Commissioner (Cyprus) - 11.17.001.009.100

From GDPRhub
Commissioner - 11.17.001.009.100
LogoCY.jpg
Authority: Commissioner (Cyprus)
Jurisdiction: Cyprus
Relevant Law: Article 12 GDPR
Article 13 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 1500 EUR
Parties: Aylo Social LTD
National Case Number/Name: 11.17.001.009.100
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Office of the Commissioner for Personal Data Protection- Cyprus (in EN)
Initial Contributor: Nikolaos. Konstantis

The DPA fined the operator of an adult-content website €1,500 for ignoring a data subject’s erasure request under Article 17 GDPR and referring them to a third-party platform dedicated to data protection requests.

English Summary

Facts

The data subject requested the deletion of his data by the controller - MG Social LTD (now renamed Aylo Social LTD). The controller operated the website mydirtyhobby.de The data subject sent two emails, requesting their data to be erased but allegedly received no response from the controller.

The controller stated that their support staff replied to the data subject in both instances, providing the available options for deactivating or deleting his account, and offering further information on what each option entails. Additionally, a link was provided at the end of the message, directing the data subject to an online platform (third-party) where he was required to verify his email address. However the data subject did not take any relevant or further action regarding the provided instructions.

Nevertheless, the data subject accused the controller of not fulfilling the right to erasure under Article 17 GDPR and filed a compliant.

The complaint was filed with the German Supervisory Authority. Given that the controller was based in Cyprus, the Cyprus DPA (DPC) took over the investigation of the complaint.

Holding

The DPA found that the controller violated Article 12(4) GDPR because the controller did not inform the data subject about the non-fulfillment of the deletion request within the specified time frame. Although the data subject received a link to a dedicated platform, their request to delete the data was not fulfilled in accordance with Article 12(4) GDPR.

Also the controller violated Article 13 GDPR because they did not provide adequate information during the visit on the online platform of the third-party, and Article 17 GDPR because, eventually, the right to deletion was not fulfilled.

Following the above, the DPA issued a reprimand to the controller for the first two violations and imposed an administrative fine of €1,500 for the violation of Article 17 GDPR.

Furthermore, the DPA issued an order to the controller to immediately fulfill the deletion request, to comply with their obligations regarding informing visitors on the online platform about the fulfillment of rights, and to revise the procedure for handling data subject requests.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.