AKI (Estonia) - EDPBI:EE:OSS:D:2022:362
AKI - EDPBI:EE:OSS:D:2022:362 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 02.05.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EDPBI:EE:OSS:D:2022:362 |
European Case Law Identifier: | EDPBI:EE:OSS:D:2022:362 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In an Article 60 GDPR decision, the Estonian DPA reprimanded a controller for a violation of Article 17 GDPR. The controller did not erase all personal data after an erasure request. The controller had designed its erasure procedure in such a way that, when a data subject did not manually log out of the controller's service after the erasure request, the data subject's login details would be kept in the controller's database.
English Summary
Facts
The data subject was unable to exercise his right to have his data deleted by the controller. The nature of the controller was not specified. According to the data subject, the data was not deleted despite several appeals and despite multiple confirmations from the controller that his personal data was deleted.
The data subject filed a complaint at the Berlin DPA, which transferred the complaint to the Estonian DPA. The latter was the lead supervisory authority in this case and started an investigation into the controller. It sent the controller several questions regarding its processing.
The controller stated that the data subject had requested deletion on 19 November 2020 and that the controller deleted the data on the same day. It also explained its standard account deletion procedure, which required the user to manually log out or to delete the controller’s application. If the user did not do this, his login details (e-mail address and account passcode) would be kept in a database. The remainder of his personal data would be deleted and, where applicable, encrypted and archived.
The controller stated that, in the future, a data subject who requests deletion will automatically be logged out of their account by the controller. The controller also confirmed during the proceedings that all personal data of the data subject had been deleted.
Holding
The Estonian DPA determined that the controller violated Article 17 GDPR. It had not deleted the personal data of data subjects because of its own procedural mistakes. The DPA acknowledged that the controller had since resolved these procedural mistakes and that all the personal data had been deleted.
The DPA closed the proceedings and reprimanded the controller on the basis of Article 58(2)(b) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
FOR DATA PRIVACY AND FREEDOM OF INFORMATION
FOR INTERNAL USE
Notation made: 02.05.2022
Inspectorate
Access restriction valid until: 02.05.2097
Basis: AvTS § 35 subsection 1 point 2, AvTS § 35 subsection 1 point 12
IMI - Berlin DPA
Yours: nr
Ours: {regDateTime} nr {regNumber}
Reprimand for failure to comply with the requirements of the General Data Protection Regulation & notice of termination of the proceeding in regard to the protection of personal data
RESOLUTION: Reprimand in a personal data protection case in which has violated the following norm arising from the General Data Protection Regulation (GDPR): article 17
Case
The Estonian Data Protection Inspectorate (Estonian DPA) received a complaint from via Internal Market Information System. According to the complaint the complainant was unable to exercise his right to have the data deleted. The complainant stated that, despite several appeals, the data was not deleted.
The Estonian DPA explained to the controller that processing of personal data is permitted only with the consent of the person or other legal basis abiding from law. In the absence of a legal basis, personal data may not be processed. If personal information processing is not permitted by law, a person has the right to ask for termination of data processing and additionally for deletion of data. Based on the information contained in the complaint, the controller has repeatedly confirmed to the complainant that his personal information was deleted, so logically the controller had no further legal basis to process the complainant's data. Additionally the controller did not explain to the complainant the impossibility of deletion.
For above reasons the Estonian DPA started an investigation and asked questions listed with answers below.
1. On what date was the specific personal data of data deleted?
Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee
Registry code 70004235
with the account.”
5) What is the legal basis for not deleting all the data and encrypting some of it? Please be precise – bring out the legal act, provision, section, reason.
s data retention obligations stem from § 47 of the Estonian Money Laundering and Terrorist Financing Prevention Act (the “AML Act”). Under this provisions, is required to retain:
- Documents specified in §21, § 22 and §46 of the AML Act (which includes, but is not limited to documentation relating to proof of residence, date of birth, personal identification code), information registered in accordance with § 46 and the documents serving as the basis for identification and verification of persons, and the establishment of a business relationship for no less than five years after the termination of the business relationship;
- during the period specified in subsection 1 of § 47, must also retain the entire correspondence relating to the performance of its duties and obligations arising from the and all the data and documents gathered in the course of monitoring the business relationship or occasional transactions as well as data on suspicious or unusual transactions or circumstances which were not reported to the Financial Intelligence Unit.
- must also retain the documents prepared with regard to a transaction on any data medium and the documents and data serving as the basis for the notification obligations specified in § 49 of the AML Act for no less than five years after making the transaction or performing the duty to report.
- must retain the documents and data specified in subsections 1, 2 and 3 of § 47 in a manner that allows for exhaustively and without delay replying to the enquiries of the Financial Intelligence Unit or, in accordance with legislation, those of other supervisory authorities, investigative bodies or courts, inter alia, regarding whether has or has had in the preceding five years a business relationship with the given person and what is or was the nature of the relationship.
- Lastly, deletes the data retained on the basis of § 47 after the expiry of the time limits specified in subsections 1–6 of § 47, unless the legislation regulating the relevant field establishes a different procedure. On the basis of a compliance notice issued by the competent supervisory authority, data of importance for prevention, detection or investigation of money laundering or terrorist financing may be retained for a longer period, but not for more than five years after the expiry of the first time limit.”
6) What exact data are you encrypting and archiving? Is it not possible to anonymize the data and then archive it?
’s compliance department encrypts and archives the data that is required to be retained for AML purposes (documentation relating to proof of residence, date of birth, personal identification code, transaction data), as per the requirements listed in § 47 of the AML Act.
The reason why this data is not anonymized is that this data (documentation relating to proof of residence, date of birth, personal identification code, transaction data) has a specific function in relation to our obligations stemming from § 47 of the AML Act - this data is used to duly verify the identity/residence of our users and screen them against a variety of sanctions lists and lists pertaining to politically exposed persons.
In turn, as per § 47, should without delay reply to the enquiries of the Financial Intelligence Unit or, in accordance with legislation, those of other supervisory authorities, investigative bodies or courts, inter alia, regarding whether has or has had in the preceding five years a business relationship with the given person and what is or was the nature of the relationship. Anonymizing the above-described data (documentation relating to proof of residence, date of birth, personal identification code, transaction data) is irreversible and would render it impractical or even impossible for to comply with its AML reporting obligations.”
Taking into account the fact that the controller did not delete the data subject's data due to their own procedural mistakes the controller breached article 17 stipulated in the General Data Protection Regulation (GDPR).
Although the controller has now confirmed that the complainant’s personal data is deleted (besides the data that they are obligated to retain by law), procedural mistakes are solved and the controller has improved its data processes (including deletion), we are closing the proceedings and reprimand on the basis of Article 58 (2) (b) of the GDPR.
Best regards
lawyer
authorised by Director General