


The CNIL exchanged with the controller's DPO, who explained the following: Concerning the prior communication of the identity document, it was systematically required when the data subject used the form available on the controller's website to make his request without logging into his personal account. In this particular case, there was an error in the redirections that led the data subject to this form. The DPO reported that he rose staff's awareness in this respect. The controller also now placed a notice under the form inviting customers to log in to their personal account so that they do not have to prove their identity.
In this particular case, instead of being redirected to his personal account, from within which he could have exercised his erasure request, the data subject had been wrongfully routed into another ID verification process. The controller's DPO reported that he had already risen staff's awareness in this respect. The controller also now placed a notice under the online form inviting customers to log in to their personal account so that they do not have to prove their identity.  


=== Holding ===
=== Holding ===
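Review bot: the rewritten first paragraph of Facts drops the sentence stating that the controller's DPO informed the German DPA that the erasure requests had been taken into account and that the data subject had been informed, so the new text no longer says what became of the complaint about the missing confirmation; consider keeping that sentence. In the new third paragraph, "had already risen staff's awareness" should read "had already raised staff awareness", and "also now placed" reads better as "has also now placed".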

Latest revision as of 17:43, 15 February 2023

CNIL - Unknown
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 17 GDPR
Article 56(1) GDPR
Article 60 GDPR
Type: Complaint
Outcome: Other Outcome
Started:
Decided: 26.07.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: Unknown
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: ls

The CNIL decided to close a complaint related to the right to erasure following the measures taken by the controller to prevent this situation from arising again.

English Summary

Facts

A data subject wished to exercise his right to erasure under Article 17 regarding two customer accounts linked to him with a company (controller). He claimed that he was forced to provide an identity document to make his request and that he did not receive confirmation that his requests had been taken into account. This led him to lodge a complaint with his local DPA (in Germany).

In accordance with Article 56(1) and Article 60, the German DPA transferred this complaint to the French DPA, the CNIL. During the proceedings, the controller explained that this type of identity verification - through the user's ID document - was systematically required when the data subject exercised their rights via the website form.

In this particular case, instead of being redirected to his personal account, from within which he could have exercised his erasure request, the data subject had been wrongfully routed into another ID verification process. The controller's DPO reported that he had already raised staff awareness in this respect. The controller has also now placed a notice under the online form inviting customers to log in to their personal account so that they do not have to prove their identity.

Holding

Taking into account the explanations provided by the DPO and the measures that were already in place, the CNIL decided that the chance of a repetition of such facts had been averted and therefore closed the complaint.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.