DPC - C-19-X-XXX Ryanair DAC - November 2020
From GDPRhub
| DPC - C-19-X-XXX Ryanair DAC - November 2020 | |
|---|---|
 | |
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 4(22) GDPR Article 12(3) GDPR Article 15 GDPR Article 24(1) GDPR Article 32(1) GDPR Article 32(4) GDPR Article 58(2)(b) GDPR Article 60 GDPR Article 60(3) GDPR Article 60(4) GDPR 109(2) of the Data Protection Act 113 of the Data Protection Act |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 10.11.2020 |
| Published: | |
| Fine: | None |
| Parties: | Ryanair DAC |
| National Case Number/Name: | C-19-X-XXX Ryanair DAC - November 2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | Data Protection Commission (in EN) |
| Initial Contributor: | Cellular |
The Irish DPA (DPC) found that Ryanair infringed Article 15 of the GDPR by failing to provide the complainant with a copy their personal data. The DPC was acting in its capacity as lead supervisory authority, to examine the complaint originally received by the UK Data Protection Authority.
English Summary
Facts
The Irish Data protection Commission (DPC), acting in its capacity as lead supervisory authority, commenced an examination of a complaint originally received by the U.K. Data Protection Authority. The complaint concerned cross-border processing in which the DPC was competent to act as lead supervisory authority.
The complaint concerned a subject access request made by the complainant to Ryanair. Ryanair provided the complainant with certain personal data on foot of the request. However, it failed to provide the complainant with a copy of a recording of a call that the complainant had made. Due to the delay on Ryanair’s part in processing the request, Ryanair had since deleted the call recording in accordance with company policy and they had been unable to retrieve it.
Holding
The decision found that Ryanair infringed Article 15 of the GDPR by failing to provide the complainant with a copy their personal data that was undergoing processing at the time of the request. The decision also found that Ryanair infringed Article 12(3) of the General Data Protection Regulation by failing to provide the complainant information on action taken on their request under Article 15 within the statutory timeframe of one month. The decision also reprimanded Ryanair in respect of the infringements.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DPC Ref: C-19-X-XXX
ICO Ref: XXXXXXXXX
Date: 10 November 2020
Complainant: XX
Data Controller: Ryanair DAC
RE: XX V Ryanair DAC
This document is a decision of the Data Protection Commission of Ireland (“DPC”) in relation
to DPC complaint reference, C-19-X-XXX (hereinafter referred to as the
(“Complaint”), submitted by XX (“Complainant”) against Ryanair DAC (“Data Controller”),
which was referred to the Data Protection Commission of Ireland (“DPC”), in its
capacity as lead supervisory authority, by the Information Commissioners Office of the
United Kingdom (“ICO”), as the concerned supervisory authority with which the complaint
was lodged.
This decision is made pursuant to the powers conferred on the DPC by section 113(2)(a) of
the Data Protection Act 2018 (“the Act”) and Article 60 of the General Data
Protection Regulation (“GDPR”).
Preliminary Assessment of complaint
1. The complainant initially submitted a complaint to the ICO, which was thereafter
received by the DPC on 02 March 2019. In their request, the complainant alleged that
the data controller had failed to comply with a subject access request, submitted to it
by the complainant on 26 September 2018. In transmitting the complaint to the DPC,
the ICO advised that thecomplaint related to the data controller’s failure to respond to
the complainant’s access request. The ICO provided the DPC with a copy of the
complaint form submitted to th e ICO by the complainant, a copy of the
acknowledgement, dated 26 September 2018,that the complainant had received from
the data controller when submitting the access request, and a copy of the
complainant’s follow up email to the data controller requesting an update in relation to
their request.
2. Prior to commencing an investigation into the complaint, the DPC reviewed the
information provided by the ICO and established that Ryanair AC, which has its place
of main establishment in Ireland, was identified as the relevant data controller under
the GDPR in relation to thecomplaint, as it determined the purposes and means of the
1 processing of the complainant’s personal data for the purposes of managing their
customer service query and responding to their access request.
3. The data i n question was personal data relating to the complainant (consisting of,
amongst other things, customer service complaints and an access request they had
submitted to Ryanair DAC) as it related to them as an identifiable natural person. The
DPC was therefore satisfied that the complaint, as received by the DPC on 02 March
2019, should be investigated to determine if a breach of the Act and/or GDPR had
occurred.
Examination of complaint
4. Acting in its capacity as lead supervisory authority, t he DPC commenced an
examination of the complaint by contacting the data controller via email on 19 March
2019. In our correspondence, the DPC outlined the details ofthe complaint as set out
by the ICO.
5. In our communication, the DPC advised the data controller that the scope of the
complaint related toan allegation made by the complainant thatthe data controller had
failed to respond to a subject access request, dated 26 September 2018, submitted to
it by the complainant. The DPC also provided the data controller with details of the
online portal reference number that the complainant received from the data controller
following their request.
6. In order to progress the matterthe DPCinstructed the data controllerto respond tothe
access request in full and to providethis officewith a copy of the cover letterthat issued
to the complainant.
7. In its response to the DPC dated 02 April 2019, the data controller provided the DPC
with a copy of a cover letter dated 02 April 2019, that issued to the complainant in
relation to their access request. In its correspondence to the complainant, the data
controller advised that had it received the access request dated 26 September 2018,
in which the complainant had requested access to all data and specifically all data,
including call recordings, relating to a specific booking reference.
8. Withit s letter of 02 April 2019,the data controllerprovided the complainantwith access
to copies of their personal data relating to the specific booking reference the
complainant had provided to the ICO and data relating to a separate complaint. The
data controller advised that it could not provide the complainantwith a copy of the call
recording they had requested as, due to the delay on the data control ler’s part in
processing the request, the call recording had been deleted in accordance with
2 company policy and they had been unable to retrieve it. The data controller advised
the DPCthat it had informedthe complainantof this via its online portalon 22 February
2019. The data controller stated that the delay in processing the access request was
caused by human error as the agentwho had opened and was processingthe access
request, had ceased working on the data controller’s online portal prior to completing
the request and hadfailed to reassign the requestto another agent. The data controller
advised the DPC that it has reviewed its process to ensure that this error would not
occur again and that the assignment of a request is no longer dependant on agent
(human) action.
9. This office reverted to the data controller with further queries relating to its procedure
regarding access requests for call recordings.
10. The data controller responded to the DPC’s queries stating that it had acknowledged
the request on 27 September 2018 and requested that the complainant verify their
email address. The data controller stated that at the time the request was submitted,
due to the volume of data subjects who did not verify their email address, access
requests were not assigned to the relevant department until the email was verified by
the data subject. The data controlleradvised this office thatthe complainantresponded
to the request, verifying their email address, but the agent who was working on the
request had ceased working on the online portal and therefore the request had not
been assigned to the relevant department. The data controller asserted that this error
was not discovered until December 2018, when the request was then assigned to the
Customer Services department to provide the necessary data , including the call
recording, at which point the call record had been deleted in accordance with the data
controller’s retention policy.
11. The data controller provided the DPC with a copy of its retention policy, in which it
states that call recordings are retained for a period of 90 days from the date of the call.
The data controller advised that, as the complainant’s call had been made on 05
September 2018, it would have been automatically deleted on 04 December 2018. he
data controller further stated that it does not have the functionality to retrieve deleted
call recordings.
12. The data controller advised this office that it would now include wording in its “Contact
Us FAQ’s” on its website, which is the central location for the data controller’s contact
numbers, including the phone numbers for the main C ustomer Support for each
market, advising customers that call recordings will be deleted from the system after
90 days. The data controller stated that customers looking to contact its call centres
need to access this page in order to obtain the appropriate number and the notification
would be prominent and visible at that point.
313. Throughout the handling of the complaint, the DPC kept t he complainant informed of
the progress of the complaint via updates transmitted to the ICO.
14. The DPC provided the data controller with a copy of the draft decision in relation to the
complaint by way of email on 03 April 2020, inviting it to provide final submissions in
relation to theatter by close of business 17 April 2020.
15. The data controller provided its final submission by way of email dated 21 April 2020.
16. In its submission, the data controller stated that the complainant’s access request,
submitted through the data controller’s online portal on 26 September 2018, stated “I
would like ALL data included recorded calls relating to booking CR8E6F”. The data
controller advised the DPC that the request was not limited to recordings of phone calls
made by the complainant.
17. The data controller also submitted that the draft decision did not reflect the chronology
of events and asserted that, in response to the complainant’s access request, prior to
receipt of the DPC’s initial correspondence, the data controller had previously provided
various records to the complainant via its online portal on both 10 January 2019 and
18 February 2019. The data controller asserted that the records provided contained
the complainant’s personal data and included letters, a written complaint and web chat
transcripts relating to a specific booking reference. The data controller stated that, in
the course of these communications with the complainant, and in a further
communications on 22 February 2019 and 04 March 2019 via the data controller’s
online portal, the data controller had also made it clear to the complainant that it was
no longer in a position to provide call recordings, as they had been deleted and
explained the reasons for this (i.e. that the data controller had not located the
recordings prior to the 90 day deletion period elapsing). The data controller advised
that in its communication to the complainant on 04 March 2019 it had also apologised
to the complainant for any inconvenience caused. In addition, the data controller also
stated that it liaised with the complainant in September and October 2019, in parallel
to their access request, in an attempt to resolve their underlying customer service
complaint.
18. The data controller highlighted the steps that it had taken in response to the
complainant’s access request and suggested that they be considered as mitigating
factors by the DPC when making its decision. These steps were:
a) providing various written records containing the complainant’s personal data
to them in January and February 2019; 4 b) explaining to the complainant on more than one occasion the reasons for its
inability to provide the call recordings to them;
c) providing an apology to the complainant for any inconvenience caused;
d) making various alterations to its data processing systems to avoid any repeat
of the human error that caused the failures highlighted in the complaint;
e) adopting measures to ensure enhanced transparency concerning its retention
of call recordings; and
f) that it had co-operated with the DPC in respect of our investigation into this
matter.
Complaint handling process
19. In accordance with section 109(2) of the Act, the DPC is mandated to attempt to
amicably resolve complaints where there is a reasonable likelihood of amicable
resolution being reached within a reasonable time. If the complaint is not amicably
resolved the DPC will take such action(s) as the Commission considers appropriate as
set out in section 113 of the Act. Whilst the DPC engaged in such efforts, in this case
the complainant not ified the ICO they were unsatisfied with the apology put forward by
the data controller in an attempt to amicably resolve the subject matter of the
complaint.
Communication of draft decision to “supervisory authorities concerned”
20. In accordance with Article 60(3) of the GDPR, the DPC is obliged to communicate the
relevant information and submit a draft decision, in relation to a complaint regarding
cross border processing, to the supervisory authorities concerned for their opinion and
to take due ac count of their views.
21. In accordance with its obligation, the DPC transmitted a draft decision in relation to the
matter to the “supervisory authorities concerned” on 25 May 2020. As Ryanair DAC
offers goods and services across the EU, and therefore the processing is likely to
substantially affect data subjects in every EU member state, the DPC in its role as LSA
identified that each supervisory authority was a supervisory authority concerned as
defined in Article 4(22) of te GDPR. On this basis, the draft decision of the DPC in
relation to this complaint was transmitted to each supervisory authority in the EU and
EEA for their opinion.
22. Subsequently, the DPC received a number of “relevant and reasoned objections” from
different supervisory authorities concerned within the statutory timeframe of four weeks
pursuant to Article 60(4). Further, the DPC also received a number of opinions from
other supervisory authorities concerned in relation to the draft decision.
5 Summary of opinions received from “supervisory authorities concerned”
23. The DP C received formal relevant and reasoned objections in relation to the draft
decision, pursuant to Article 60(4) of the GDPR, from three supervisory authorities
concerned;
• Berliner Beaftragte für Datenschutz und Informationsfreiheit (Berlin DPA);
• Comissão Nacional de Protecção de Dados (Portuguese DPA); and
• the Office of Personal Data Protection (UODO) of Poland.
24. The D PC also received a number of opinions, which were not expressed as formal
objections, in relation to the draft decision from five other supervisory authorities
concerned;
• Garante Per La Protezione Dei Dati Personali (the Italian DPA);
• Nemzeti Adatvédelmi és Információszabadság Hatóság (the Hungarian DPA);
• Datatilsynet (Danish DPA);
• Autorité de Protection de Données (Belgian DPA); and
• Autoriteit Persoonsgegevens (Dutch DPA).
25. In its relevant and reasoned objection the Berlin DPA opined that the DPC’s draft
decision failed to make asubstantive assessment ofwhat it considered to beadditional
infringements by Ryanair DAC of Article 32(1) and A rticle 32(4) of the GDPR. The
Berlin DPA stated that, due to Ryanair DAC’s insufficient technical, organisational and
human resource measures to ensure the security of data processing, the information
provided to the complainant was incomplete.
26. In itspinion, the Italian DPAstated that the human error that led to the failure to reply
to the subject access request within the statutory timeframe clearly shows that
organisational and technical issues existed internally, such as to give rise to an
accountability issue under Article 24(1).
27. Further, in the relevant and reasoned objections raised by the supervisory authorities
concerned, the Berlin DPA, the Portuguese DPA and UODO all noted that the DPC
had found that an infringement of the GDPR occurred. On this basis , the
aforementioned supervisory authorities concerned advocated for the exercise of a
corrective power by the DPC, especially in circumstances where the inf ringements
related to the exercise of data subject rights. This opinion was also expressed by the
Italian DPA , the Hungarian DPA, the Danish DPA and the Belgian DPA in the
6 comments submitted by the se supervisory authorities in relation to the DPC’s draft
decision.
28. Finally, in its opinion on the DPC’s draft decision, the Dutch DPA submitted the view
that supervisory authorities are free to structure their complaint handling as they wish
and that finding a breach of the GDPR does not automatically mean that a corrective
measure needs be imposed. The DPC notes this view, and considers that no further
analysis of the Dutch DPA’s opinion is required in this regard.
Analysis of opinions received from “supervisory authorities concerned”
29. Having carefully considered the opinions of the supervisory authorities concerned, the
DPC has completed a careful in-depth analysis of the opinions and concerns raised,
both in the context of formal relevant and reasoned objections pursuant to Article 60(4)
and in opinions submitted in relation to the DPC’s draft decision.
30. The DPC has given careful consideration to the opinions of both the Berlin DPA and
the Italian DPAin relation to their assertions that Ryanair DAChad further contravened
the GDPR and has completed the following analysis.
31. In its submission the Berlin DPA stated that “Due to Ryanair's insufficient technical,
organisational and human resource measures to ensure the security of data
processing, the information provided to the complainant was late and incomplete.
According to points 8, 10 and 26 of the DPC's Draft Decision, Ryanair was late in
informing the complainant of his data held by Ryanair within the meaning of Art. 15(1)
GDPR due to 'human error'. The agent who had initially handled the access request
until the end of his work on the online portal forgot to assign the access request to
another agent after his departure. The answer to the re -quest was hence only made
by letter of 2 April 2019. Additionally, due to the delay in providing the information, the
complainant could not be provided with the recording of his or her call of 5 September
2018, as calls are irrevocably deleted 90 days after their recording due to Ryanair's
internal deletion deadlines. Within the one- month period resulting from Art. 12(3)
GDPR, Ryanair would therefore have been able to make the call available to the
complainant. Hence, this additionally constitutes an infringement by Ryanair of Art.
32(1) and (4) GDPR.”
32. Article 32 of the GDPR relates to the security of processing of personal data. More
specifically, Article 32(1) of the GDPR states that a data controller shall implement
appropriate technical and organisational measures to ensure a level of security
appropriate to the risk. Further, Article 32(4) states that the controller shall take steps
to ensure that any natural person acting under the authority of the controller who has
7 access to personal data does not process the data except on instructions from the
controller, unless he or she is required to do so by Union or Member State law.
33. The DPC notes that in this instance the data controller failed to respond to an access
request submitted by the data subject within the statutory timeframe and that this
failure to respond was caused by an employee failing to follow internal organisational
procedures. The DPC also notes that the failure to respond to the data subject’s access
request within the statutory timeframe resulted in an irrevocable deletion of the data
subject’s personal data, as it was deleted in line with the data controller’s 90 day
retention period for call recordings. While the DPC notes that the employee’s failure to
follow the organisational measures in place resulted in the deletion of the data subje’ t
personal data, the DPC does not consider that there is any evidence to suggest that
the employee’s failure to follow the organisational measures in place resulted in any
risk to the security of the personal data being processed, as the data was destroyed in
line with the data controller’s retention period. The DPC also considers that there is no
evidence to suggest that the employee of the data controller processed the data
subject’s personal data outside of the instructions of the data controller, in
circumstances where the employee failed to process the data subject’s access
request. As such, the DPC finds no basis to agree with the opinion of the Berlin DPA
that Ryanair DAC contravened Article 32(1) and Article 32(4) of the GDPR.Further, in
the course of the DPC’s examination of this complaint, an alleged infringement of
Article 32(1) and Article 32(4) of the GDPR was not raised as a ground of complaint
and did not form part of the DPC’s complaint -handling process; as such, an
examination of Ryanair DAC’s compliance with Article 32(1) and Article 32(4) of the
GDPR falls outside the scope of the complaint and of this decision. On this basis, the
DPC does not propose to follow this objection.
34. In its opinion, the Italian DPA expressed the opinion that the human error that caused
the failure to reply to the data subject’s access request in due time clearly shows that
issues existed in relation to the data controller’s technical and organisational
measures. The Italian DPA also stated that the risk at issue, namely the fact that an
operator leaving the company and in charge of complaints handling would not be
immediately replaced to ensure the seamless handling of such complaints, had not
been tackled by the data controller beforehand, and that the issue was only resolved
following the intervention of the DPC in relation to this complaint. The Italian DPA
expressed the opinion that such an internal issue would give rise to an accountability
issue under Article 24(1) GDPR.
35. The DPC notes that, in the course of the DPC’s examination of this complaint, an
alleged infringement of Article 24 was not raised as a ground of complaint and did not
form part of the DPC’s complain-handling process; as such, an examination of Ryanair
DAC’s compliance with Article 24 falls outside the scope of the complaint and of this
decision. On this basis, the DPC does not propose to follow the Italian DPA’s opinion.
836. The DP C also notes that, in their opinions the Berlin DPA, the Portuguese DPA and
the UODO all advocated for the exercise of a corrective power by the DPC, especially
in circumstances where the infringements related to the exercis of data subject rights.
Further, the DPC notes that this opinion was also expressed by the Italian DPA, the
Hungarian DPA, the Danish DPA and the Belgian DPA in the comments submitted by
the supervisory authorities in relation to the DPC’s draft decision.
37. Artile 58 of the GDPR provides supervisory authorities with certain powers in relation
to the investigation and enforcement of the GDPR. Specifically, Article 58(2)(b)
provides that supervisory authorities shall have the power to issue reprimands to a
controller or processor where processing operations have infringed provisions of the
GDPR. Further, Recital 129 of the GDPR states that measures, such as corrective
powers, “should be appropriate, necessary and proportionate in view of ensuring
compliance with this Regulation”.
38. In assessing whether the application of a corrective power is appropriate, necessary
and proportionate in this case, I have had regard to the specific circumstances of this
complaint. I note that the failure to comply with the complainant’s access request was
the result of a human error and that the data controller has reviewed it’s technical and
organisational measure s and has put in place further measures to ensure an
infringement of t is nature does not occur again. However, it is important to note that,
due to this human error, the data controller was irrevocably unable to comply in full
with the data subject’s access request. I consider that the irreversible deletion of the
data subject’s personal data, contained in a call recording, presented a risk to the
fundamental rights and freedoms of the data subject as it prevented the data subject
from ever being able to exercise full control over their personal data.On this basis the
DPC considers it appropriate, necessary andproportionate to issue a reprimand to the
data controller in this instance, taking into account the mitigating measures put in place
by the data controller and the risk to the fundamental rights and freedoms of the data
subject.
Communication of revised draft decision to the data controller
39. In light of the opinions received from the supervisory authorities concerned, the DPC
revised its draft decision to includea summary and analysis ofthe opinions expressed
by the supervisory authorities concerned, as detailed in paragraphs 23 to 38 above.
40. The DP C provided the data controller with a copy of both the revised draft decision
and the opinions of the supervisory authorities concerned by way of email on 01
October 2020. The DPC invited the data controller to provide any final submissions in
relation to the matter by close of business 15 October 2020.
941. The data controller responded to the DPC by way of email dated 14 October 2020.
42. In it response, the data controller noted that the DPC had found that it had infringed
the GDPR, as set out at paragraph 52 below, and that the DPC had exercised its
powers in this case in line with Recital 129 and the due process requirements in Article
58 of the GDPR. The data controller advised the DPC that it accepted the findings and
the associated reprimand.
43. In liht of the above the data controller advised the DPC that it did not wish to make
any final submissions in relation to the revised draft decision.
Applicable Law
44. Article 15 of the GDPR provides for an individual’s right of access. Article 15(3) states
that “The controller shall provide a copy of the personal data undergoing processing”
45. Artile 4(2) of the GDPR defines processing as “any operation or set of operations
which is performed on personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmis sion,
dissemination or otherwise making available, alignment of combination, restriction,
erasure or destruction”.
46. Further, Article 12(3) of the GDPR states that“The controller shall provide information
on action taken on a request under Articles 15 to 22 to the data subject without undue
delay and in any event within one month of receipt.”
47. Artile 12(3) further states that “That period may be extended by two further months
where necessary, taking into account the complexity and number of the requests. The
controller shall inform the data subject of any such extension within one month of
receipt of the request, together with the reasons for the delay. “. However, I note that
the data controller never notified the complainant of any such extension in this
instance.
Findings of Investigation
48. During the investigation of the complaint, the DPC established that the complainant
had submitted an access request to the data controller via its online portal on 26
September 2018. The complainant received an acknowledgment of rece ipt of their
access request from the data controller on 27 September 2018.
1049. The data controller provided the complainant with its initial response containing the
complainant’s personal data on 10 January 2019.
50. Further, in relation to the call recordings requested by the complainant, the data
controller advised the DPC that call recordings are retained for a 90 day period from
the date of the call. As the complainant made a call to the data controller on 05
September 2018 and submitted an access request to the data controller on 26
September 2018, some 21 days later, the complainant’s personal data, containedin a
call recording would have been undergoing processing by the data controller as the
data controller was storing it. Therefore, this data should have been provided to t he
data subject in response to their access request.
51. The investigation found that the data controller failed to provide the complainant’s
personal data within one month of their request. Further, the data controller failed to
notify the complainant of any extension to the statutory timeframe allowed for under
Article 12(3) of the GDPR.
Decision on infringements of the GDPR
52. Following the investigation of the complaint against Ryanair DAC, I am of the opinion
that it infringedthe General Data Protection Regulation as follows:
• Article 15 of the General Data Protection Regulation when it failed to provide
the complainant with a copy their personal data that was undergoing
processing at the time of the request.
• Article 12(3) of the General Data Protection Regulation in that it fai led to
provide the complainant information on action taken on their request under
Article 15 within the statutory timeframe of one month.
Remedial measures undertaken by Ryanair DAC
53. In respect of these infringements, it is noted that Ryanair DAC has taken certain
remedial measures. With regards toRyanair DAC’s 90 day retention period for call
recordings, the DPC notes that Ryanair DAC has placed a notice on its website page
where its contact numbers are located notifying users of this 90 day retention period.
54. Regarding the infringement of Article 15, Ryanair DAC has informed the DPC that it
has put in place measures to ensure that an access request assignment no longer
requires human action and therefore, an access request will not be overlooked due to
human error.
11 Exercise of corrective power by the DPC
55. In light of the extent of the infringements identified above,the DPC hereby
issues a reprimand to Ryanair DAC, pursuant to Article 58(2)(b) of the GDPR
Yours sincerely,
John O’Dwyer
Deputy Commissioner
On behalf of the Data Protection Commission
12
