IDPC (Malta) - CDP/COMP/332/2024
| Field | Value |
|---|---|
| Authority | IDPC (Malta) |
| Jurisdiction | Malta |
| Relevant Law | Article 5(1)(a) GDPR; Article 15 GDPR |
| Type | Complaint |
| Outcome | Partly Upheld |
| Started | 22.07.2024 |
| Decided | 14.01.2025 |
| Published | 17.01.2025 |
| Fine | n/a |
| Parties | n/a |
| National Case Number/Name | CDP/COMP/332/2024 |
| European Case Law Identifier | n/a |
| Appeal | n/a |
| Original Language(s) | English |
| Original Source | IDPC (in EN) |
| Initial Contributor | ao |
The DPA issued a reprimand to a bank which had not fully explained why it only partially responded to an access request, and which could have supplied the requested information in redacted form instead of refusing it.
English Summary
Facts
On 22 July 2024, the data subject lodged a complaint with the Maltese DPA (Office of the Information and Data Protection Commissioner – IDPC), alleging that the controller, a bank, had failed to properly handle their access request.
The data subject had requested full access to their data, including internal emails exchanged among employees and any other documents or briefs written about them. The access request was lodged on 3 June 2024, and the controller responded on 28 June 2024 by supplying documents relating to the data subject. However, the requested internal emails and documents connected with a particular case were not included. The data subject reiterated the request.
The controller then cited Article 15(4) GDPR, together with professional and bank secrecy obligations, as the reason for refusing to share internal communications. The data subject clarified that the request related specifically to their own personal data and did not involve any third-party data, so the bank secrecy law should not apply. The controller responded that all relevant personal data had already been provided and that no further data existed.
In the complaint to the DPA, the data subject pointed out that the controller's responses were contradictory: the controller first acknowledged that further information existed but claimed the secrecy law prohibited its disclosure, and then claimed that no additional data existed at all.
Throughout the course of the investigation, the controller submitted that several bank employees and their data were involved in the investigation of the case concerning the data subject and that this prohibited it from supplying the data.
Holding
First, the DPA highlighted that the controller had failed to mention the bank secrecy law in its initial response to the data subject. The DPA noted that the data subject only learned the reason for the limitation through further inquiries. It therefore concluded that the reply did not meet the requirements of Article 15 GDPR.
The DPA stated that the controller had not complied with the requirements under Article 5(1)(a) GDPR as the data subject was not made to understand how their data was being processed.
Making use of its investigative powers under Article 58(1)(e) GDPR, the DPA requested the relevant internal communications. It concluded that some, but not all, of the communications contained personal data of the data subject within the meaning of Article 4(1) GDPR. The DPA ordered the controller to explain how the rights of others could be affected under Article 15(4) GDPR if the communications were provided. The DPA stated that under Article 5(2) GDPR the onus is clearly on the controller to show that it undertook a proper assessment of these competing interests.
The DPA further held that the requested communications were subject to the bank secrecy law but at the same time contained personal data that had been processed in the context of a complaint before the Arbiter for Financial Services, which had already been concluded. The DPA therefore found that the controller should not have refused disclosure of the personal data outright. Instead, it should have anonymized the information relating to third parties, which the DPA held would balance both parties' rights. The controller was therefore held to have infringed Article 15(3) GDPR.
The DPA issued a reprimand under Article 58(2)(b) GDPR and, under Article 58(2)(c) GDPR, ordered the controller to supply the relevant information.