IDPC (Malta) - CDP/COMP/344/2022
| IDPC - CDP/COMP/344/2022 | |
|---|---|
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 4(7) GDPR, Article 5(2) GDPR, Article 12(1) GDPR, Article 12(3) GDPR, Article 15(1) GDPR, Article 15(3) GDPR, Article 24(1) GDPR, Article 24(2) GDPR, Article 38(1) GDPR, Article 39(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 50000 EUR |
| Parties: | n/a |
| National Case Number/Name: | CDP/COMP/344/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | IDPC (in EN) |
| Initial Contributor: | Sainey Belle |
A controller was fined €50,000 for failing to comply with a data subject rights request, failing to provide a compliant data protection policy and failing to ensure appropriate internal measures for the handling of personal data.
English Summary
Facts
The complainant submitted an access request under Article 15 GDPR on behalf of her son (the data subject). The data subject attended a school which provides therapy sessions. As part of the curriculum, the therapists assess the data subject at the beginning of the year and set goals for them. At the end of the year, these goals are reviewed and a report is created, which is stored on the data subject's file.
Intending to access the report, the complainant submitted the access request directly to the therapists. A response was not received from either therapist. Over the next few weeks, the complainant encountered a number of delays from the school, including back and forth emails with the school’s Director, which culminated in the report being provided 5 weeks after the initial request was made.
The following complaints were submitted to the DPA.
- The data subject request was not complied with within the 30-day timeframe.
- The controller's privacy policy was not easily accessible and contained a number of shortcomings.
- It was not clear whether the Director was a controller under Article 4(7) GDPR.
- There is no process outlining how the controller handles data subject rights requests.
Holding
Whether the Director can be considered the controller within the meaning of Article 4(7) GDPR. The Commissioner analysed the requirements under Article 4(7) GDPR and Article 5(2) GDPR, together with the EDPB Guidelines 07/2020 on the concepts of controller and processor, and held that it was clear that even if a specific natural person is appointed to ensure compliance with data protection rules, they act on behalf of the legal entity, which is ultimately responsible in its capacity as a controller in case of infringement of the rules.
Failure to adhere to the 30-day deadline. According to the complainant, the request was made on 24.05.2022; the controller, however, argued that the request was made on 10.06.22, when the complainant got in touch with the Director requesting a follow-up. It was held that, even though the complainant did not submit the request through the email address provided in the data protection policy, the request was still valid on the date it was sent to the therapist, who dealt with the data subject on a daily basis. As per the EDPB Guidelines 01/2022 on the exercise of data subject rights, a controller may not be required to respond to a request made to an employee who is not involved in the processing of data subject requests if it has clearly provided the data subject with an appropriate communication channel; however, a request is not considered random if the data subject contacts an employee who has been assigned to them as their regular contact person.
Since the request was submitted on the date the complainant first got in touch with the therapists, it was held that the controller failed to adhere to the one-month deadline established in Article 15 GDPR. Furthermore, no explanation for the delay was provided to the complainant. In addition, Article 12 GDPR requires that the rights of data subjects be safeguarded by establishing clear, proportionate and effective conditions as to how and when data subjects shall exercise their rights.
Access to the data was also not facilitated, because the controller would only release the information if a therapist explained the data contained in it. Per Article 12(1) GDPR, the controller must provide individuals with information regarding the processing of their personal data in writing, or by other means, including electronic means where appropriate. In addition, per Article 15(3) GDPR, where the data subject makes a request by electronic means, the information should be provided by those means.
The privacy policy had a number of shortcomings. In the complaint, the complainant also highlighted that the privacy policy was missing key terms required per Article 13 GDPR. Aside from the identity of the controller, this included: a lack of clarity on the categories of personal data concerned and the identity of the data subject, the legal basis or purpose of processing (including whether or not special categories of data are included, which they were), and a lack of clarity on the exercise of data subject rights and on retention timelines (the policy only referred to an internal guideline which was not published on the controller's website).
The commissioner stressed that the controller should be held accountable in relation to the transparency of the processing of personal data throughout the processing life cycle. After examining the contents of the policy, they held that it did not contain the minimum information which shall be provided to data subjects.
In addition, there were no internal policies on the appropriate handling of personal data binding on all employees handling personal data, contrary to Article 24(1)-(2) GDPR and Article 32(4) GDPR. It is crucial that controllers take active responsibility for ensuring compliance and for fostering a culture of accountability. The controller should have a training procedure in place for all employees responsible for handling personal data, in order to foster a culture of data protection and raise awareness among employees about their responsibilities, in line with Article 39(1) GDPR on the role of the DPO. In order to ensure that data is protected in accordance with the Regulation, comprehensive training is an essential tool for reducing delayed responses and missed deadlines.
In addition to the above, the Commissioner also held that, due to the lack of internal processes, the therapists did not involve the DPO in the initial request, contrary to Article 38(1) GDPR. In a Belgian case it was held that the DPO's role is of crucial importance in terms of consultation; the DPO should not merely be informed on matters relating to data protection.
The controller was ordered to revise the data protection policy on its website to comply with Article 13 GDPR and to establish an internal data protection policy per Article 24 GDPR. The Commissioner also imposed a fine of €50,000, with an additional €50 for each day the violation persists.
Comment
This case touches on a number of important data protection concepts that tend to be overlooked by controllers and processors. Data protection should not be an afterthought, and DPOs are not a mere formality; their role is of particular importance to an organisation.