Commissioner (Cyprus) - 11.17.001.008.222

The Cyprus Commissioner reprimanded Tarlun Limited for violating Article 12(3) GDPR by failing to respond to an access request within one month due to a misperception. The decision recognised mitigating factors like measures taken in retrospect.

English Summary

Facts

The complainant (the data subject) was wrongly charged for subscription services to the benefit of a website of Tarlun Limited (the controller). On 31 August 2020, the data subject exercised their right of access according to Article 15 GDPR to learn about which data was being held on her and where it was collected from. After receiving a refund in September 2019, but not the requested information, the data subject lodged a complaint with CNIL which was transmitted to the Cyprus Commissioner (the DPA).

In its investigation the DPA collected the information mentioned above and the following: the controller wrongfully believed the access request was only a request for refund and became aware of the access request after the notification of the complaint by the DPA on 15 December 2020. On 24 March 2022, the controller contacted the data subject, satisfied the access request, and apologised. Furthermore, the controller implemented measures to prevent the recurrence of the events. This included creating policies, appropriate technical and organisational measures and arranging training of the personnel on data protection and the provisions of the GDPR.

On 10 November 2022, the DPA issued a preliminary decision stating a violation of Article 12(3) GDPR by the controller due to not complying with the access request timely. The controller acknowledged this decision, clarified the misunderstanding, emphasised measures taken and cited further mitigating factors: no previous infringements, prompt cooperation, satisfaction of the access request in retrospect, minimal damage.

In the preliminary views the DPA pointed out that it is clear, the satisfaction of the request in first instance would have been possible if the staff had been properly trained in GDPR matters. With GDPR in force for over a year, the controller should have had at least measures in place concerning the Articles 15-22 GDPR and thus responded to the data subject’s access request timely.

Holding

Based information provided and the authority granted by Article 58 and 83 GDPR, as well as Article 24(b) of National Law 125(I)/2018, the DPA came to the following decision:

There was an infringement of Article 12(3) GDPR because of the lack of a timely compliance with the access request of the data subject. As mitigating factors, the DPA mentioned that there was no previous violation of the controller, that the request was satisfied upon realising, and the measures taken to ensure future compliance with the GDPR. As aggravating factors, the DPA stated that the controller only became aware of the data subject’s access request upon the complaint to the DPA, that there was no satisfaction within the legal timeframe and the lack of appropriate procedures and measures at the time of the access request of the data subject.

Thus, the DPA issued a reprimand, emphasising that this decision would be counted against the controller in case of a recurrence within 12 months.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Decision
Failure to Fully Comply to a Subject Access Request by Tarlun Limited
1. A complaint was lodged with the French SA (CNIL - Commission nationale
de l'informatique et des libertés) against Tarlun Limited (the controller), whose
main establishment is in Cyprus. Moreover, the complaint was subsequently
transmitted to Office of the Commissioner for Personal Data Protection (Cyprus
SA) on 25/9/2020, in line with Article 56 of the General Data Protection
Regulation.
2. On the basis of the above, the Commissioner for Personal Data Protection
(the Commissioner) is acting as the lead authority in this matter. In the course
of the investigation, other EU countries were identified as being concerned by
this case.
Description of the case
3.1. The complaint involves the controller’s (Tarlun Limited) failure to comply
with the complainant’s access request (SAR) (article 15 of the GDPR)
submitted to the controller, which operates the website www.funnycuistot.com.
3.2. In her complaint, the complainant stated that she was charged for
subscription services to the benefit of the website www.funnycuistot.com,
whereas she indicated that she did not remember having subscribed to this site.
Following this, she exercised her right of access via email from XXX to
support@funnycuistot.com on 31 August 2020 to identify what data was being
held on her and where the data was collected from. Moreover, she accepted a
partial refund, but she had not received an answer as regards the Subject
Access Request. After not receiving the requested information, the DS lodged
a complaint regarding the controller’s failure to fulfill the request.
Investigation by Cyprus SA
4. In the framework of the investigation by the Cyprus SA, the following
information was collected:
i. The complainant lodged a SAR via email with
support@funnycuistot.com, exercising her right of access as a data
subject under Article 15 of the GDPR on 31/08/2019 as well as an inquiry
in relation to the subscription to the Website.
ii. The controller wrongfully believed that the SAR was a request for a
reimbursement for the subscription paid to the Website and that they
already fulfilled it by refunding the complainant in September 2019.
iii. Following the reimbursement of the complainant, the controller’s Support
Department was unable to recover and/or locate the complainant's SAR
to reply and provide her with her personal data on time.
iv. The controller became aware of the SAR on 15/12/2020, upon
notification of the complaint by the Cyprus SA.
v. As a result of reimbursement provided to the complainant, the controller
continued to have a false impression that the SAR was satisfied until
January 2022, when legal advisors were appointed, who clarified to the
controller that the SAR was not satisfied.
vi. Upon realising this, the controller on 24 March 2022 contacted the
complainant and satisfied her SAR by providing her all the information
she requested and further apologised for causing any inconvenience.
vii. Moreover, the complainant confirmed the receipt of the above
information and also stated: “This indicates a fraudulent use of my
information and credit card number from an IP address in the Rhône-
Alpes region (whereas I am in the Grand Est region) but this is no longer
within the scope of the right of access request. So, I have obtained
satisfaction concerning my complaint and I thank you for it.”
viii. Furthermore, the controller took all necessary actions to avoid any
recurrence of the above incident. Specifically, the controller commenced
preparation of related policies and the appropriate technical and
organizational measures for the compliance with the GDPR and also
arranged for the conduction of further training/seminars of its personnel
on the provisions of the GDPR and data protection in general.
Preliminary Decision
5. On 10 November 2022, the Commissioner issued a Preliminary Decision
regarding the controller’s failure to comply with the complainant’s SAR. In the
said Preliminary Decision the Commissioner concluded that Tarlun Limited had
not complied with the complainant's request in a timely manner, thus there is a
violation of Article 12(3) GDPR since the controller did not respond to her
SAR within the one-month time limit.
6. The controller’s legal representative responded on 15 December 2022, to the
Preliminary Decision and stated, inter alia, that:
i. The controller accepts the Commissioner’s conclusion that there is a
violation of Article 12(3) GDPR since the Company did not reply to the
request made within the one-month time limit;
ii. The controller notes that customer service employees wrongfully
believed that the request made was a request for a reimbursement for
the subscription paid to the website of the Company.
iii. Following the incident, the controller emphasizes that GDPR training has
been conducted for all its employees including all support managers.
7. In addition to the above, the controller’s legal representative included the
following mitigating factors to be taken into account by the Commissioner:
i. There are no previous infringements committed by the controller,
ii. the controller took every action and provided necessary information
timely in order to cooperate with the Commissioner to remedy the
incident as well as to help with the investigation and to mitigate the
possible adverse effects of the incident,
iii. the controller satisfied the access request as soon as the controller
realized the incorrect handling of data subject request,
iv. the incident in question involved only one data subject and the damage
suffered by the data subject is minimal and
v. no special categories of data were affected in this incident and to the
extent the Company is concerned, any data received by the Company
was provided by the complainant and the Company could not have
known that the data was provided fraudulently (as claimed by the
complainant).
Legal framework
8. Article 12: Transparent information, communication and modalities for the
exercise of the rights of the data subject.
Pursuant to article 12(3) of the GDPR The controller shall provide information
on action taken on a request under Articles 15 to 22 to the data subject without
undue delay and in any event within one month of receipt of the request. That
period may be extended by two further months where necessary, taking into
account the complexity and number of the requests. The controller shall inform
the data subject of any such extension within one month of receipt of the
request, together with the reasons for the delay. Where the data subject makes
the request by electronic form means, the information shall be provided by
electronic means where possible, unless otherwise requested by the data
subject.
9. Article 15: Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation
as to whether or not personal data concerning him or her are being processed,
and, where that is the case, access to the personal data and the following
information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have
been or will be disclosed, in particular recipients in third countries or
international organisations;
(d) where possible, the envisaged period for which the personal data will be
stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or
erasure of personal data or restriction of processing of personal data
concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any
available information as to their source;
(h) the existence of automated decision-making, including profiling, referred to
in Article 22(1) and (4) and, at least in those cases, meaningful information
about the logic involved, as well as the significance and the envisaged
consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international
organisation, the data subject shall have the right to be informed of the
appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing
processing. For any further copies requested by the data subject, the controller
may charge a reasonable fee based on administrative costs. Where the data
subject makes the request by electronic means, and unless otherwise
requested by the data subject, the information shall be provided in a commonly
used electronic form.
10. Article 58. Corrective Powers
2. Each supervisory authority shall have all of the following corrective powers:
...
(b) to issue reprimands to a controller or a processor where processing
operations have infringed provisions of this Regulation; ...
Preliminary Views of the Commissioner
11. After reviewing the information provided by the controller’s legal
representative, in their response to my Preliminary Decision, specifically the
fact that the controller appreciates that there was a lack of appropriate attention
to the complainant’s request, I consider that the controller understands that the
request could have been satisfied from the first instance if the support staff was
properly trained in tackling GDPR requests in a timely manner.
12. Despite this, considering that the GDPR had been enforced for more than
a year at the time of the complainant’s first SAR, the controller should have had
the appropriate measures in place for at least satisfying data subject rights set
out in Articles 15 to 22 of the GDPR. Moreover, the complainant should have
received a valid response without delay to its first SAR, where he clearly
requested to be informed of all his personal data which was processed by the
controller at the time.
Decision
13. Having regard to all the above information, and based on the powers vested
in me by Articles 58 and 83 of Regulation (EU) 2016/679 and article 24(b)
of National Law 125(I)/2018, I conclude that there is an infringement by Tarlun
Limited of Article 12(3) of the GDPR, since the controller has not complied with
the complainant's request in a timely manner.
14. Moreover, following an infringement of Article 12(3) GDPR, as explained
above, under the provisions of Article 83 of the GDPR, I take into account the
following mitigating (1-3) and aggravating (4-6) factors:
1. That there is no previous violation by the controller of the GDPR 2016/679.
2. The controller satisfied the access request as soon as the mistake was
realized
3. The measures taken after the incident to ensure that all staff is
appropriately trained in handling GDPR matters.
4. The controller only became aware of the SAR after being notified of the
complaint by my Office.
5. The complainant’s request was not satisfied within the legal timeframe.
6. The lack of appropriate procedures and measures for handling data subject
rights at the time of the request.
15. In view of the above and on the basis of the powers conferred on me by the
provisions of subparagraph (b) of paragraph (2) of Article 58 of the GDPR, I
have decided to issue a reprimand to Tarlun Limited for the infringement
mentioned in paragraph 13 above. In the event of a recurrence of a similar
infringement within 12 months from today, this Decision may be counted
against the company.
Irene Loizidou Nicolaidou
Commissioner
For Personal Data Protection