IDPC (Malta) - CDP/IMI/LSA/17/2022

From GDPRhub
Revision as of 16:31, 8 November 2022 by Kv (talk | contribs) (Grammar and sentence construction)
IDPC - CDP/IMI/LSA/17/2022
LogoMT.jpg
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 12(1) GDPR
Article 12(3) GDPR
Article 17(1) GDPR
Article 17(3) GDPR
Article 56 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started: 28.05.2020
Decided: 28.02.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: CDP/IMI/LSA/17/2022
European Case Law Identifier: EDPBI:MT:OSS:D:2022:340
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In a Article 60 GDPR procedure, the DPA of Malta reprimanded a controller (Article 58(2)(b) GDPR) for requesting the data subject to sign an agreement in order to process his erasure request. The controller also had to reply to the request (Article 58(2)(d) GDPR).

English Summary

Facts

The data subject stated that he opened an account with the controller in October 2019 to carry out operations on the stock market. He stated that in December 2019, he requested the controller to close his account. However, the controller did not close his account and still send him messages. The controller also requested the data subject to sign an agreement in order to close his account, because this agreement had not been signed upon subscription. The data subject also stated that one day before he submitted his complaint at the DPA, he received a document from the controller’s external auditor. In his document, not only his personal data were shown, but also data of other customers, including postal addresses, (sir)names and account balances.

The DPA determined that is was actually on 23 February 2020 when the data subject requested the controller to close his account and unsubscribe him from e-mail notifications. The controller replied on 24 May 2020 describing the procedure to unsubscribe from e-mail notifications. The data subject answered the same day stating that he was not able to close his account using this procedure.

On 26 May 2020 the controller asked the data subject to sign and return the subscription agreement, because this agreement had not been signed upon subscription. The data subject replied that he was still receiving e-mails despite the fact he had requested the controller to remove him from its server. The controller then replied that when the data subject would sign the agreement, the controller would close the account and would not receive any e-mails. The data subject rejected and stated that the controller had already said that the account would be deleted, which apparently had not happened yet.

On May 27 2020, the data subject also received a document from the controller’s external auditor. In this document, not only the data subject’s balances were shown, but also those of third parties.

The data subject submitted a complaint at the Spanish DPA against the controller. The Spanish DPA transferred the case to the information and data protection commissioner of Malta (DPA), which decided to handle the case as lead supervisory authority pursuant of Article 56 GDPR. Therefore, the DPA handled the complaint in terms of Article 60 GDPR and started an investigation into the controller.

During the investigation, the controller stated that is was a company performing investment services and was therefore subject to various obligations. The controller stated that is was subject to a yearly audit by an independent third party. The processing of personal data was necessary to comply with this legal obligation. The controller made specific reference to Article 17(3)(b) GDPR and stated that it had not deleted all the data to comply with its legal obligation, despite the erasure request of the data subject. The controller further stated that it was obligated to keep personal data to comply with its obligations to prevent money laundering. The controller also determined that its request for the data subject to sign the subscription agreement had nothing to do with the erasure request and was also necessary to comply with its legal obligations. The controller acknowledged the data subject's right for erasure, but stated that none of the grounds under Article 17(1) GDPR applied in this case.

In an answer to a follow up request from the DPA, the controller specified that it relied on Article 6(1)(c) GDPR for its processing. It also provided a 'Operation Department manual procedure', which contained the procedure for handling of erasure requests, and its 'compliance manual'. The controller also reiterated that it asked the data subject to sign the contract but that the data subject rejected this. The controller also provided screenshots to prove that it closed the account of the data subject.

Holding

Document containing personal data of third parties

The DPA held that data subjects could only lodge complaints with a supervisory authority if the possible infringing processing concerns the data subject (Article 77(1) GDPR). This part of the complaint was dismissed since it only concerned personal data of third parties disclosed in the document. The data subject was not affected by this. However, the DPA reserved the right to start a separate investigation on this alleged data breach.

The DPA proceeded to examine the erasure request and the timing of the request, pursuant of Article 57(1)(f) GDPR.

Erasure request

The DPA held that the controller must delete personal data without undue delay when a request is made pursuant of Article 17 GDPR. However, this is different when Article 17(3) GDPR applies, which describes that Article 17(1) and 17(2) do not apply when processing is necessary for certain, specific purposes or compelling requirements described in these provisions. The DPA continued by stating that Article 17(3)(b) GDPR states that the right of erasure does not apply when the controller has a legal obligation to process data for a task in the public interest or in the exercise of official authority vested in the controller.

The DPA agreed with the controller that it had to keep the personal data to comply with national law, specifically Subsidiary Legislation 373.01. Article 13(2) of this national regulation states that under certain conditions, specific data must be retained for 5 years. The DPA determined that the controller was subject to this provision.

Because the data subjects account had been closed on 26 May 2020, the 5 year period had not elapsed at the time that the data subject filed his complaint at the DPA. Therefore, the DPA concluded that Article 17(1) GDPR did not apply did not apply because the processing was necessary to comply with the legal obligation in Article 13(2) of S.L. 373.01.

Timing of the request

The DPA determined that the controller violated Article 12(3) GDPR, because it failed to provide the data subject with information on action taken regarding the erasure request within one month of the receipt of the request. Instead, it had requested the data subject to sign the subscription agreement. The DPA stated that any failure on the controller’s part to fulfil its own procedural obligation, in this case the signing of the subscription agreement, shall be independent and shall have not effect on the exercise of data subject’s data protection rights.

The DPA also determined that the controller did not follow its own guidelines (described in the 'Operations department manual') on how to handle erasure requests, which was an indicator that the controller had acted negligently when the request was not handled in a timely manner, as prescribed in Article 12(3) GDPR. The DPA also referred to the WP29 Guidelines 17/EN WP 253 (p. 12) to support its argument.

The DPA reprimanded the controller pursuant of Article 58(2)(b) GDPR and held that in case of a similar infringement in the future, the DPA would impose a fine. The DPA also ordered the controller to provide an answer to the erasure request, pursuant of Article 58(2)(d) GDPR. This reply had to be provided in a concise, transparent, intelligible an easily accessible form, using clear and plain language, in particular by including information relating to specific regulation which obligates the controller to store personal data for the specific timeframe (Article 12(1) GDPR).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.