CNPD - DELIBERAÇÃO/2019/21

From GDPRhub
CNPD - Deliberação 2019/21
LogoPT.png
Authority: CNPD (Portugal)
Jurisdiction: Portugal
Relevant Law: Article 15(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: 05.02.2019
Published: 05.02.2019
Fine: 20.000 EUR
Parties: n/a
National Case Number/Name: Deliberação 2019/21
European Case Law Identifier: Processo n.º 2018/10788
Appeal: Unknown
Original Language(s): Portuguese
Original Source: CNPD (in PT)
Initial Contributor: {{{Initial_Contributor}}}

Portuguese DPA rules that phone call recordings must be made available to the data subject upon his/her request under article 15 GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject made a data access request pursuant to article 15 GDPR, with a view to accessing several recordings of phone call in which he had participated. The call centre operator - the data processor - was instructed by the controller not to deliver any such recordings unless a judicial order or an administrative authority request was received. Upon expiration of the applicable 90 days storage period, the (chronologically) first phone call recording was deleted without having been sent to the data subject, as he had requested. The remaining three recordings were eventually handed to the data subject upon CNPD's order (through Deliberação n.º 1154/2018, of the 18th December).

Dispute[edit | edit source]

Are phone call recordings' contents covered by article 15 GDPR as personal data which a data subjects has a right to access upon request?

Holding[edit | edit source]

Contrary to what the controller argued, the reason why it refused to grant access to the phone call recordings was not because the controller could not assert that the data subject was (in fact) the person sending the access request, but because it had defined an internal rule of not granting access to phone call recordings without a judicial or administrative authority order. In that view, and since (i) the controller knowingly breached the data subject's access right and (ii) given the particularly sensitive nature of the data at stake - electronic communications content data, which is protected under article 34 of the Portuguese Constitution and article 7 of the Charter of Fundamental Rights of the European Union -, the Portuguese DPA decided to sanction the controller with a EUR 20,000 fine.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Portuguese original. Please refer to the Portuguese original for more details.