Commissioner (Cyprus) - 11.17.001.008.222
|Commissioner - 11.17.001.008.222
|Article 12(3) GDPR
Article 15 GDPR
Article 58 GDPR
Article 83 GDPR
Article 24(b) of National Law 125(I)/2018
|National Case Number/Name:
|European Case Law Identifier:
|Cyprus Commissioner (in EN)
The Cyprus Commissioner reprimanded Tarlun Limited for violating Article 12(3) GDPR by failing to respond to an access request within one month due to a misperception. The decision recognised mitigating factors like measures taken in retrospect.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant (the data subject) was wrongly charged for subscription services to the benefit of a website of Tarlun Limited (the controller). On 31 August 2020, the data subject exercised their right of access according to Article 15 GDPR to learn about which data was being held on her and where it was collected from. After receiving a refund in September 2019, but not the requested information, the data subject lodged a complaint with CNIL which was transmitted to the Cyprus Commissioner (the DPA).
In its investigation the DPA collected the information mentioned above and the following: the controller wrongfully believed the access request was only a request for refund and became aware of the access request after the notification of the complaint by the DPA on 15 December 2020. On 24 March 2022, the controller contacted the data subject, satisfied the access request, and apologised. Furthermore, the controller implemented measures to prevent the recurrence of the events. This included creating policies, appropriate technical and organisational measures and arranging training of the personnel on data protection and the provisions of the GDPR.
On 10 November 2022, the DPA issued a preliminary decision stating a violation of Article 12(3) GDPR by the controller due to not complying with the access request timely. The controller acknowledged this decision, clarified the misunderstanding, emphasised measures taken and cited further mitigating factors: no previous infringements, prompt cooperation, satisfaction of the access request in retrospect, minimal damage.
In the preliminary views the DPA pointed out that it is clear, the satisfaction of the request in first instance would have been possible if the staff had been properly trained in GDPR matters. With GDPR in force for over a year, the controller should have had at least measures in place concerning the Articles 15-22 GDPR and thus responded to the data subject’s access request timely.
Holding[edit | edit source]
Based information provided and the authority granted by Article 58 and 83 GDPR, as well as Article 24(b) of National Law 125(I)/2018, the DPA came to the following decision:
There was an infringement of Article 12(3) GDPR because of the lack of a timely compliance with the access request of the data subject. As mitigating factors, the DPA mentioned that there was no previous violation of the controller, that the request was satisfied upon realising, and the measures taken to ensure future compliance with the GDPR. As aggravating factors, the DPA stated that the controller only became aware of the data subject’s access request upon the complaint to the DPA, that there was no satisfaction within the legal timeframe and the lack of appropriate procedures and measures at the time of the access request of the data subject.
Thus, the DPA issued a reprimand, emphasising that this decision would be counted against the controller in case of a recurrence within 12 months.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Decision Failure to Fully Comply to a Subject Access Request by Tarlun Limited 1. A complaint was lodged with the French SA (CNIL - Commission nationale de l'informatique et des libertés) against Tarlun Limited (the controller), whose main establishment is in Cyprus. Moreover, the complaint was subsequently transmitted to Office of the Commissioner for Personal Data Protection (Cyprus SA) on 25/9/2020, in line with Article 56 of the General Data Protection Regulation. 2. On the basis of the above, the Commissioner for Personal Data Protection (the Commissioner) is acting as the lead authority in this matter. In the course of the investigation, other EU countries were identified as being concerned by this case. Description of the case 3.1. The complaint involves the controller’s (Tarlun Limited) failure to comply with the complainant’s access request (SAR) (article 15 of the GDPR) submitted to the controller, which operates the website www.funnycuistot.com. 3.2. In her complaint, the complainant stated that she was charged for subscription services to the benefit of the website www.funnycuistot.com, whereas she indicated that she did not remember having subscribed to this site. Following this, she exercised her right of access via email from XXX to email@example.com on 31 August 2020 to identify what data was being held on her and where the data was collected from. Moreover, she accepted a partial refund, but she had not received an answer as regards the Subject Access Request. After not receiving the requested information, the DS lodged a complaint regarding the controller’s failure to fulfill the request. Investigation by Cyprus SA 4. In the framework of the investigation by the Cyprus SA, the following information was collected: i. The complainant lodged a SAR via email with firstname.lastname@example.org, exercising her right of access as a data subject under Article 15 of the GDPR on 31/08/2019 as well as an inquiry in relation to the subscription to the Website. ii. The controller wrongfully believed that the SAR was a request for a reimbursement for the subscription paid to the Website and that they already fulfilled it by refunding the complainant in September 2019. iii. Following the reimbursement of the complainant, the controller’s Support Department was unable to recover and/or locate the complainant's SAR to reply and provide her with her personal data on time. iv. The controller became aware of the SAR on 15/12/2020, upon notification of the complaint by the Cyprus SA. v. As a result of reimbursement provided to the complainant, the controller continued to have a false impression that the SAR was satisfied until January 2022, when legal advisors were appointed, who clarified to the controller that the SAR was not satisfied. vi. Upon realising this, the controller on 24 March 2022 contacted the complainant and satisfied her SAR by providing her all the information she requested and further apologised for causing any inconvenience. vii. Moreover, the complainant confirmed the receipt of the above information and also stated: “This indicates a fraudulent use of my information and credit card number from an IP address in the Rhône- Alpes region (whereas I am in the Grand Est region) but this is no longer within the scope of the right of access request. So, I have obtained satisfaction concerning my complaint and I thank you for it.” viii. Furthermore, the controller took all necessary actions to avoid any recurrence of the above incident. Specifically, the controller commenced preparation of related policies and the appropriate technical and organizational measures for the compliance with the GDPR and also arranged for the conduction of further training/seminars of its personnel on the provisions of the GDPR and data protection in general. Preliminary Decision 5. On 10 November 2022, the Commissioner issued a Preliminary Decision regarding the controller’s failure to comply with the complainant’s SAR. In the said Preliminary Decision the Commissioner concluded that Tarlun Limited had not complied with the complainant's request in a timely manner, thus there is a violation of Article 12(3) GDPR since the controller did not respond to her SAR within the one-month time limit. 6. The controller’s legal representative responded on 15 December 2022, to the Preliminary Decision and stated, inter alia, that: i. The controller accepts the Commissioner’s conclusion that there is a violation of Article 12(3) GDPR since the Company did not reply to the request made within the one-month time limit; ii. The controller notes that customer service employees wrongfully believed that the request made was a request for a reimbursement for the subscription paid to the website of the Company. iii. Following the incident, the controller emphasizes that GDPR training has been conducted for all its employees including all support managers. 7. In addition to the above, the controller’s legal representative included the following mitigating factors to be taken into account by the Commissioner: i. There are no previous infringements committed by the controller, ii. the controller took every action and provided necessary information timely in order to cooperate with the Commissioner to remedy the incident as well as to help with the investigation and to mitigate the possible adverse effects of the incident, iii. the controller satisfied the access request as soon as the controller realized the incorrect handling of data subject request, iv. the incident in question involved only one data subject and the damage suffered by the data subject is minimal and v. no special categories of data were affected in this incident and to the extent the Company is concerned, any data received by the Company was provided by the complainant and the Company could not have known that the data was provided fraudulently (as claimed by the complainant). Legal framework 8. Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject. Pursuant to article 12(3) of the GDPR The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. 9. Article 15: Right of access by the data subject 1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 10. Article 58. Corrective Powers 2. Each supervisory authority shall have all of the following corrective powers: ... (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; ... Preliminary Views of the Commissioner 11. After reviewing the information provided by the controller’s legal representative, in their response to my Preliminary Decision, specifically the fact that the controller appreciates that there was a lack of appropriate attention to the complainant’s request, I consider that the controller understands that the request could have been satisfied from the first instance if the support staff was properly trained in tackling GDPR requests in a timely manner. 12. Despite this, considering that the GDPR had been enforced for more than a year at the time of the complainant’s first SAR, the controller should have had the appropriate measures in place for at least satisfying data subject rights set out in Articles 15 to 22 of the GDPR. Moreover, the complainant should have received a valid response without delay to its first SAR, where he clearly requested to be informed of all his personal data which was processed by the controller at the time. Decision 13. Having regard to all the above information, and based on the powers vested in me by Articles 58 and 83 of Regulation (EU) 2016/679 and article 24(b) of National Law 125(I)/2018, I conclude that there is an infringement by Tarlun Limited of Article 12(3) of the GDPR, since the controller has not complied with the complainant's request in a timely manner. 14. Moreover, following an infringement of Article 12(3) GDPR, as explained above, under the provisions of Article 83 of the GDPR, I take into account the following mitigating (1-3) and aggravating (4-6) factors: 1. That there is no previous violation by the controller of the GDPR 2016/679. 2. The controller satisfied the access request as soon as the mistake was realized 3. The measures taken after the incident to ensure that all staff is appropriately trained in handling GDPR matters. 4. The controller only became aware of the SAR after being notified of the complaint by my Office. 5. The complainant’s request was not satisfied within the legal timeframe. 6. The lack of appropriate procedures and measures for handling data subject rights at the time of the request. 15. In view of the above and on the basis of the powers conferred on me by the provisions of subparagraph (b) of paragraph (2) of Article 58 of the GDPR, I have decided to issue a reprimand to Tarlun Limited for the infringement mentioned in paragraph 13 above. In the event of a recurrence of a similar infringement within 12 months from today, this Decision may be counted against the company. Irene Loizidou Nicolaidou Commissioner For Personal Data Protection