AKI (Estonia) - 2.1.-1/22/2643
|AKI - 2.1.-1/22/2643||
|Relevant Law:|Article 4(1) GDPR; Article 6(1) GDPR; Article 17(1)(a) GDPR|
|National Case Number/Name:|2.1.-1/22/2643|
|European Case Law Identifier:|n/a|
|Original Source:|AKI (in ET)|
The Estonian DPA ordered a controller to comply with an erasure request under Article 17 GDPR to delete a former work email address.
English Summary
Facts
The employment relationship between Retent AS (the controller) and the data subject ended in June 2022. Since then, the data subject repeatedly contacted the controller requesting the deletion of his former work email addresses. However, the controller did not block the address and continued sending emails to the data subject.
The data subject submitted a complaint before the Estonian DPA, which ordered the controller to comply with the data subject's request and delete the email addresses. However, the controller did not respond to the DPA's letters.
Holding
The DPA recalled that the name of a person contained in an e-mail address constitutes personal data in accordance with Article 4(1) GDPR. Personal data may only be processed if there is a valid legal basis referred to in Article 6(1) GDPR. As a general rule, an employee is given a named e-mail address to carry out tasks set out in the employment contract. Once the employment relationship ends, there is no longer a legal basis for the processing of the employee's personal data.
The data subject's former work e-mail addresses were still open despite the employment contract having ended and despite a request to delete the account. The DPA noted that Article 17(1)(a) GDPR requires the controller to erase personal data without undue delay where the personal data are no longer necessary for the purposes for which they were collected or otherwise processed. Since the controller had no legal basis for using the work email addresses, the continued disclosure of the data subject's personal data was unlawful. The DPA established a violation of Articles 6(1) and 17(1)(a) GDPR.
The DPA issued a mandatory injunction against the controller in order to put an end to the infringement as soon as possible and to guarantee the data subject's right to be forgotten under Article 17 GDPR. In case the controller does not comply with the injunction within a week, the DPA will impose a €2,500 fine for the GDPR infringements.
English Machine Translation of the Decision
The decision below is a machine translation of the Estonian original. Please refer to the Estonian original for more details.
PRIVACY PROTECTION AGAINST STATE TRANSPARENCY

Owner of information: Data Protection Inspectorate
Note made: 07.12.2022
Access restriction is valid until: 07.12.2097
Basis: AvTS § 35 paragraph 1 point 12, AvTS § 35 paragraph 1 point 2

PRESCRIPTION WARNING
personal data protection case no. 2.1.-1/22/2643

Prescription maker: Data Protection Inspectorate lawyer Annika Kaljula
Time and place of making the prescription: 08.12.2022 in Tallinn
Addressee of the injunction (personal data processor): Retent AS, e-mail address: firstname.lastname@example.org
Responsible person of the personal data processor: Board member Koit Pindmaa

RESOLUTION:
§ 56 subsection 1, subsection 2 point 8, § 58 subsection 1 of the Personal Data Protection Act (IKS) and on the basis of Article 58(2)(g) of the General Regulation on Personal Data Protection and taking into account I make a mandatory prescription to comply with Article 17:

Close the e-mail addresses Xx@retent.ee and Xx@retent.ee and send a confirmation of this to the inspection and to the applicant as well.

I set the deadline for the execution of the order to be 15.12.2022. Report compliance with the order by this deadline to the Data Protection Inspectorate's e-mail address email@example.com.

DISPUTE REFERENCE:
This order can be challenged within 30 days by submitting either:
- a complaint to the Data Protection Inspectorate under the Administrative Procedure Act or
- a complaint to the administrative court according to the Code of Administrative Court Procedure (in this case it is no longer possible to review the argument in the same matter).

Challenging an injunction does not suspend the obligation to fulfill it or the implementation of the measures necessary for its fulfillment.
EXTORTION WARNING:
If the injunction has not been fulfilled by the set deadline, the Data Protection Inspectorate will determine to the addressee of the injunction on the basis of § 60 of the Personal Data Protection Act: Extortion money 2500 euros.

A fine may be imposed repeatedly, until the injunction is fulfilled. If the recipient does not pay the extortion money, it will be forwarded to the bailiff to start enforcement proceedings. In this case, the bailiff's fee and other enforcement costs are added to the enforcement money.

Tatari tn 39 / 10134 Tallinn / 627 4135 / firstname.lastname@example.org / www.aki.ee Registry code 70004235

VIOLATION PENALTY WARNING:
For failure to comply with the injunction pursuant to Article 58(2) of the General Regulation on Personal Data Protection, misdemeanor proceedings may be initiated based on § 69 of the Personal Data Protection Act. For this act a natural person may be fined up to 20,000,000 euros and a legal person may be punished with a fine of up to 20,000,000 euros or up to 4 percent of the total worldwide annual turnover of its previous financial year, whichever amount is bigger. The out-of-court proceedings for the misdemeanor are conducted by the Data Protection Inspectorate.

FACTUAL CIRCUMSTANCES:
The Data Protection Inspectorate (inspection) received Xx's complaint regarding the former employer Retent AS not deleting his former professional e-mail addresses (Xx@retent.ee and Xx@retent.ee). The employment relationship between Retent AS and Xx ended in June 2022, and after that the complainant has repeatedly turned to Retent AS with a request to close his former professional e-mail addresses. According to the applicant, however, the employer has not closed his e-mail addresses so far, and he can continued emails from them.
On 14.11.2022 the Data Protection Inspectorate sent Retent AS, to the e-mail address registered in the business register (email@example.com), a proposal to close the e-mail addresses Xx@retent.ee and Xx@retent.ee and to send confirmation to the inspectorate (firstname.lastname@example.org) and to the complainant (Xx) by 21.11.2022 at the latest. In case the data processor did not agree with the proposal, the inspectorate asked it to clarify on what legal basis the professional e-mail addresses Xx@retent.ee and Xx@retent.ee of Retent AS's former employee Xx are still kept open. Because no answer came by the specified date, the inspection sent the data processor a repeated proposal with the same content on 28.11.2022, setting the deadline for the response to 5.12.2022 and warning the data processor of the possibility of an injunction being issued and fines being imposed in case of failure to respond. As of this date, Retent AS has not responded to the inspection's proposal or asked for an extension of time to answer.

GROUNDS FOR DATA PROTECTION INSPECTION:
1. Personal data is any information about an identified or identifiable natural person according to article 4, paragraph 1 of IKÜM. Therefore, a person's name included in an e-mail address is also personal data.
2. Personal data may be processed only if there is a legal basis stated in Article 6 of IKÜM (consent, contract performance, legal obligation, public task, legitimate interest).
3. As a rule, the employee is given a named e-mail address to fulfill the tasks specified in the employment contract. After the end of the employment relationship, the original legal basis for processing the employee's personal data (named e-mail address) no longer exists (there is no employment contract).
4. The employment relationship between Retent AS and Xx (complainant) ended in June 2022.
5. The applicant's former work e-mail addresses (Xx@retent.ee and Xx@retent.ee) are still open; they continue to be used for receiving and transmitting e-mails.
6. The right to demand the deletion of one's personal data (i.e. a named e-mail box) derives from Article 17 of IKÜM, according to which the controller is obliged to delete personal data without unreasonable delay if the personal data is no longer needed for the purpose for which they have been collected or otherwise processed (Article 17(1)(a)).
7. The applicant has repeatedly turned to Retent AS with the demand to close his former work e-mail addresses.
8. Because Retent AS does not have a legal basis to use Xx's work e-mail addresses after the termination of his employment relationship, keeping them open is contrary to the General Regulation on Personal Data Protection.
9. Pursuant to article 5 paragraph 2 of the IKÜM, the legality of data processing must be proven by the data processor.
10. According to IKS § 58 paragraph 1 and IKÜM article 58 paragraph 2 point g, the inspection has the right to order the deletion of personal data based on Article 17.
11. According to § 27 (2) point 3 of the Administrative Procedure Act (HMS), a document made available or transmitted electronically is deemed delivered if the document or message has been sent to the e-mail address registered in the company's business register.
12. The inspection has sent a proposal and a repeated proposal to the e-mail address of Retent AS reflected in the commercial register and gave Retent AS a reasonable time to respond; the inspection also offered an opportunity to explain, in case of disagreement with the proposal, on what legal basis the professional e-mail addresses XX@retent.ee and XX@retent.ee of former employee Xx of Retent AS are still kept open. With that, the inspection has fulfilled the obligation arising from § 40 subsection 1 of the Administrative Procedure Act to give the party to the proceedings, before the administrative act is issued, the opportunity to present his opinion and objections on the matter.
13. Taking into account the factual circumstances and the fact that, to the knowledge of the inspection, there is no legal basis for keeping the applicant's e-mail addresses (XX@retent.ee and XX@retent.ee) open and the data processor has not responded to the two previous proposals made by the inspection, the inspection considers that issuing a mandatory injunction in this case is necessary in order to stop the offence as soon as possible and guarantee the complainant his right "to be forgotten" according to Article 17 of IKÜM.

(signed digitally)
Annika Kaljula
lawyer
on the authority of the Director General