Commissioner (Cyprus) - 11.17.001.009.100
Commissioner - 11.17.001.009.100 | |
---|---|
Authority: | Commissioner (Cyprus) |
Jurisdiction: | Cyprus |
Relevant Law: | Article 12 GDPR Article 13 GDPR Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 1500 EUR |
Parties: | n/a |
National Case Number/Name: | 11.17.001.009.100 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Office of the Commissioner for Personal Data Protection- Cyprus (in EN) |
Initial Contributor: | Nikolaos. Konstantis |
MG Social LTD (now renamed Aylo Social LTD) was fined €1,500 for not taking action on data subjects’ erasure request under Article 17 GDPR.
English Summary
Facts
The complaint was filed with the German Supervisory Authority against the controller - MG Social LTD (now renamed Aylo Social LTD). The controller operated the website mydirtyhobby.de and was accused of not fulfilling the right to erasure under Article 17 GDPR. Given that the controller was based in Cyprus, the Cyprus DPA took on the investigation of the complaint.
The data subject requested the deletion of his data through two emails, claiming that he received no response from the controller. The controller stated that their support staff replied to the data subject in both instances, providing the available options for deactivating or deleting his account, and offering further information on what each option entails. Additionally, a link was provided at the end of the message, directing the data subject to an online platform where he was required to verify his email address. However the data subject did not take any relevant or further action regarding the provided instructions.
Holding
The DPA found that the controller violated the Article 12(4) GDPR because the controller did not inform the data subject about the non-fulfillment of the deletion request within the specified timeframe. Also the controller violated the Article 13 GDPR, because they did not provide adequate information during the visit to the online platform, and the Article 17 GDPR because the right to deletion was not fulfilled.
Following the above, the DPA issued a reprimand to the controller for the first two violations and imposed an administrative fine of €1,500 for the violation of Article 17.
Furthermore, the DPA issued an order to the controller to immediately fulfill the deletion request, to comply with their obligations regarding informing visitors on the online platform about the fulfillment of rights, and to revise the procedure for handling data subject requests.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.