AKI (Estonia) - EDPBI:EE:OSS:D:2022:362

From GDPRhub
AKI - EDPBI:EE:OSS:D:2022:362
LogoEE.png
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 02.05.2022
Fine: n/a
Parties: n/a
National Case Number/Name: EDPBI:EE:OSS:D:2022:362
European Case Law Identifier: EDPBI:EE:OSS:D:2022:362
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 GDPR decision, the Estonian DPA reprimanded a controller for a violation of Article 17 GDPR. The controller did not erase all personal data after an erasure request. The controller had designed its erasure procedure in such a way that when a data subject did not log out manually from the controller's service after the erasure request, the login details of the data subject would be kept in the controller's database.

English Summary

Facts

The data subject was unable to exercise his right to have his data deleted by the controller. The nature of the controller was not specified. According to the data subject, the data was not deleted despite several appeals and despite multiple confirmations from the controller that his personal data was deleted. The data subject filed a complaint at the Berlin DPA, which transferred the complaint to the Estonian DPA under Article 56 GDPR. The latter started an investigation into the controller and sent it several questions regarding its processing.

The controller stated that the data subject had requested deletion on 19 November 2020 and that the controller deleted the data on the same day. It also explained its standard account deletion procedure, which required the user to manually log out or to delete the controller’s application in order to complete the deletion process. If the user did not do this, his login details (e-mail address and account passcode) would be kept in a database. Where applicable, the controller would not delete, but encrypt and archive personal data in order to comply with the Estonian Money Laundering and Terrorist Financing Prevention Act (the “AML Act”). The controller also confirmed during the proceedings that all personal data of the data subject had now been deleted.

In order to prevent these situations in the future, the controller implemented a forced-logout to its user account deletion procedure. Therefore, data subjects did not have to logout themselves anymore to have all their data erased.

Holding

The Estonian DPA determined that the controller violated Article 17 GDPR. It had not deleted the personal data of data subjects because of its own procedural mistakes. The DPA acknowledged that these procedural mistakes had now been solved by the controller, now that all the personal data had been deleted. The DPA closed the proceedings and reprimanded the controller on the basis of Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

FOR DATAPRIVACYAND FREEDOM OF INFORMATION

                                                                  ASUTUSESISESEKS
                                                                  KASUTAMISEKS
                                                                  Märge tehtud: 02.05.2022 Inspektsioon
                                                                  Juurdepääsupiirang kehtib kuni:
                                                                  02.05.2097
                                                                  Alus: AvTS § 35 lg 1 p 2,AvTS § 35 lg 1
                                                                  p 12


IMI - Berlin DPA                                                  Yours: nr

                                                                  Ours:   {regDateTime}     nr
                                                                  {regNumber}





Reprimand for failure to comply with the requirements of the General Data Protection
Regulation & notice of termination of the proceeding in regard to the protection of
personal data


RESOLUTION:


Reprimand in a personal data protection case in which                                      has
violated the following norm arising from the General Data Protection Regulation

(GDPR): article 17


Case


The Estonian Data Protection Inspectorate (Estonian DPA) received a complaint from
                via Internal Market Information System.


According to the complaint the complainant was unable to exercise his right to have the data
deleted. The complainant stated that, despite several appeals, the data was not deleted.


The Estonian DPA explained to the controller that processing of personal data is permitted
only with the consent of the person or other legal basis abiding from law. In the absence of a

legal basis, personal data may not be processed. If personal information processing is not
permitted by law, a person has the right to ask for termination of data processing and

additionally for deletion of data.

Based on the information contained in the complaint, the controller have repeatedly confirmed

to the complainant that his personal information was deleted, so logically the controller had
no further legal basis to process the complainant's data. Additionally the controller did not

explain to the complainant the impossibility of deletion.


For above reasons the Estonian DPA started an investigation and asked questions listed with
answers below.


1.     On what date was the specific personal data of                     data deleted?

Tatari tn 39 / 10134 Tallinn / 627 4135 / info@aki.ee / www.aki.ee
Registrikood 70004235with the account.”

5) What is the legal basis for not deleting all the data and encrypting some of it? Please

be precise – bring out the legal act, provision, section, reason.

            s data retention obligations stem from § 47 of the Estonian Money Laundering

and Terrorist Financing Prevention Act (the “AML Act”). Under this provisions,
              is required to retain:


    -  Documents specified in §21, § 22 and §46 of the AML Act (which includes, but is not
        limited to documentation relating to proof of residence, date of birth, personal
        identification code), information registered in accordance with § 46 and the

        documents serving as the basis for identification and verification of persons, and the
        establishment of a business relationship for no less than five years after the
        termination of the business relationship;

    -  during the period specified in subsection 1 of § 47,                           must also
        retain the entire correspondence relating to the performance of its duties and
        obligations arising from the           and all the data and documents gathered in the

        course of monitoring the business relationship or occasional transactions as well as
        data on suspicious or unusual transactions or circumstances which were not reported
        to the Financial Intelligence Unit.
    -                             must also retain the documents prepared with regard to a

        transaction on any data medium and the documents and data serving as the basis for
        the notification obligations specified in § 49 of the AML Act for no less than five years
        after making the transaction or performing the duty to report.

    -                             must retain the documents and data specified in subsections
        1, 2 and 3 of § 47 in a manner that allows for exhaustively and without delay replying
        to the enquiries of the Financial Intelligence Unit or, in accordance with legislation,

        those of other supervisory authorities, investigative bodies or courts, inter alia,
        regarding whether              has or has had in the preceding five years a business
        relationship with the given person and what is or was the nature of the relationship.

    -   Lastly,                          deletes the data retained on the basis of § 47 after the
        expiry of the time limits specified in subsections 1–6 of § 47, unless the legislation
        regulating the relevant field establishes a different procedure. On the basis of a

        compliance notice issued by the competent supervisory authority, data of importance
        for prevention, detection or investigation of money laundering or terrorist financing
        may be retained for a longer period, but not for more than five years after the expiry

        of the first time limit.”

6) What exact data are you encrypting and archiving? Is it not possible to anonymize the

data and then archive it?

            ’s compliance department encrypts and archives the data that is required to be

retained for AML purposes (documentation relating to proof of residence, date of birth,
personal identification code, transaction data), as per the requirements listed in § 47 of the
AML Act.


3 (4)The reason why this data is not anonymized is that this data (documentation relating to proof
of residence, date of birth, personal identification code, transaction data) has a specific

function in relation to our obligations stemming from § 47 of the AML Act - this data is used
to duly verify the identity/residence of our users and screen them against a variety of
sanctions lists and lists pertaining to politically exposed persons. In turn, as per

§ 47,            should without delay reply to the enquiries of the Financial Intelligence Unit
or, in accordance with legislation, those of other supervisory authorities, investigative bodies
or courts, inter alia, regarding whether            has or has had in the preceding five years

a business relationship with the given person and what is or was the nature of the
relationship.


Anonymizing the above-described data (documentation relating to proof of residence, date of
birth, personal identification code, transaction data) is irreversible and would render it
impractical or even impossible for             to comply with its AML reporting obligations.”


Taking into account the fact that the controller did not delete the data subjects data due
to their own procedural mistakes the controller breached article 17 stipulated in the

General Data Protection Regulation (GDPR).

Although the controller has now confirmed that the complainant’s personal data is

deleted (besides the data that they are obligated to retain by law), procedural mistakes
are solved and the controller has improved its data processes (including deletion), we are
closing the proceedings and reprimand                                  on the basis of Article
58 (2) (b) of the GDPR.




Best regards



lawyer
authorised by Director General




















4 (4)