AKI (Estonia) - 14.02.2024

From GDPRhub
Revision as of 12:06, 25 September 2024 by Wp
AKI - 14.02.2024
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(d) GDPR
Article 12(3) GDPR
Article 12(4) GDPR
Article 16 GDPR
Article 24(1) GDPR
Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.02.2024
Published:
Fine: n/a
Parties: Bolt
National Case Number/Name: 14.02.2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Noyb (in EN)
Initial Contributor: wp

The DPA reprimanded Bolt for failing to enable the rectification of a data subject’s phone number. However, the controller implemented this option during the proceedings.

English Summary

Facts

A data subject was a user of the Bolt app. They tried to change the phone number used, but the app did not provide such functionality. The data subject contacted the provider of the Bolt app (the controller) by email, asking for correction of their phone number in accordance with Article 16 GDPR. The controller didn’t reply.

The data subject, represented by noyb, lodged a complaint with the Estonian DPA (AKI).

During the proceedings, the controller stated that the user’s phone number served as a unique ID within the app’s system. Consequently, it was impossible to change the phone number used when first registering. The only available option was to delete the account and create a new one.

In response, the DPA suggested that the controller might update its system to allow users to change their phone number in the app. Moreover, the DPA suggested that the controller might answer the data subject’s request.

As advised by the DPA, the controller updated the software and notified the DPA in August 2023. Also, the controller answered the requests of the data subject.

Holding

The DPA upheld the complaint.

The controller failed to reply to the rectification request without undue delay, as required by Article 12(3) GDPR. Eventually, the request was answered, but only after the DPA’s suggestion. Moreover, as the DPA pointed out, the controller was also slow to respond to the data subject during the proceedings.

Furthermore, the controller didn’t implement appropriate organisational and technical measures under Article 32(1) GDPR in conjunction with Article 24(1) GDPR to ensure the confidentiality of personal data. In particular, the controller didn’t envisage measures to prevent third parties from gaining unauthorised access to the personal data of other users. Such access was possible when the phone number assigned to an account had passed to a new owner in the meantime, since the new owner could then access the account created by the previous owner.

As a result, the DPA reprimanded the controller for violating Article 5(1)(d) GDPR, Article 5(1)(f) GDPR, Article 12(3) GDPR, Article 12(4) GDPR, Article 16 GDPR, Article 24(1) GDPR and Article 32(1) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Irish regulator proposes 36 mln euro Facebook privacy fine - document
The complaint, lodged by Austrian privacy activist Max Schrems, concerned the lawfulness of Facebook's processing of personal data, specifically around its terms of service.