Commissioner (Cyprus) - 11.17.001.009.232

From GDPRhub
Revision as of 11:17, 6 February 2024 by Mg (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Commissioner - 11.17.001.009.232
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 12(3) GDPR
Article 17 GDPR
Article 24(1) GDPR
Article 58(2) GDPR
Type: Complaint
Outcome: Upheld
Started: 18.09.2021
Decided: 07.09.2023
Published: 24.01.2024
Fine: n/a
Parties: Freedom Finance Europe Ltd
National Case Number/Name: 11.17.001.009.232
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: Commissioner for Personal Data Protection (in EN)
Initial Contributor: nikolaos.konstantis

The Cypriot DPA reprimanded the controller, Freedom Finance Europe Ltd, fro breaching Article 12(3) GDPR, since it failed to notify the data subject that her erasure request was satisfied, as well as Article 24(1) GDPR, given that the controller should have implemented appropriate measures to tackle GDPR requests.

English Summary

Facts

A data subject made a request for the deletion of her data with Freedom Finance Germany TT GmbH, a subsidiary of Freedom Finance Europe Ltd (the controller). Since the data subject never got a reply, she requested again the erasure of her data.

Having not received a reply again; the data subject filed a complaint with the German DPA against the controller regarding the non-fulfilment of her right to erasure. However, given that the controller has its main establishment in Cyprus, under Article 60 GDPR, the complaint was transmitted to the Cypriot DPA as the lead supervisory authority in line with Article 56 GDPR.

The Cypriot DPA requested the controller its views on the matter and proof that the complainant's personal data had been deleted, which the controller confirmed to have done after it was notified of the complaint. Additionally, the controller explained that it was not aware of the data subject’s erasure request since the data subject contacted the email used for initial customer communication and not the appropriate email address of the DPO.

Holding

The DPA held that the controller should have informed the data subject, under Article 12(3) GDPR, in a clear and concise manner and without undue delay that her erasure request was satisfied.

Moreover, considering that at the time of the data subject's first erasure request, the GDPR had been enforced for more than two years, the controller should have had in place appropriate measures to comply with data subject rights set out in Articles 15 to 22 of the GDPR. Pursuant to Article 24(1) GDPR, the controller should have implemented appropriate technical and organisational measures to ensure that all emails received relating to data subject rights would be acknowledged without further delay.

On the basis of the infringements found and considering that the controller satisfied the erasure request after being notified of the complaint, the DPA issued a reprimand to the controller under Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

ur ref.: 11.17.001.009.232 7 September 2023
Decision
Failure to Fully Comply to an Erasure Request by Freedom Finance Europe
Ltd
1. A complaint was lodged with the Federal Commissioner for Data Protection
and Freedom of Information in Germany (Berlin SA) against Freedom Finance
Europe Ltd (the Controller), whose main establishment is in Cyprus. Moreover,
the complaint was subsequently transmitted to the Office of the Commissioner
for Personal Data Protection (Cyprus SA) on 18/9/2021, in line with Article 56 of
the General Data Protection Regulation.
2. On the basis of the above, the Commissioner for Personal Data Protection
(the Commissioner) is acting as the lead authority in this matter. In the course of
the investigation, other EU countries were identified as being concerned by this
case.
Description of the case
3.1. The complaint involved the Controller’s failure to comply with the
complainant’s erasure request (article 17 of the GDPR) submitted to Freedom
Finance Germany TT GmbH in Germany which is a subsidiary of the Controller.
3.2. In her complaint, the complainant stated that she initiated a registration
process, through the Controller’s webpage (https://freedomfinance.eu/), but did not
complete the verification required. Following this, she sent an email on
26/01/2021 at clients@freedom24.com requesting the deletion of her data.
3.3. On 10/02/2021 she sent a reminder to the same email address and on
15/2/2021 she got a reply from an investment consultant of Freedom Finance
Germany TT GmbH, informing her that the verification process was not
completed and asking her whether she needed any assistance. She replied back
the same day, requesting again the deletion of her data, together with a
corresponding email confirmation. As she claims, she never got a reply.
3.4. Upon receiving the complaint, the Berlin SA requested the views of the
subsidiary in Germany on 22/6/2021. The Berlin SA received a reply by the
subsidiary on 22/07/2021, through which they were informed, the following:
a) the complainant’s emails were lost, and therefore not answered, due to
the abundance of communication via email address
clients@freedom24.com,
b) the complainant’s personal data that were processed were her name and
email address,
c) the data were processed for the purpose of opening a demo account, and
by opening a demo account, the data subject agreed to the Controller’s
General Terms and Conditions and consequently to the data processing,
d) the complainant’s data was deleted immediately upon receipt of the Berlin
SA’s letter.
e) the complainant’s erasure request was not sent to the appropriate email
address. More specifically, the email address clients@freedom24.com, is
used for initial customer communication, to which the DPO does not have
access. Additionally, data protection enquiries should be sent to email
address info@ffineu.eu or to the DPO’s direct email address
dpo@ffineu.eu, as it is clearly stated in the Privacy Policy.
Investigation by Cyprus SA
4.1. The Commissioner’s Office contacted the Controller on 19/4/2022, and
requested their views on the matter raised by the complainant as also proof that
the complainant’s personal data had been deleted.
4.2. In their reply, the Controller confirmed that the complainant’s personal data
was deleted on 25/6/2021 and provided proof in the form of a screenshot from
the relevant database, which was deemed satisfactory. The Controller also
provided the relevant email communication where the complainant was informed
of the erasure. It is noted that the email was dated 25/4/2022, i.e. after the
reception of the email from the Commissioner’s Office.
4.3. The privacy policy, which can be found on the Controller’s website, clearly
states the appropriate email to be used for data protection matters. Despite this,
the complainant sent her requests to an email that is used for initial customer
communication and receives a large number of emails daily.
Preliminary Decision
5. On 31 May 2023, the Commissioner issued a Preliminary Decision regarding
the controller’s failure to notify the complainant of the erasure of his data. In the
said Preliminary Decision, the Commissioner concluded that
a. Although it is evident that the controller did not have any intention of not
satisfying the complainant’s request, the controller did not notify the
complainant of the erasure of his data within the timeframe set in Article
12(3) GDPR.
b. The Controller should have implemented appropriate technical and
organizational measures to ensure that all emails received by employees
relating to data subject rights are acknowledged without further delay in
accordance with Article 24(1) GDPR.
6. The controller’s legal representative responded on 26 June 2023 to the
Preliminary Decision and stated, inter alia, that:
a. The personal data concerned, only included the name and email address
of the complainant and was not submitted to further processing other than
the initial registration.
b. Instead of sending his request to the email addresses mentioned in the
privacy policy, the complainant used the German subsidiary's email
address clients@freedom24.com along with the personal email of one of
the employees of the German subsidiary.
c. With the deletion of said data the complainant did not have access to his
profile thus it can reasonably be assumed that the controller provided the
complainant with a clear message that the data was deleted.
d. The inadvertent mistake of the employees of the German subsidiary is
found in not forwarding the deletion request to the relevant employees in
time.
7. In addition to the above, the controller’s legal representative included the
following mitigating factors to be taken into account by the Commissioner:
a. the nature, gravity and duration of the breach, taking into account the
nature, extent or purpose of the relevant processing, as well as the
number of data subjects affected by the breach and the degree of damage
suffered by them.
b. The absence of any element that implies bad intentions from the controller
towards the complainant.
c. The absence of any precedent at the expense of the controller.
d. The absence of any benefit ultimately derived by the controller from the
alleged infringement.
e. The immediate compliance with the complainant’s request once received
from a non-generic corporate e-mail.
f. the non-notification of the action to the complainant was an isolated event
that, in the light of the company's experience, the procedure has now
been modified as the Commissioner states in her letter to prevent it from
happening again.
g. the full cooperation with the competent Control Authority to remedy the
violation and limit its possible adverse effects.
h. the intention compliance by immediately improving the company's
regulations in order to prevent a recurrence of the incident.
Legal framework
8.1. Article 12: Transparent information, communication and modalities for
the exercise of the rights of the data subject.
Pursuant to article 12(3) of the GDPR The controller shall provide information on
action taken on a request under Articles 15 to 22 to the data subject without
undue delay and in any event within one month of receipt of the request. That
period may be extended by two further months where necessary, taking into
account the complexity and number of the requests. The controller shall inform
the data subject of any such extension within one month of receipt of the
request, together with the reasons for the delay. Where the data subject makes
the request by electronic form means, the information shall be provided by
electronic means where possible, unless otherwise requested by the data
subject.
8.2. Article 17: Right to erasure (‘right to be forgotten’)
“1. The data subject shall have the right to obtain from the controller the erasure
of personal data concerning him or her without undue delay and the controller
shall have the obligation to erase personal data without undue delay where one
of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for
which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based
according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there
is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there
are no overriding legitimate grounds for the processing, or the data subject
objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in
Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information
society services referred to in Article 8(1).
…”
8.3. Pursuant to article 24(1) of the GDPR Taking into account the nature,
scope, context and purposes of processing as well as the risks of varying
likelihood and severity for the rights and freedoms of natural persons, the
controller shall implement appropriate technical and organisational measures to
ensure and to be able to demonstrate that processing is performed in
accordance with this Regulation. Those measures shall be reviewed and
updated where necessary.
8.4. Pursuant to Article 58(2) GDPR, Each supervisory authority shall have all
of the following corrective powers:
…(b)to issue reprimands to a controller or a processor where processing
operations have infringed provisions of this Regulation;
…(i) to impose an administrative fine pursuant to Article 83, in addition to, or
instead of measures referred to in this paragraph, depending on the
circumstances of each individual case;
Views of the Commissioner
9. Firstly, following the controller’s claim in paragraph 6(c), I consider that it
cannot be assumed that the inability of the complainant to sign in to this account,
is considered as a notification that his erasure request was satisfied.
Furthermore, the information provided following Article 12(3) GDPR should be
transmitted in a clear and concise manner.
10. After reviewing the information provided by the controller’s legal
representative, in their response to my Preliminary Decision, specifically the fact
that the controller appreciates that there was a lack of appropriate attention to
the complainant’s request, I consider that the controller understands that the
request could have been satisfied from the first instance if the support staff was
properly trained in tackling GDPR requests in a timely manner. I also consider
that the controller did not intend to act in a way that would negatively affect the
complainant’s rights and freedoms.
11. Despite this, considering that the GDPR had been enforced for more than 2
years at the time of the complainant’s first erasure request, the controller should
have had the appropriate measures in place for at least satisfying data subject
rights set out in Articles 15 to 22 of the GDPR. Moreover, the complainant should
have been informed of the satisfaction of his request without delay.
Decision
12. Having regard to all the above information, and based on the powers vested
in me by Articles 58 and 83 of Regulation (EU) 2016/679 and article 24(b) of
National Law 125(I)/2018, I conclude that there is an infringement by Freedom
Finance Europe Ltd of Article 12(3) and 24(1) of the GDPR, for the reasons
mentioned above.
13. Moreover, following an infringement of Article 12(3) and 24(1) GDPR, as
explained above, under the provisions of Article 83 of the GDPR, I take into
account the following mitigating (1-3) and aggravating (4-6) factors:
1. That there is no previous violation by the controller of the GDPR.
2. The controller satisfied the erasure request as soon as the mistake was
realised.
3. The measures taken after the incident to ensure that all staff is appropriately
trained in handling GDPR matters.
4. The controller only became aware of the erasure request after being notified of
the complaint by my the Berlin SA.
5. The complainant’s request was not satisfied within the legal timeframe.
6. The lack of appropriate procedures and measures for handling data subject
rights at the time of the request.
14. In view of the above and on the basis of the powers conferred on me by the
provisions of subparagraph (b) of paragraph (2) of Article 58 of the GDPR, I have
decided to issue a reprimand to Freedom Finance Europe Ltd for the
infringement mentioned in paragraph 12 above. In the event of a recurrence of a
similar infringement within 12 months from today, this Decision may be counted
against the company.
Irene Loizidou Nicolaidou
Commissioner
For Personal Data Protection