IDPC (Malta) - CDP/COMP/344/2022
IDPC - CDP/COMP/344/2022 | |
---|---|
Authority: | IDPC (Malta) |
Jurisdiction: | Malta |
Relevant Law: | Article 4(7) GDPR Article 5(2) GDPR Article 12(1) GDPR Article 12(3) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 24(1) GDPR Article 24(2) GDPR Article 38(1) GDPR Article 38(1) GDPR Article 39(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 50000 EUR |
Parties: | n/a |
National Case Number/Name: | CDP/COMP/344/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | IDPC (in EN) |
Initial Contributor: | Sainey Belle |
The Maltese DPA fined a school €50,000 for failing to respond to an access request within the time frame and having no appropriate internal measures to handle personal data.
English Summary
Facts
The complainant submitted an access request under Article 15 GDPR on behalf of her son (the data subject). The data subject attended a school which provides therapy sessions. As part of the curriculum, the therapists would assess the data subject at the beginning of the year and set goals for them. At the end of the year, these goals are reviewed and a report is then created which is stored on the data subjects file.
Intending to access the report, the complainant submitted the access request directly to the therapists. A response was not received from either therapist. Over the next few weeks, the complainant encountered a number of delays from the school, including back and forth emails with the school’s Director, which culminated in the report being provided 5 weeks after the initial request was made.
The following complaints were submitted to the DPA.
- The data subject request was not adhered to within the 30 day timeframe.
- The controller’s privacy policy was not easily accessible and contained a number of shortcomings.
- It was not clear whether the Director was a controller under Article 4(7)GDPR.
- There is no process outlining how the controller handles data subject rights requests.
Holding
The DPA decided that the school (the controller) had failed to adhere to the 30 day deadline. As per the complainant, the request was made on 24.05.2022 to the therapist. The DPA dismissed the controller's argument that the request was made on 10.06.22, which is when the complainant got in touch with the director requesting a follow up. As per the EDPB guidance 01/2022 on the exercise of data subject rights, a controller may not be required to respond to a request made to an employee who is not involved in the processing of requests concerning data subjects if they have clearly provided the data subject with an appropriate communication channel. However, the request is not considered random if they contact an employee who has been assigned to them as their regular contact person, which was the case here.
The DPA agreed that the privacy policy did not contain the minimum information needed under Article 13 GDPR. The policy lacked clarity on the categories of personal data processed, the legal basis or purpose of processing, how a data subject can request access and data retention timelines (the policy only made reference to an internal guideline which was not published on the controllers website).
The DPA held the Director should be considered a controller within the meaning of Article 4(7) GDPR. The DPA analysed the requirements under Article 4(7) GDPR and Article 5(2) GDPR, together with the EDPB guidelines. A specifically appointed natural person (such as a director) is considered to be acting on behalf of the legal entity (the school) which is responsible in case of infringement.
Laslty, there were no internal policies on the appropriate handling of personal data contrary to Article 24(1)-(2) GDPR and Article 32(4) GDPR. The controller did not have an adequate training procedure in place for all employees responsible for handling personal data. Due to the lack of internal processes, the therapists, contrary to Article 38(1) GDPR, failed to involve the DPO in the initial request.
The controller was ordered to revise the data protection policy on its website to be compliant with Article 13 GDPR and establish an internal data protection policy per Article 24 GDPR. The Commissioner also imposed a fine of €50,000 with - with an additional €50 each day for which the violation persists.
Comment
This case touches on a lot of important data protection concepts that tend to be overlooked by controllers and processors. Data protection should not be an afterthought, in addition DPOs are not a simple formality - their role is of particular importance to an organisation.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.