AKI (Estonia) - 14.02.2024
| AKI - 14.02.2024 | |
|---|---|
 | |
| Authority: | AKI (Estonia) |
| Jurisdiction: | Estonia |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(1)(d) GDPR Article 12(3) GDPR Article 12(4) GDPR Article 16 GDPR Article 24(1) GDPR Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 14.02.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Bolt |
| National Case Number/Name: | 14.02.2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | Noyb (in EN) |
| Initial Contributor: | wp |
The DPA reprimanded Bolt for failing to enable the rectification of a data subject’s phone number. However, the controller implemented the respective possibility in the course of the procedure.
English Summary
Facts
A data subject was a user of the Bolt app. They tried to change the phone number used, but the app didn’t provide for such a functionality. The data subject contacted the provider of the Bolt app (the controller) by sending emails asking for correction of their phone number in accordance with Article 16 GDPR. The controller didn’t reply.
The data subject, represented by noby, lodged a complaint with the Estonian DPA (AKI).
During the proceedings, the controller stated that the user’s phone number served as a unique ID within the app’s system. Consequently, it was impossible to change the phone number used when first registering. The only available option was to delete the account and create a new one.
In response, the DPA suggested to the controller it might update its system to allow for users changing their phone number in the app. Moreover, the DPA suggested the controller might answer the data subject’s request.
As advised by the DPA, the controller updated the software and notified the DPA in August 2023. Also, the controller answered the requests of the data subject.
Holding
The DPA upheld the complaint.
The controller failed to reply to rectification request without undue delay, according to Article 12(3) GDPR. Eventually, the request was answerer but only after the DPA’s suggestion. However, as pointed out by the DPA, also during the proceedings the controller delayed to respond to the data subject.
Furthermore, the controller didn’t implement appropriate organisational and technical measures under Article 32(1) GDPR in conjunction with Article 24(1) GDPR to ensure the confidentiality of personal data. In particular, the controller didn’t envisage measures to prevent third-parties from unauthorised access to personal data of other users. That was possible when the owner of the phone number assigned to the account changed in the meantime since the new owner could then access the account created by the previous owner.
As a result, the DPA reprimanded the controller for violation of Article 5(1)(d) GDPR, Article 5(1)(f) GDPR, Article 12(3) GDPR, Article 12(4) GDPR, Article 16 GDPR, Article 24(1) GDPR, Article 32(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Irish regulator proposes 36 mln euro Facebook privacy fine - document The complaint, lodged by Austrian privacy activist Max Schrems, concerned the lawfulness of Facebook's processing of personal data, specifically around its terms of service.
