IMY (Sweden) - DI-2020-10538
Datainspektionen - DI-2020-10538 | |
---|---|
Authority: | Datainspektionen (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(3) GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 22.01.2021 |
Published: | 22.01.2021 |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | DI-2020-10538 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | Integritetsskyddsmyndigheten (in SV) |
Initial Contributor: | Elisavet Dravalou |
The Swedish DPA held that MAG Interactive AB (controller) has violated article 12.3 GDPR, because, although they complied with an erasure request, they did not notify the data subject by negligence.
English Summary
Facts
A data subject made an erasure request at MAG Interactive AB on the 29th of November 2018. Since the request came from an email address that wasn't linked with the data subject's account, the controller asked for proof of identity. The data subject provided proof of identity on the 29th of May 2019. MAG Interactive AB complied with the request and deleted the personal data concerned 16 days upon the reception of the request, but out of negligence, they did not informed the data subject regarding the action taken. The reason why the data subject wasn't notified was that the second request with the proof of identity came by regular post and MAG Interactive AB normally handles requests in a system where notifications of actions taken are sent automatically.
Dispute
Holding
The Swedish DPA held that MAG Interactive AB in first place, had the right to verify the identity of the data subject. Upon the reception of the proof of the data subject's identity, MAG Interactive AB deleted the personal data concerned in compliance with article 17 GDPR. Despite that, they did not notify the data subject about the action taken (deletion of his personal data) and therefore they violated article 12.3. As MAG Interactive AB reassured the DPA that they will take appropriate organisational measures to ensure that this will not occur again, the DPA closed the case and no fine was issued.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1 (3) MAG Interactive AB Org.nr: 556804-3524 Drottninggatan 95A 113 60 Stockholm Record number: DI-2020-10538 Decision after supervision according to Date: Data Protection Regulation - MAG 2021-01-22 Interactive AB The decision of the Integrity Protection Authority The Privacy Protection Authority states that MAG Interactive AB has processed personal data in breach of Article 12 (3) of the Data Protection Regulation by not without unnecessary delay informed the complainant of the outcome of the complainant's request for deletion pursuant to Article 17 of 29 May 2019 until 6 November 2020. The case is closed without action. Report on the supervisory matter The Privacy Protection Authority (IMY) has initiated supervision regarding MAG Interactive AB (the company) in connection with a complaint. The complaint has been submitted to IMY, i as the supervisory authority responsible for the company's activities in accordance with Article 56 the Data Protection Regulation, from the supervisory authority of the country where the complainant has left lodged its complaint in accordance with the provisions of the Regulation on cooperation in cross-border cases. The complaint alleges that the company has not handled the complainant's request deletion of the complainant's personal data in accordance with Article 17 of the Data Protection Regulation. MAG Interactive AB has mainly stated the following. The company first received a request on deletion of the complainant's account on the company's services on 29 November 2018 (on first request). Because the request came from a different email address than the one that linked to the account, the company requested that the complainant return with evidence to proof of his identity, which the complainant did not do. On May 29, 2019, a new one was added request for deletion of the complainant's account, but then by post and with the required evidence to prove the identity of the complainant (the second request). The company deleted Postal address: the complainant's information manually on 15 June 2019 in accordance with the request, except those Box 8114 information needed to show that the request has been processed. Due to oversight 104 20 Stockholm, however, the complainant was not informed of the outcome of the request in connection with that Website: www.imy.se E-mail: imy@imy.se REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of Telephone: natural persons with regard to the processing of personal data and on the free movement of such data and on 08-657 61 00 Repeal of Directive 95/46 / EC (General Data Protection Regulation). Integrity Protection Authority Record number: DI-2020-10538 2 (3) Date: 2021-01-22 request was processed. Instead, it took place only in connection with a review before answers in this supervisory matter, ie on 6 November 2020. The processing has taken place through correspondence. Given that it applies to one cross-border complaints, the IMY has used the mechanisms of cooperation and uniformity contained in Chapter VII of the Data Protection Regulation. Affected regulators have been the data protection authorities in Norway, Ireland, France, Austria, Denmark, Poland and Germany. Justification of decision Applicable regulations According to Article 12 (3) of the Data Protection Regulation, the controller shall: request without undue delay and in any case no later than one month after to have received the request to provide the data subject with information on the measures taken taken in accordance with Article 17. This period may, if necessary, be extended by a further two months, taking into account the complexity of the request and the number received requests. The personal data controller shall notify the data subject of a such extension within one month of receipt of the request and state the reasons to the delay. According to Article 12 (6), the controller may, if he has reasonable grounds for: question the identity of the natural person submitting a request under Article 17; request additional information necessary to confirm the data subject's identity is provided. According to Article 17 (1) (a), the data subject shall have the right to be informed by the controller without undue delay have their personal data deleted and it the person responsible for personal data shall be obliged to delete without undue delay personal data if the personal data are no longer necessary for the purposes for which which they have collected or otherwise treated. According to Article 17 (3) (b), this shall not be the case apply to the extent that the processing is necessary to comply with a legal obligation requiring treatment under Union law. Pursuant to Article 57 (1) (f), each supervisory authority in its territory shall be responsible for: process complaints from a data subject and, where appropriate, investigate the matter to which the complaint relates. The Integrity Protection Authority's assessment Regarding the first request, IMY states that MAG Interactive AB was reasonable reasons to doubt the identity of the appellant and thus justifiable to request that the appellant provided additional evidence, which the appellant did not do. IMY considers against this background that the company has not been obliged to take any further measures due to that request. With regard to the second request, IMY notes that the company deleted the complainant's information, in addition to the information required to demonstrate that the request has been processed, within 16 days from the company receiving the request on May 29, 2019. IMY believes that the company has deleted the complainant's information without undue delay within the meaning of Article 17 Data Protection Regulation. Furthermore, the company has been justified in retaining the information. The Privacy Protection Agency Record number: DI-2020-10538 3 (3) Date: 2021-01-22 needed to demonstrate that the request has been processed in accordance with the Data Protection Regulation. However, the company first informed the complainant of the outcome of the second request 6 November 2020. Since the data controller pursuant to Article 12 (3) without unnecessary delay and in any case no later than one month after receipt request, with no exception here, shall inform the data subject of the measures taken pursuant to Article 17, MAG Interactive AB has violated Article 12 (3) the Data Protection Regulation. The company has stated that the reason why the complainant was not informed of the result of the request was due to an oversight. According to the company, this was mainly caused by that the request was handled manually because it was received by mail and that the company normally handles requests in a system where notifications of actions taken are sent automatically. Due to what happened, the company has stated that it will see over their routines so that what happened is not repeated. The company will, among other things, put set up a separate log for manual cases to ensure that all steps are followed, including that the user is notified in the manner he has requested. IMY states that it is of course important that the person responsible for personal data notifies the data subject on what measures have been taken in connection with his request, even in cases where the request is fully complied with to the extent that may be required. In light of the circumstances regarding the infringement that the company has highlighted - and the measures that the company has stated that it has taken and will take - considers however, IMY that the substance of the complaint has been investigated to the extent appropriate Article 57 (1) (f) of the Data Protection Regulation. Against this background, the case is closed without action. This decision has been made by Catharina Fernquist, Head of Unit, after a presentation by lawyer Olle Pettersson. Catharina Fernquist, 2021-01-22 (This is an electronic signature)