CNIL (France) - 2c1s196162814

From GDPRhub
Revision as of 12:57, 1 January 2023 by Kv (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=2c1s196162814 |ECLI=EDPBI:FR...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CNIL - 2c1s196162814
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(c) GDPR
Article 12(3) GDPR
Article 14 GDPR
Article 56(1) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Article L561-12 of the French Monetary and Financial Code
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 20.05.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 2c1s196162814
European Case Law Identifier: EDPBI:FR:OSS:D:2022:369
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 procedure, The French DPA decided three complaints regarding one controller. Among other violations, the controller did not respond to access requests in time, did not provide information and did not take necessary measures to only.

English Summary

Facts

This decision by the French DPA consisted of several complaints by different data subjects regarding the same controller. The nature of this controller was not disclosed, but was most likely a provider of consumer credit. The first data subject was French and requested access to his data at the controller. The data subject received responses from the controller but these were incomplete according to the data subject. After an intervention of the French DPA, the request was granted by the controller. The second data subject had repeatedly requested the source of personal data concerning him, the retention period and the deletion of his data. The data subject filed a complaint at the French DPA (DPA). After discussions between the DPA and the controller, the controller informed the data subject that his phone number and his address had been obtained from an investigative agency, located in Israel. The controller added that the use of such an agency only occurred when the data collected from the ‘transferring institution’ was inadequate. The controller also informed the data subject about the ‘exceptional’ closure of his case and that the personal data would be deleted after a period of 6 years. The controller stated that it was obliged to keep this data for a minimum of five years for anti-money laundering purposes. The complaint of the third data subject was transferred by the Polish DPA pursuant of Article 56(1) GDPR. The controller was not able to reach the data subject concerning his supposed debt. Therefore, it appealed to an investigative agency, which sent the contact details of the data subject on 13 July 2018. The data subject was contacted by the controller to pay his debt despite never being a client of the controller. After communication between the data subject and the controller and an intervention of the DPA, the controller acknowledged that there had been a mistake regarding the identity of the data subject. The controller anonymized the data subject’s address and telephone number following the intervention of the DPA. The data subject complained at the DPA about the unlawfulness of processing of personal data concerning him and requested erasure of his data. The data subject stated that he was not a debtor and had never been a client of the controller.

Holding

The DPA held that the controller had disregarded Article 12(3) GDPR regarding the third complaint, because it had taken the controller four months to respond to the data subjects first request and did not answer as soon as possible. The controller also violated Article 5(1)(d) GDPR regarding the third complaint, because it did not take the necessary measures to only process up-to-date personal data. It held that the controller did not take adequate measures to remove any doubt surrounding the data subject and delete the personal data of this data subject, who was not a debtor. The controller continued to process the data and only anonymized the data after the French DPA interfered. The DPA also determined that the controller violated Article 5(1)(c) GDPR regarding the second complaint because of the 6-year retention period, while French law determined that the storage period for money laundering purposes was only five years (Article L561-12 of the French Monetary and Financial Code). The DPA also stated that Article 14 GDPR had been breached by the controller regarding all complaints, because data subjects were not informed about the source of personal data when this was collected by the controller through a third party. The DPA specified that providing a copy of a privacy policy with each financial claim, indicating the possibility of recourse to an investigative agency, does not mean that the obligation of Article 14 GDPR is fulfilled. This information is not specific enough and does not provide information on the exact source of the data. The DPA issued a reprimand pursuant of Article 58(2)(b) GDPR and Article 20.II of the French data protection act with regard to the obligation to respond to requests for the exercise of rights of individuals and the obligation to process accurate and updated personal data. The DPA also issued a formal notice pursuant of Article 58(2)(d) GDPR and Article 20.II of the French data protection act to limit the retention period of personal data to five years and to correctly inform individuals about the origin of their personal data.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.
Retrieved from "https://gdprhub.eu/index.php?title=CNIL_(France)_-_2c1s196162814&oldid=30096"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki