Commissioner (Cyprus) - 11.17.001.009.100

From GDPRhub
Revision as of 22:25, 25 July 2024 by Nikolaos.konstantis (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Cyprus |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoCY.jpg |DPA_Abbrevation=Commissioner |DPA_With_Country=Commissioner (Cyprus) |Case_Number_Name=11.17.001.009.100 |ECLI= |Original_Source_Name_1=Office of the Commissioner for Personal Data Protection- Cyprus |Original_Source_Link_1=https://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/all/302559D9BA5154FFC2258B3F003066F6/$file/20240208%20ΑΠΟΦΑΣΗ%20AYLO.pdf?o...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Commissioner - 11.17.001.009.100
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 1500 EUR
Parties: n/a
National Case Number/Name: 11.17.001.009.100
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Office of the Commissioner for Personal Data Protection- Cyprus (in EN)
Initial Contributor: Nikolaos. Konstantis

A complaint was filed against the company MG Social LTD (now renamed Aylo Social LTD) for not fulfilling the right to deletion.

English Summary

Facts

The complaint was filed with the German Supervisory Authority against the company MG Social LTD (now renamed Aylo Social LTD) . This company operates the website mydirtyhobby.de and is accused of not fulfilling the right to deletion.Given that the controller is based in Cyprus, the DPA has taken on the investigation of the complaintThe data subject requested the deletion of his data through two emails, claiming that he received no response from the controller.The controller stated that their support staff replied to the data subject in both instances, providing the available options for deactivating or deleting his account, and offering further information on what each option entails. Additionally, a link was provided at the end of the message, directing the data subject to an online platform where he was required to verify his email address.However the data subject did not take any relevant or further action regarding the provided instructions.

Holding

The DPA found that the controller violated the Article 12(4) GDPR because the controller did not inform the data subject about the non-fulfillment of the deletion request within the specified timeframe. Also the controller violated the Article 13 GDPR, because they did not provide adequate information during the visit to the online platform, and the Article 17 GDPR because the right to deletion was not fulfilled.Following the above, the DPA issued a reprimand to the controller for the first two violations and imposed an administrative fine of €1,500 for the violation of Article 17.Furthermore, the DPA issued an order to the controller to immediately fulfill the deletion request, to comply with their obligations regarding informing visitors on the online platform about the fulfillment of rights, and to revise the procedure for handling data subject requests.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.