IDPC (Malta) - EDPBI:MT:OSS:D:2019:70

From GDPRhub
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 15 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.10.2019
Published:
Fine: 8000 EUR
Parties: n/a
National Case Number/Name:
European Case Law Identifier: EDPBI:MT:OSS:D:2019:70
Appeal: Not appealed
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

The Maltese supervisory authority fined a bank €8000 for failing to respond to an access request.

English Summary

Facts

The complainant requested access to her personal data but did not obtain a response from the controller (a bank). Upon investigation by the Maltese DPA (IDPC), the controller initially claimed that a response had been provided to the complainant. On further investigation, however, the controller admitted that the response had never been sent. According to the controller, the response was not sent because an individual employee had applied a restrictive security classification ("Internal only") to the mailbox used to correspond with the complainant, which blocked outbound mail. The controller also found that this employee had left the company without a proper hand-over of the case to another employee.

Holding

The IDPC considered that the controller did not have adequate procedures in place to deal with access requests which resulted in the complainant actually being deprived of her right to access her data within the time-frame stipulated in the GDPR.

Comment

This is a relatively high fine compared to other decisions on a failure to comply with the right of access to personal data.

The decision is also notable because it was made in a cross-border situation through the one-stop-shop mechanism (the complaint was lodged with the Polish DPA and handled by the IDPC), and the other authorities concerned did not raise objections to the IDPC's decision.

Further Resources


English Machine Translation of the Decision

The decision was issued in English; the text below is a transcription of the original. Please refer to the original source for more details.

Information and Data Protection Commissioner

Vs

COMPLAINT


Reference is made to the complaint (registered internally with file number CDP/IMI/LSA/17/2019) received from the Polish Office for Personal Data Protection concerning           ("the complainant") who is alleging that           ("the controller" or "        ") breached her data protection rights, as enshrined under the General Data Protection Regulation ("GDPR" or the "Regulation").[1] The complainant contended that the controller did not comply with her right of access request in terms of Article 15 of the GDPR within the established thirty (30) days' time frame.

From the information provided by the complainant, it transpires that she filed her right of access request on the 3rd of October 2018 and that on the 5th February 2019, the date when she filed the complaint with the Polish DPA, the controller had not yet provided her with a reply.


INVESTIGATION

As part of the investigation process, on the 26th of July 2019, through an email, the Commissioner requested the controller to put forward their submissions on the allegation raised by the complainant. The submissions, which were received through an email on the 9th of August 2019, contained a letter that supposedly was sent to the complainant on the 4th of October 2018, the day after the complainant's request was received by           , together with the file containing the copy of her data. As this letter was in the Polish language, the Commissioner kindly requested the controller to provide an English translation.

On the 12th of August 2019, the Commissioner was informed, through an email, that while working on the English translation,           realised that neither the letter nor the file containing the personal data was ever sent to the complainant, due to (verbatim) "a wrong use of the security classification settings by the           's employee with access to the mailbox (           ) used to correspond with the said customer [the complainant]". The security classification was set to be "Internal only". This setting does not allow communications to be sent outside the organization's network domain.

[1] Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Airways House, Second Floor, High Street, Sliema SLM 1549, MALTA. Tel. +356 2328 7100, idpc.info@idpc.org.mt, www.idpc.org.mt


Following an internal investigation on this matter, the controller found out that (verbatim) "after internal organizational changes the person in charge of this particular customer request left the company without concluding the case and ensuring that a reply was properly sent to the customer. For this reason, the file containing the list of personal data processed by [          ] has not reached the customer, together with the usual letter sent to customers following a Data Subject Access Request".

The same day the error on the email setting was discovered, meaning on the 12th August 2019, in order to immediately address the incident,           sent the complainant another email apologising for the late reply, attaching a letter giving details about the processing of personal data, together with the requested information in the form of a PDF file.

On the 13th of August, the Commissioner requested a copy of the above-mentioned email and attached PDF file, as evidence that action had been taken in that regard. The copy was eventually received on the 14th August 2019.

The controller was further requested, through an email dated 19th August 2019, to put forward further submissions on the organizational and security measures implemented following this incident, to prevent a similar incident from occurring again. From this submission, received on the 23rd August 2019, it transpires that           has now extended its backup continuity procedure to ensure that customers' requests to exercise their rights under the GDPR are addressed promptly, (verbatim) "The procedure is designed to ensure an adequate follow-up and mirroring of the tasks within the Customer Service Unit. All the customer requests are now followed-up by two persons, one being the main contact (principal) and a second person following the correspondence as a back-up, with the capability to intervene when the principal is not capable of doing so. The principal is a senior Customer Service Agent while the "back-up" is either a Senior Team Member or a senior customer service officer having experience and knowledge on the various internal procedures regarding the types of requests received at by the Customer Services team. In case the first contact is away, sick or unavailable, the back-up is able to take over the tasks if these are not finalized or achieved, thereby closing off the customer requests without impacting the customer negatively. Controls and checks have been integrated within the process in order to avoid such an incident from occurring again in the future".

DECISION


On the basis of the foregoing the Commissioner considers that           did not have adequate procedures in place to deal with subject access requests, resulting in the complainant actually being deprived of her right to access her data within the timeframe stipulated within the Regulation. Consequently, the data controller is found to be in violation of Article 15 of the GDPR.

After having taken into consideration:

        the controller's degree of cooperation with this Office;

        that the controller took immediate action to comply with the complainant's request as soon as the error in the security settings of the mailbox used to communicate with the complainant was discovered;

        that the controller now has in place a better procedure introducing measures to improve the process to deal with the customers' requests to exercise their rights under the GDPR and to keep within the legal timeframes;

and also giving due regard to the circumstances contemplated under Article 83.2 of the GDPR and taking into account Article 83.1,           is hereby being served with an administrative fine of eight thousand euros (€ 8,000).

The administrative fine shall be paid to the Commissioner within twenty-five (25) days from receipt of this decision.

In addition,           is hereby being instructed to implement the appropriate technical measures to further enhance the measures already in place.

A copy of this decision is also being sent to the Polish Office for Personal Data Protection.

Information and Data Protection Commissioner

Today, the           day of October, 2019