AP (The Netherlands) - z2019-28837
AP - z2019-28837 | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 12(3) GDPR Article 17(1) GDPR Article 58(2)(i) GDPR Article 83(4) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 30.07.2020 |
Published: | 04.06.2024 |
Fine: | 6,000 EUR |
Parties: | Ambitious People Group |
National Case Number/Name: | z2019-28837 |
European Case Law Identifier: | n/a |
Appeal: | Appealed - Overturned RvS (Netherlands) 202401169/1/A3 |
Original Language(s): | Dutch |
Original Source: | Autoriteit Persoonsgegevens (in NL) |
Initial Contributor: | ec |
The DPA imposed a fine of €6,000 on a controller for failing to comply with erasure requests by ignoring erasure requests that were not send to the controller’s designated email address that was provided in their privacy policy.
English Summary
Facts
The controller, Ambitious People Group (“APG”) is a recruitment agency. To match jobseekers with a suitable job, the controller asked for the name, address, email address, phone number, date of birth and CV of the jobseeker and stored this in a database. After finding a relevant vacancy, the controller would contact the jobseeker via e-mail. The controller operated under five different labels that each focus on a specific market: LMH, SAM, Four Life Sciences, Ardekay and Five Finance.
On 30 November 2018, the Dutch DPA ("Autoriteit Persoonsgegevens) received a complaint by three data subject against the controller for failing to comply with their requests for erasure. Even after multiple erasure requests, the three data subjects received e-mails from the controller with open vacancies.
Data subject 1 first requested erasure on 15 November 2018 and still received e-mails from the controller's label SAM with vacancies on 28 November 2018. Even after a second erasure request on 28 November 2018, data subject 1 still received an email with vacancies from the controller on 10 January 2019.
Data subject 2 received an email on 26 March 2018 from the controller's label LMH Engineering with a vacancy. Data subject 2 requested erasure on the same day. On 30 November 2018, data subject 2 still received an email from the controller. On the same day, data subject 2 requested erasure again. On 19 February 2019, data subject 2 still received an email with a vacancy from the controller.
Data subject 3 received an email on 17 October from the controller's label Five Finance with a vacancy. Data subject 3 requested erasure on the same day, also for the controller's label LMH Engineering. The controller replied on 19 October 2018 that this was a one-time non-recurring e-mail. Data subject 3 replied on the same day with another erasure request, which was confirmed by the controller on the day itself. However, data subject 3 still received an e-mail with a vacancy on 20 March 2019 and 1 August 2019 from the controller's label LMH Engineering.
The DPA started an investigation to review the possible violation by the controller and thereby send information requests to the controller. The controller confirmed that they erased the personal data of the three data subjects on 11 September 2019, and informed the data subjects the next day about this erasure via e-mail.
Furthermore, the controller explained to the DPA that individuals can request erasure via a designated email address provided in their privacy policy. The requests of the three data subjects were not made to their designated email address, but to the recruiters themselves who send the data subjects emails with vacancies. The controller has since then updated their internal procedure that erasure requests send to recruiters are also forwarded to the designated email address that handles erasure requests.
Holding
The DPA held that the controller under Article 17(1) GDPR read together with Article 12(3) GDPR needed to comply with erasure requests without undue delay and in any event within one month of receipt of the requests. According to the DPA, the fact that the data subjects did not use the designated email address, but the email address of the recruiter that approached them, does not change the controller’s duty to comply. The DPA noted that it also did not detract from the severity of the violation.
The DPA also stated that the controller bears responsibility for the actions of its employees who, in this case, failed to respond to the erasure requests. This responsibility includes preventing human mistakes. Although the controller had complied with more than 650 erasure requests and only three incidents occurred due to human mistake, the DPA held that it did not excuse the controller from its responsibility.
The controller therefore violated Article 17(1) in combination with Article 12(3) by not complying with the erasure requests, at least not within one month of receiving the requests. Thus, the DPA issued a fine of €6,000 on the grounds of Article 58(2)(i) and article 83(4) GDPR. The DPA took into account the fact that the failure of complying with the erasure requests was most probably a human mistake of one of the controller’s employees, the fact that the controller described in detail how to handle (erasure) requests and GDPR-related complaints they receive in their personal inbox or via telephone, and the fact that the controller has now strengthened its policy regarding (erasure) requests to prevent cases like this in the future.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
Job seekers can register with APG* if they are interested in mediation by this recruitment agency. People can of course also request that their personal data be deleted, for example if they no longer want mediation. But that did not go well for several people. Names, home addresses, e-mail addresses, telephone numbers, dates of birth and CVs containing information about education and work experience remained in the APG database after the persons requested their removal. APG also approached these people about vacancies. Right to oblivionPeople have the right to be forgotten. This means that in many cases an organization must delete someone's data if that person so requests. So that people's privacy is protected. Organizations must also do their best not to collect and store more personal data than necessary. If there is no good reason to retain and use personal data any longer, it is important that the organization deletes that data. Because information that an organization does not have cannot create a privacy problem. This data minimization is a starting point of the General Data Protection Regulation (GDPR). Method adjusted After an investigation by the AP, it turned out that APG did have a method for requests to delete data. Yet in practice things went wrong a number of times. APG has examined its internal policy and adjusted a number of points. The AP took this into account when determining the fine amount. Procedure for publication of fine The AP imposed the fine on APG in 2020. The AP may now make this decision public, after APG had initiated proceedings regarding the fine and its publication.*APG now operates under a different name: The Ambitious Group.