DPC (Ireland) - Microsoft Operations Ireland Limited: Difference between revisions

Revision as of 15:04, 22 December 2023

DPC - Microsoft Operations Ireland Limited

Authority:	DPC (Ireland)
Jurisdiction:	Ireland
Relevant Law:	Article 12(4) GDPR Article 17 GDPR Article 58(2)(b) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	28.07.2021
Decided:	15.11.2023
Published:
Fine:	n/a
Parties:	Microsoft Operations Ireland Limited
National Case Number/Name:	Microsoft Operations Ireland Limited
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	English
Original Source:	DPC (in EN)
Initial Contributor:	Gauravpathak

In the context of a procedure under Article 60 GDPR, the Irish DPC reprimanded Microsoft Operations Ireland Limited for violations of Article 12(4) GDPR and Article 17 GDPR.

English Summary

Facts

A data subject submitted a complaint to the Bavarian DPA stating they submitted an erasure request to Microsoft to erase certain content from its search engine, which was from the data subject's website. However, Microsoft refused to do so by claiming public interest.

Subsequently, the data subject wrote to Microsoft seeking the deletion of all their personal data from Microsoft websites. Thereafter, Microsoft replied to the data subject that it would remove two URLs but not the others due to public interest.

Again, the data subject contacted Microsoft to erase their personal data, and this time, Microsoft shared the instructions to close a Microsoft account.

Meanwhile, the complaint was transferred to DPC as Lead Supervisory Authority and it started .

Through a series of communications with Microsoft, the DPC could get the data subject's personal data deleted. However, the data subject rejected the option of closing their complaint as Microsoft took a lot of time deleting their personal data, and the data subject feared its possible disclosure to third parties.

Accordingly, the DPC continued with its investigation and framed the following issue-

"Whether Microsoft's handling of the Complainant's erasure requests was compliant with Articles 12 and 17 of the GDPR"?

Holding

The DPC held that based on the documentation on record, it is clear that Microsoft did tell the data subject that they had the option of approaching a supervisory authority when Microsoft denied their erasure request. However, Microsoft did not inform the data subject about its right to a judicial remedy at any stage of its communications with Microsoft, thereby violating Article 12 GDPR.

In addition, Microsoft also admitted that it should have accepted certain URLs for delisting in the first instance but failed to do so. Microsoft's action on those complaints started only later; hence, the same was not without undue delay, as required under Article 17 GDPR.

Based on the above, the DPC reprimanded Microsoft under Article 58(2) GDPR and directed it to revise its internal policies and procedures to prevent future violations.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

@@ Line 65: / Line 65: @@
 }}
-The Irish DPC reprimanded Microsoft Operations Ireland Limited for failing to inform the data subject about the availability of a judicial remedy and for not erasing personal data upon request, thereby violating Article 12(4) and [[Article 17 GDPR|Article 17 GDPR]].
+In the context of a procedure under [[Article 60 GDPR|Article 60 GDPR,]] the Irish DPC reprimanded Microsoft Operations Ireland Limited for violations of [[Article 12 GDPR#4|Article 12(4) GDPR]] and [[Article 17 GDPR|Article 17 GDPR]].
 == English Summary ==
 === Facts ===
-A data subject submitted a complaint to Bavarian DPA stating they submitted an erasure request to Microsoft to erase certain content from its search engine, which was from the data subject's website. However, Microsoft refused to do so by claiming public interest.
+A data subject submitted a complaint to the Bavarian DPA stating they submitted an erasure request to Microsoft to erase certain content from its search engine, which was from the data subject's website. However, Microsoft refused to do so by claiming public interest.
 Subsequently, the data subject wrote to Microsoft seeking the deletion of all their personal data from Microsoft websites. Thereafter, Microsoft replied to the data subject that it would remove two URLs but not the others due to public interest.
@@ Line 76: / Line 76: @@
 Again, the data subject contacted Microsoft to erase their personal data, and this time, Microsoft shared the instructions to close a Microsoft account.
-Meanwhile, the complaint was transferred to DPC as it was the Lead Supervisory Authority.
+Meanwhile, the complaint was transferred to DPC as Lead Supervisory Authority and it started .
 Through a series of communications with Microsoft, the DPC could get the data subject's personal data deleted. However, the data subject rejected the option of closing their complaint as Microsoft took a lot of time deleting their personal data, and the data subject feared its possible disclosure to third parties.