IDPC (Malta) - CDP/IMI/LSA/22/2021
IDPC - CDP/IMI/LSA/22/2021 | |
---|---|
Authority: | IDPC (Malta) |
Jurisdiction: | Malta |
Relevant Law: | Article 12(3) GDPR Article 15(1) GDPR Article 15(2) GDPR Article 15(3) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 27.12.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | CDP/IMI/LSA/22/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | IDPC (Malta) (in EN) |
Initial Contributor: | n/a |
In this Article 60 GDPR decision, the Maltese DPA found that a controller failed to reply to an access request within one month as the GDPR foresees, and failed to provide the data subject with a copy of their personal data.
English Summary
Facts
The data subject had made an access request to a controller pursuant to Article 15 GDPR. The controller failed to provide information to the data subject on the action taken on the access request within one month as the GDPR foresees. A data subject initially filed the complaint with the Austrian DPA.
The controller eventually responded after one month and two weeks and sent the lawyer of the data subject an email. The controller requested the data subject to confirm whether the response could be sent means of the service provided by Wetransfer. The Austrian DPA informed the Maltese DPA about the complaint pursuant to Article 56(3) GDPR. The Maltese DPA confirmed it was the lead supervisory authority, as the controller had its main establishment in Malta.
Holding
The DPA noted that when the controller makes personal data available to the data subject, this is deemed to be a processing operation, and therefore, the controller is obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing in terms of Article 32(1) GDPR. Additionally, the DPA highlighted that where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The DPA held that 1) the controller infringed Article 12(3) GDPR, when it failed to provide the complainant with information on the action taken on her subject access request within one (1) month from the date of receipt of the request, and 2) Articles 15(1), 15(2), 15(3) GDPR, when the controller failed to provide the data subject with a copy of her personal data undergoing processing and the information concerning the processing.
The DPA issued a reprimand. Furthermore, the controller was ordered to comply with the request and provide the complainant with the information prescribed under article 15(1)(a) to (h) GDPR and article 15(2) GDPR, and also with a copy of their personal data undergoing processing at the time of submitting the request pursuant to Article 15(3) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Information andData Protection Commissioner CDP/IMI/LSA/22/2021 vs COMPLAINT 1. On the 24 th June 2021, (the “complainant”) lodged a complaint with Österreichische Datenschutzbehörde, the Austrian Supervisory Authority, against 1(the“controller”) pursuant to article77(1) of the General DataProtection 2 Regulation (the“Regulation”). 2. Thecomplainant contended that, on the5 May 2021, shehad exercised theright to access her personal datain accordancewith article 15 of theRegulation. However, thecontroller failed to provide the complainant with information about the action taken within the time-frame stipulated by law. The complainant further argued that shewas not informed if the controller needed an extension to reply to her request. 3. On the22 September 2021, theAustrian Supervisory Authority informed theInformation and Data Protection Commissioner (the “Commissioner”) about thecomplaint pursuant to article 56(3) of the Regulation. Following an assessment carried out by the Commissioner, it was established that the controller has its main establishment in Malta. Thus, the Commissioner proceeded to handlethecaseas thelead supervisory authority. 1 is a private limited company registered under thelaws of Malta with number , havingits registeredaddressat . 2Regulation (EU) 2016/679 of the European Parliamentandof the Councilof 27April2016on theprotectionof natural persons with regardtothe processingof personal data and on the free movement of such data, and repealing Directive95/46/EC (GeneralDataProtectionRegulation). Page1 of 6INVESTIGATION 4. Pursuant to article 58(1)(a) of the Regulation, the Commissioner requested the controller to provide any information which it deemed necessary and relevant to defend itself against the allegation raised by thecomplainant. In terms of this Office’s internal investigation procedure, the controller was provided with a copy of the complaint, together with all the supporting documentation, provided by thecomplainant. 5. On the2 December 2021, thecontroller submitted thefollowing principal legalarguments for theCommissioner, to consider during thelegal analysis of this case: a. that, on the5 May 2021, thecontroller “received an emailfrom thelawfirm ”,where“[t]helawfirm requested accessto personal datafortheplayer ”; b. that the controller failed to comply with the subject access request submitted by the complainant within the stipulated time-frame “due to the massive inundation of data subject access requests that the relevant company has received as of late, thereby not allowing for the company to be able to reply within the stipulated period in this particularcase”; th 3 c. that, bymeans of an emaildated the19 June2021 , thecontroller informed thelawyer acting on behalf of thecomplainant, that her request has been processed and requested confirmation to send therequested dataviaWetransfer; th d. that thecontroller did not receive areply to the email dated the19 June2021, and, as a result, the controller did not provide a copy of the personal data undergoing processing to thecomplainant. 3 The controller provided a copy of the email dated the 19th June 2021 in German (original text) and English (translation). The English translation read “May we send you the requested data via the service provider "WeTransfer"? Page2 of 6LEGAL ANALYSIS AND DECISION TheTiming of theReply 6. The protection of natural persons in relation to the processing of their personal data is a fundamental right recognised by article 8(1) of the Charter of Fundamental Rights of the European Union. Within this context, therights of thedatasubjects as set forth in articles 12 to 22 of theRegulation are thefulcrum of the law, and their roleis absolutely crucial to ensurethe utmost protection of personal data processed by controllers. In this regard, the Commissioner emphasises the importance attributed to the right of access as laid down in article 15 of the Regulation, in particular, its special feature, which is derived from the fact that it is often a means, prerequisite or condition to enable data subjects to oversee and control their personal 4 data,andconsequently,exerciseotherdatasubjects,suchastherighttoerasureorrectification . 7. Theright of access as enshrined in article15 of theRegulation contains three(3) components: (i) confirmation of the processing of personal data; (ii) information about theprocessing itself; and (iii) access to a copy of personal data undergoing processing. Article 15(1) of the Regulation enables the datasubject to “obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data”, as well as other supplementary information pursuant to article 15(1)(a) to (h) and article 15(2) of the Regulation. Further to this, article 15(3) of the Regulation, which is more prescriptive, states that “the controller shall provide a copy of the personal data undergoing processing”. 8. In this connection, article 12 of the Regulation ensures that substantive rights of data subjects are safeguarded by establishing clear, proportionate and effective conditions as to how and when data subjects shall exercise their rights. For this reason, article 12 of the Regulation provides themodalities for theexerciseof thedatasubjects’rights and establishes an obligation upon thecontroller to facilitate the exerciseof theserights. 9. In particular, article 12(3) of the Regulation aims at ensuring the efficient exercise of information and access rights, and obliges the controller to “provide information on action 4CJEU, C-434/16, Nowak,para.56 Page3 of 6 taken on a request under Articles 15 to 22 to thedata subject without undue delay and in any event within onemonth of receipt of therequest”. Within this set timeframe, thecontroller shall either (i) comply with therequest; (ii) extend thedeadlineto two(2) furthermonths andprovide the reasons for such extension; or (iii) refuse to act on therequest in terms of article 12(5)(b) of theRegulation and inform thedatasubject accordingly. 10. On this aspect, with particular reference to the handling of data protection requests, the 5 European DataProtection Board emphasisesthat “[t]hecontrollershall react and, asa general rule, provide the information under Art. 15 without undue delay, which in other words means that the information should be given as soon as possible. This means that, if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so”. 11. After assessing the circumstances of the case, the Commissioner determined that, on the 5 th May 2021, thecomplainant exercised her right to access her personal data pursuant to article nd 15 of theRegulation. In thesubmissions provided to this Office on the 2 December 2021, the controller declared that it had contacted the lawyer of thecomplainant on the 19 June 2021 and that “due to the massive inundation of data subject access requests that the relevant companyhasreceived asof late,therebynot allowingforthecompanytobeabletoreplywithin the stipulated period in this particular case”. Thus, the Commissioner established that the controller failed to provide information to thecomplainant on the action taken on the request to access her personaldatawithin one (1) month of receipt of therequest. Making theinformation available 12. In theemail dated the 19 June2021, thecontroller informed thecomplainant that her request has been processed and requested thecomplainant to confirm whether the response could be sent by means of theserviceprovided by Wetransfer. 13. For this purpose, the Commissioner analysed article 12(1) of theRegulation, which establishes that the information shall be provided, where appropriate, by electronic means, in conjunction withtheprinciple ofintegrity and confidentiality assetforthin article5(1)(f)oftheRegulation. 5EDPB Guidelines 01/2022 ondatasubjectrights -Rightofaccess-Version1.0- Adoptedon18January2022 –Paragraph156 Page4 of 6 14. In this regard, the Commissioner noted that when thecontroller makes personal data available to the datasubject, this is deemed to bea processing operation, and therefore, thecontroller is obliged to implement appropriate technical and organisational measures to ensure a level of security appropriateto therisk of theprocessing in terms of article32(1) of theRegulation. In addition, the Commissioner considered article 15(3) of the Regulation, which states that where the datasubject makes therequest by electronic means, and unless otherwise requested by thedatasubject, theinformation shall beprovided in a commonly used electronic form. 15. The Regulation does not specify what is acommonly used electronic form, and thus, there are several conceivable formats that could be used by thecontroller. However, it is important to ensure that the format must enable the information to be presented in a way that is both intelligible and easily accessible. This naturally means that when the controller chooses the means of how to transmit the electronic file to the data subject, thecontroller shall ensure that thedatasubject is able to download theinformation in a commonly used electronic form. 16. Furthermore, recital 63 of the Regulation establishes that “[w]here possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his orher personal data”. 17. It therefore follows that it is theresponsibility of thecontroller to decide about the appropriate form in which the personal datashall be provided to thedatasubject and this is also in light of theaccountability principle as held in article5(2) of theRegulation. Onthebasisoftheforegoingconsiderations,theCommissionerherebydecidesthatthecontroller infringed: i. article 12(3) ofthe Regulation, when it failedto provide the complainant with information on the action taken on hersubject access request within one (1) month from the date of receipt of request; and ii. article 15(1), article 15(2) and article 15(3) of the Regulation, when it failed to provide the complainant with a copy of herpersonal data undergoing processing andthe information concerning theprocessing. Page5 of 6By virtue of article 58(2)(b) of the Regulation, the controller is hereby being served with a reprimand. Furthermore, in terms of article 58(2)(c) of the Regulation, the controller is hereby being ordered to comply with the request and provide the complainant with the information prescribedunderarticle 15(1)(a) to (h) and article 15(2) of the Regulation and also with a copy of herpersonal dataundergoing processing atthe time of submittingthe request pursuant to article 15(3) thereof. The controller shall comply with this order within ten (10) days from the date of receipt of this legally binding decision. Non-compliance with the order of the Commissioner within the stipulated timeframe shall result in the imposition of an administrative fine in terms of article 83(6) of the Regulation. In terms of article 26(1) of the DataProtection Act (Cap. 586 of the Laws of Malta), any party to this decision shall have the right to an effective judicial remedy by filing an appeal in writing before the Information and Data Protection Appeal Tribunal within twenty (20) days from the service of this 6 decision . Digitallysigned (Signature)ate: 2022.12.27 (Signature) 12:45:50 +01'00' Information andData Protection Commissioner 6MoreinformationabouttheTribunalandtheappeals procedureis accessibleonhttps://idpc.org.mt/appeals- tribunal/ Page6 of 6