Commissioner (Cyprus) - 11.17.001.009.100

From GDPRhub
Revision as of 12:39, 29 July 2024 by Mba (talk | contribs) (→‎Holding)
Commissioner - 11.17.001.009.100
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 1500 EUR
Parties: n/a
National Case Number/Name: 11.17.001.009.100
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Office of the Commissioner for Personal Data Protection- Cyprus (in EN)
Initial Contributor: Nikolaos. Konstantis

MG Social LTD (now renamed Aylo Social LTD) was fined €1,500 for not taking action on data subjects’ erasure request under Article 17 GDPR.

English Summary

Facts

The complaint was filed with the German Supervisory Authority against the controller - MG Social LTD (now renamed Aylo Social LTD). The controller operated the website mydirtyhobby.de and was accused of not fulfilling the right to erasure under Article 17 GDPR. Given that the controller was based in Cyprus, the Cyprus DPA took over the investigation of the complaint.

The data subject requested the deletion of his data via two emails, claiming that he received no response from the controller. The controller stated that their support staff replied to the data subject in both instances, providing the available options for deactivating or deleting his account, and offering further information on what each option entails. Additionally, a link was provided at the end of the message, directing the data subject to an online platform where he was required to verify his email address. However the data subject did not take any relevant or further action regarding the provided instructions.

Holding

The DPA found that the controller violated Article 12(4) GDPR because the controller did not inform the data subject about the non-fulfillment of the deletion request within the specified timeframe. Also the controller violated Article 13 GDPR because they did not provide adequate information during the visit on the online platform, and Article 17 GDPR because the right to deletion was not fulfilled.

Following the above, the DPA issued a reprimand to the controller for the first two violations and imposed an administrative fine of €1,500 for the violation of Article 17.

Furthermore, the DPA issued an order to the controller to immediately fulfil the deletion request, to comply with their obligations regarding informing visitors on the online platform about the fulfilment of rights, and to revise the procedure for handling data subject requests.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.