DPC - C-19-X-XXX Ryanair DAC - November 2020

From GDPRhub
DPC - C-19-X-XXX Ryanair DAC - November 2020
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 4(22) GDPR
Article 12(3) GDPR
Article 15 GDPR
Article 24(1) GDPR
Article 32(1) GDPR
Article 32(4) GDPR
Article 58(2)(b) GDPR
Article 60 GDPR
Article 60(3) GDPR
Article 60(4) GDPR
109(2) of the Data Protection Act
113 of the Data Protection Act
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.11.2020
Published:
Fine: None
Parties: Ryanair DAC
National Case Number/Name: C-19-X-XXX Ryanair DAC - November 2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Cellular

The Irish DPA (DPC) found that Ryanair infringed Article 15 of the GDPR by failing to provide the complainant with a copy their personal data. The DPC was acting in its capacity as lead supervisory authority, to examine the complaint originally received by the UK Data Protection Authority.

English Summary

Facts

The Irish Data protection Commission (DPC), acting in its capacity as lead supervisory authority, commenced an examination of a complaint originally received by the U.K. Data Protection Authority. The complaint concerned cross-border processing in which the DPC was competent to act as lead supervisory authority.

The complaint concerned a subject access request made by the complainant to Ryanair. Ryanair provided the complainant with certain personal data on foot of the request. However, it failed to provide the complainant with a copy of a recording of a call that the complainant had made. Due to the delay on Ryanair’s part in processing the request, Ryanair had since deleted the call recording in accordance with company policy and they had been unable to retrieve it.

Holding

The decision found that Ryanair infringed Article 15 of the GDPR by failing to provide the complainant with a copy their personal data that was undergoing processing at the time of the request. The decision also found that Ryanair infringed Article 12(3) of the General Data Protection Regulation by failing to provide the complainant information on action taken on their request under Article 15 within the statutory timeframe of one month. The decision also reprimanded Ryanair in respect of the infringements.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DPC Ref: C-19-X-XXX


ICO Ref: XXXXXXXXX


Date: 10 November 2020

Complainant: XX


Data Controller: Ryanair DAC


RE: XX V Ryanair DAC


This document is a decision of the Data Protection Commission of Ireland (“DPC”) in relation

to   DPC    complaint   reference,   C-19-X-XXX     (hereinafter  referred   to  as   the
(“Complaint”), submitted by XX (“Complainant”) against Ryanair DAC (“Data Controller”),
which was referred to the Data Protection Commission of Ireland (“DPC”), in its

capacity as lead supervisory authority, by the Information Commissioners Office of the
United Kingdom (“ICO”), as the concerned supervisory authority with which the complaint
was lodged.

This decision is made pursuant to the powers conferred on the DPC by section 113(2)(a) of

the Data Protection Act 2018 (“the Act”) and Article 60 of the General Data
Protection Regulation (“GDPR”).
       Preliminary Assessment of complaint

    1. The complainant initially submitted a complaint to the  ICO, which was thereafter

       received by the DPC on 02 March 2019. In their request, the complainant alleged that
       the data controller had failed to comply with a subject access request, submitted to it
       by the complainant on 26 September 2018. In transmitting the complaint to the DPC,

       the ICO advised that thecomplaint related to the data controller’s failure to respond to
       the complainant’s access request. The ICO provided the DPC with a copy of      the
       complaint form submitted to th    e ICO    by the complainant, a copy of the

       acknowledgement, dated 26 September 2018,that the complainant had received from
       the data controller  when submitting the    access request, and a copy of      the
       complainant’s follow up email to the data controller requesting an update in relation to
       their request.


    2. Prior to commencing an investigation into   the complaint, the DPC reviewed the
       information provided by the ICO and established that Ryanair AC, which has its place

       of main establishment in Ireland, was identified as the relevant data controller under
       the GDPR in relation to thecomplaint, as it determined the purposes and means of the

                                                                                        1    processing of the complainant’s personal data for the purposes of      managing their

    customer service query and responding to their access request.

3. The data i  n question was personal data relating to   the complainant (consisting of,

    amongst other things, customer service complaints and an access request they had
    submitted to Ryanair DAC) as it related to them as an identifiable natural person. The
    DPC was therefore satisfied that the complaint, as received by the DPC on 02 March

    2019, should be investigated to determine if a breach of   the Act and/or GDPR had
    occurred.

    Examination of complaint


4. Acting in its capacity as lead supervisory authority, t     he DPC     commenced an
    examination of the complaint by contacting the data controller via email on 19 March

    2019. In our correspondence, the DPC outlined the details ofthe complaint as set out
    by the ICO.


5. In our communication, the DPC advised the data controller that the scope of the
    complaint related toan allegation made by the complainant thatthe data controller had
    failed to respond to a subject access request, dated 26 September 2018, submitted to

    it by the complainant. The DPC also provided the data controller with details of the
    online portal reference number that the complainant received from the data controller
    following their request.


6. In order to progress the matterthe DPCinstructed the data controllerto respond tothe
    access request in full and to providethis officewith a copy of the cover letterthat issued
    to the complainant.


7. In its response to the DPC dated 02 April 2019, the data controller provided the DPC
    with a copy of a cover letter dated 02 April 2019, that issued to  the complainant in

    relation to their access request. In its correspondence to the complainant, the data
    controller advised that had it received the access request dated 26 September 2018,
    in which the complainant had requested access to all data and specifically all data,

    including call recordings, relating to a specific booking reference.

8. Withit s letter of 02 April 2019,the data controllerprovided the complainantwith access

    to copies of   their personal data relating to   the specific booking   reference the
    complainant had provided to the ICO and data relating to a separate complaint. The
    data controller advised that it could not provide the complainantwith a copy of the call

    recording they had requested as, due to the delay     on the data control ler’s part in
    processing the request, the call recording had been deleted       in accordance with

                                                                                         2    company policy and they had been unable to retrieve it. The data controller advised

    the DPCthat it had informedthe complainantof this via its online portalon 22 February
    2019. The data controller stated that the delay in processing the access request was
    caused by human error as the agentwho had opened and was processingthe access

    request, had ceased working on the data controller’s online portal prior to completing
    the request and hadfailed to reassign the requestto another agent. The data controller
    advised the DPC that it has reviewed its process to ensure that this error would not

    occur again and that the assignment of a request is no longer dependant on agent
    (human) action.


9. This  office reverted to the data controller with further queries relating to its procedure
    regarding access requests for call recordings.

10. The data controller responded to the DPC’s queries stating that it had acknowledged

    the request on 27 September 2018 and requested that the complainant          verify their
    email address. The data controller stated that at the time the request was submitted,
    due to the volume of data subjects who did not verify their email address, access

    requests were not assigned to the relevant department until the email was verified by
    the data subject. The data controlleradvised this office thatthe complainantresponded
    to the request, verifying their email address, but the agent who was working on     the

    request had ceased working on the online portal and therefore the request had not
    been assigned to the relevant department. The data controller asserted that this error
    was not discovered until December 2018, when the request was then assigned to the

    Customer Services department to provide the necessary data         , including the call
    recording, at which point the call record had been deleted in accordance with the data
    controller’s retention policy.


11. The data controller provided the DPC with a copy of its retention policy, in which it
    states that call recordings are retained for a period of 90 days from the date of the call.
    The data controller advised that, as the complainant’s call had been made on 05

    September 2018, it would have been automatically deleted on 04 December 2018. he
    data controller further stated that it does not have the functionality to retrieve deleted
    call recordings.


12. The data  controller advised this office that it would now include wording in its “Contact
    Us FAQ’s” on its website, which is the central location for the data controller’s contact

    numbers, including the phone numbers for the main C         ustomer Support for each
    market, advising customers that call recordings will be deleted from the system after
    90 days. The data controller stated that customers looking to contact its call centres

    need to access this page in order to obtain the appropriate number and the notification
    would be prominent and visible at that point.

                                                                                           313. Throughout the handling of the complaint, the DPC kept t   he complainant informed of
    the progress of the complaint via updates transmitted to the ICO.


14. The DPC provided the data controller with a copy of the draft decision in relation to the
    complaint by way of email on 03 April 2020, inviting it to provide final submissions in
    relation to theatter by close of business 17 April 2020.


15. The data controller provided its final submission by way of email dated 21 April 2020.

16. In its submission, the data controller stated that the complainant’s access request,

    submitted through the data controller’s online portal on 26 September 2018, stated “I
    would like ALL data included recorded calls relating to booking CR8E6F”. The data
    controller advised the DPC that the request was not limited to recordings of phone calls

    made by the complainant.


17. The data controller also submitted that the draft decision did not reflect the chronology

    of events and asserted that, in response to the complainant’s access request, prior to
    receipt of the DPC’s initial correspondence, the data controller had previously provided
    various records to the complainant via its online portal on both 10 January 2019 and

    18 February 2019. The data controller asserted that the records provided contained
    the complainant’s personal data and included letters, a written complaint and web chat
    transcripts relating to a specific booking reference. The data controller stated that, in

    the course of these communications with the complainant, and in a further
    communications on 22 February 2019 and 04 March 2019 via the data controller’s
    online portal, the data controller had also made it clear to the complainant that it was

    no longer in a position to provide call recordings, as they had been deleted and
    explained the reasons for this (i.e. that the data controller had not located the
    recordings prior to the 90 day deletion period elapsing). The data controller advised
    that in its communication to the complainant on 04 March 2019 it had also apologised

    to the complainant for any inconvenience caused. In addition, the data controller also
    stated that it liaised with the complainant in September and October 2019, in parallel
    to their access request, in an attempt to resolve their underlying customer service

    complaint.



18. The data controller highlighted the steps that it had taken in response to the
    complainant’s access request and suggested that they be considered as mitigating
    factors by the DPC when making its decision. These steps were:


        a) providing various written records containing the complainant’s personal data
            to them in January and February 2019;                                         4        b) explaining to the complainant on more than one occasion the reasons for its

            inability to provide the call recordings to them;
        c) providing an apology to the complainant for any inconvenience caused;
        d) making various alterations to its data processing systems to avoid any repeat

            of the human error that caused the failures highlighted in the complaint;
        e) adopting measures to ensure enhanced transparency concerning its retention
            of call recordings; and

        f)  that it had co-operated with the DPC in respect of our investigation into this
            matter.


    Complaint handling process

19. In accordance with section 109(2) of the Act, the DPC is mandated to attempt to

    amicably resolve complaints where there is a reasonable likelihood of amicable
    resolution being reached within a reasonable time. If the complaint is not amicably
    resolved the DPC will take such action(s) as the Commission considers appropriate as

    set out in section 113 of the Act. Whilst the DPC engaged in such efforts, in this case
    the complainant not ified the ICO they were unsatisfied with the apology put forward by

    the data controller in an attempt to amicably resolve the subject matter of the
    complaint.


    Communication of draft decision to “supervisory authorities concerned”

20. In accordance with Article 60(3) of the GDPR, the DPC is obliged to communicate the
    relevant information and submit a draft decision, in relation to a complaint regarding
    cross border processing, to the supervisory authorities concerned for their opinion and

    to take due ac count of their views.

21. In accordance with its obligation, the DPC transmitted a draft decision in relation to the

    matter to the “supervisory authorities concerned” on 25 May 2020. As Ryanair DAC
    offers goods and services across    the EU, and therefore the processing is likely to
    substantially affect data subjects in every EU member state, the DPC in its role as LSA

    identified that each supervisory authority was a supervisory authority concerned as
    defined in Article 4(22) of te GDPR. On this basis, the draft decision of the DPC in
    relation to this complaint was transmitted to each supervisory authority in the EU and

    EEA for their opinion.

22. Subsequently, the DPC received a number of “relevant and reasoned objections” from
    different supervisory authorities concerned within the statutory timeframe of four weeks

    pursuant to Article 60(4). Further, the DPC also received a number of opinions from
    other supervisory authorities concerned in relation to the draft decision.

                                                                                           5    Summary of opinions received from “supervisory authorities concerned”



23. The DP  C received formal relevant and reasoned objections in relation to the draft
    decision, pursuant to Article 60(4) of the GDPR, from three supervisory authorities
    concerned;

       •   Berliner Beaftragte für Datenschutz und Informationsfreiheit (Berlin DPA);
       •   Comissão Nacional de Protecção de Dados (Portuguese DPA); and
       •   the Office of Personal Data Protection (UODO) of Poland.


24. The D PC also received a number of opinions, which were not expressed as formal
    objections, in relation to the draft decision from five other supervisory authorities

    concerned;
       •   Garante Per La Protezione Dei Dati Personali (the Italian DPA);
       •   Nemzeti Adatvédelmi és Információszabadság Hatóság (the Hungarian DPA);

       •   Datatilsynet (Danish DPA);
       •   Autorité de Protection de Données (Belgian DPA); and

       •   Autoriteit Persoonsgegevens (Dutch DPA).

25. In its relevant and reasoned objection the Berlin DPA opined that the DPC’s draft

    decision failed to make asubstantive assessment ofwhat it considered to beadditional
    infringements by Ryanair DAC of Article 32(1) and A rticle 32(4) of the GDPR. The
    Berlin DPA stated that, due to Ryanair DAC’s insufficient technical, organisational and
    human resource measures to ensure the security of data processing, the information

    provided to the complainant was incomplete.

26. In itspinion, the Italian DPAstated that the human error that led to the failure to reply

    to the subject access request within    the statutory timeframe clearly shows that
    organisational and technical issues existed internally, such as to give rise to an
    accountability issue under Article 24(1).


27. Further, in the relevant and reasoned objections raised by the supervisory authorities
    concerned, the Berlin DPA, the Portuguese DPA and UODO all noted that the DPC
    had found that an     infringement of the GDPR occurred. On this basis          , the

    aforementioned supervisory authorities concerned advocated for the exercise of a
    corrective power by the DPC, especially in circumstances where the inf    ringements
    related to the exercise of data subject rights. This opinion was also expressed by the

    Italian DPA , the Hungarian DPA, the Danish DPA and the Belgian DPA in the


                                                                                        6    comments submitted by the se supervisory authorities in relation to the DPC’s draft

    decision.

28. Finally, in its opinion on the DPC’s draft decision, the Dutch DPA submitted the view

    that supervisory authorities are free to structure their complaint handling as they wish
    and that finding a breach of the GDPR does not automatically mean that a corrective
    measure needs be imposed. The DPC notes this view, and considers that no further

    analysis of the Dutch DPA’s opinion is required in this regard.

    Analysis of opinions received from “supervisory authorities concerned”


29. Having carefully considered the opinions of the supervisory authorities concerned, the
    DPC has completed a careful in-depth analysis of the opinions and concerns raised,
    both in the context of formal relevant and reasoned objections pursuant to Article 60(4)

    and in opinions submitted in relation to the DPC’s draft decision.

30. The DPC has given careful consideration to the opinions of both the Berlin DPA and

    the Italian DPAin relation to their assertions that Ryanair DAChad further contravened
    the GDPR and has completed the following analysis.

31. In its submission the Berlin DPA stated that “Due to Ryanair's insufficient technical,

    organisational and human resource measures to ensure the security of data
    processing, the information provided to the complainant was late and incomplete.
    According to points 8, 10 and 26 of the DPC's Draft Decision, Ryanair was late in

    informing the complainant of his data held by Ryanair within the meaning of Art. 15(1)
    GDPR due to 'human error'. The agent who had initially handled the access request
    until the end of his work on the online portal forgot to assign the access request to

    another agent after his departure. The answer to the re -quest was hence only made
    by letter of 2 April 2019. Additionally, due to the delay in providing the information, the
    complainant could not be provided with the recording of his or her call of 5 September

    2018, as calls are irrevocably deleted 90 days after their recording due to Ryanair's
    internal deletion deadlines. Within the one- month period resulting from Art. 12(3)
    GDPR, Ryanair would therefore have been able to make the call           available to the
    complainant. Hence, this additionally constitutes an infringement by Ryanair of Art.

    32(1) and (4) GDPR.”

32. Article 32 of the GDPR relates to the security of processing of personal data. More

    specifically, Article 32(1) of the GDPR states   that a data controller shall implement
    appropriate technical and organisational measures to ensure a level of security
    appropriate to the risk. Further, Article 32(4) states that the controller shall take steps

    to ensure that any natural person acting under the authority of the controller who has

                                                                                           7    access to personal data does not process      the data except on instructions from the

    controller, unless he or she is required to do so by Union or Member State law.

33. The DPC notes that in this instance the data controller failed to respond to an access

    request submitted by the data subject within the statutory timeframe and that this
    failure to respond was caused by an employee failing to follow internal organisational
    procedures. The DPC also notes that the failure to respond to the data subject’s access
    request within the statutory timeframe resulted in an irrevocable deletion of the data
    subject’s personal data, as it was deleted in line with the data controller’s 90 day

    retention period for call recordings. While the DPC notes that the employee’s failure to
    follow the organisational measures in place resulted in the deletion of the data subje’ t
    personal data, the DPC does not consider that there is any evidence to suggest that
    the employee’s failure to follow the organisational measures in place resulted in any

    risk to the security of the personal data being processed, as the data was destroyed in
    line with the data controller’s retention period. The DPC also considers that there is no
    evidence to suggest that the    employee of the data controller processed the data
    subject’s personal data outside of the instructions of the data controller, in

    circumstances where the employee failed to process the data subject’s access
    request. As such, the DPC finds no basis to agree with the opinion of the Berlin DPA
    that Ryanair DAC contravened Article 32(1) and Article 32(4) of the GDPR.Further, in
    the course of the DPC’s examination of this complaint, an alleged infringement of
    Article 32(1) and Article 32(4) of the GDPR was not raised as a ground of complaint

    and did not form part of the DPC’s complaint         -handling process; as such, an
    examination of Ryanair DAC’s compliance with Article 32(1) and Article 32(4) of the
    GDPR falls outside the scope of the complaint and of this decision. On this basis, the
    DPC does not propose to follow this objection.


34. In its opinion, the Italian DPA expressed the opinion that the human error that caused
    the failure to reply to the data subject’s access request in due time clearly shows that

    issues existed in relation to the data controller’s technical and organisational
    measures. The Italian DPA also stated that the risk at issue, namely the fact that an
    operator leaving the company and in charge of complaints handling would not be
    immediately replaced to ensure the seamless handling of such complaints, had not

    been tackled by the data controller beforehand, and that the issue was only resolved
    following the intervention of the DPC in relation to this complaint. The Italian DPA
    expressed the opinion that such an internal issue would give rise to an accountability

    issue under Article 24(1) GDPR.

35. The DPC notes that, in the course of the DPC’s examination of this complaint, an

    alleged infringement of Article 24 was not raised as a ground of complaint and did not
    form part of the DPC’s complain-handling process; as such, an examination of Ryanair
    DAC’s compliance with Article 24 falls outside the scope of the complaint and of this

    decision. On this basis, the DPC does not propose to follow the Italian DPA’s opinion.
                                                                                           836. The DP  C also notes that, in their opinions the Berlin DPA, the Portuguese DPA and
    the UODO all advocated for the exercise of a corrective power by the DPC, especially
    in circumstances where the infringements related to the exercis of data subject rights.

    Further, the DPC notes that this opinion was also expressed by the Italian DPA, the
    Hungarian DPA, the Danish DPA and the Belgian DPA in the comments submitted by
    the supervisory authorities in relation to the DPC’s draft decision.


37. Artile 58 of the GDPR provides supervisory authorities with certain powers in relation
    to the investigation and enforcement of the GDPR. Specifically, Article 58(2)(b)
    provides that supervisory authorities shall have the power to issue reprimands to a

    controller or processor where processing operations have infringed provisions of the
    GDPR. Further, Recital 129 of the GDPR states that measures, such as corrective
    powers, “should be appropriate, necessary and proportionate in view of ensuring

    compliance with this Regulation”.

38. In assessing whether the application of a corrective power is appropriate, necessary
    and proportionate in this case, I have had regard to the specific circumstances of this

    complaint. I note that the failure to comply with the complainant’s access request was
    the result of a human error and that the data controller has reviewed it’s technical and
    organisational measure s and has put in place further measures to ensure an

    infringement of t is nature does not occur again. However, it is important to note that,
    due to this human error, the data controller was irrevocably unable to comply in full
    with the data subject’s access request. I consider that the irreversible deletion of the

    data subject’s personal data, contained in a call recording, presented a risk to the
    fundamental rights and freedoms of the data subject as it prevented the data subject
    from ever being able to exercise full control over their personal data.On this basis the

    DPC considers it appropriate, necessary andproportionate to issue a reprimand to the
    data controller in this instance, taking into account the mitigating measures put in place
    by the data controller and the risk to the fundamental rights and freedoms of the data

    subject.

    Communication of revised draft decision to the data controller


39. In light of the opinions received from the supervisory authorities concerned, the DPC
    revised its draft decision to includea summary and analysis ofthe opinions expressed
    by the supervisory authorities concerned, as detailed in paragraphs 23 to 38 above.


40. The DP  C provided the data controller with a copy of both the revised draft decision
    and the opinions of the supervisory authorities concerned by way of email on 01

    October 2020. The DPC invited the data controller to provide any final submissions in
    relation to the matter by close of business 15 October 2020.
                                                                                           941. The data controller responded to the DPC by way of email dated 14 October 2020.

42. In it response, the data controller noted that the DPC had found that it had infringed

    the GDPR, as set out at paragraph 52 below, and that the DPC had exercised its
    powers in this case in line with Recital 129 and the due process requirements in Article
    58 of the GDPR. The data controller advised the DPC that it accepted the findings and

    the associated reprimand.

43. In liht of the above the data controller advised the DPC that it did not wish to make
    any final submissions in relation to the revised draft decision.


    Applicable Law


44. Article 15 of the GDPR provides for an individual’s right of access. Article 15(3) states
    that “The controller shall provide a copy of the personal data undergoing processing”

45. Artile 4(2) of the GDPR defines processing as “any operation or set of operations

    which is performed on personal data or on sets of personal data, whether or not by
    automated means, such as collection, recording, organisation, structuring, storage,
    adaptation or alteration, retrieval, consultation, use, disclosure by transmis      sion,

    dissemination or otherwise making available, alignment of combination, restriction,
    erasure or destruction”.


46. Further, Article 12(3) of the GDPR states that“The controller shall provide information
    on action taken on a request under Articles 15 to 22 to the data subject without undue
    delay and in any event within one month of receipt.”


47. Artile 12(3) further states that “That period may be extended by two further months
    where necessary, taking into account the complexity and number of the requests. The

    controller shall inform the data subject of any such extension within one month of
    receipt of the request, together with the reasons for the delay. “. However, I note that
    the data controller  never notified the complainant of any such extension in this
    instance.


    Findings of Investigation


48. During  the investigation of the complaint, the DPC established that the complainant
    had submitted an access request to the data controller via its online portal       on 26
    September 2018. The complainant received an acknowledgment of rece ipt of their

    access request from the data controller on 27 September 2018.

                                                                                           1049. The data controller provided the complainant with its initial response containing the

    complainant’s personal data on 10 January 2019.

50. Further, in relation to the call recordings requested by the complainant,    the data

    controller advised the DPC that call recordings are retained for a 90 day period from
    the date of the call. As the complainant made a call to the data controller    on 05
    September 2018 and submitted an access request to the data controller          on 26

    September 2018, some 21 days later, the complainant’s personal data, containedin a
    call recording would have been undergoing processing by the data controller    as the
    data controller was storing it. Therefore, this data should have been provided to t he

    data subject in response to their access request.

51. The investigation found that the data controller failed to provide the complainant’s
    personal data within one month of their request. Further, the data controller failed to

    notify the complainant of any extension to the statutory timeframe allowed for under
    Article 12(3) of the GDPR.

    Decision on infringements of the GDPR

52. Following the investigation of the complaint against Ryanair DAC, I am of the opinion
    that it infringedthe General Data Protection Regulation as follows:


    •  Article 15 of the General Data Protection Regulation when it failed to provide
       the complainant with a copy their personal data that was undergoing

       processing at the time of the request.
    •  Article 12(3) of the General Data Protection Regulation in that it fai      led to
       provide the complainant information on action taken on their request under

       Article 15 within the statutory timeframe of one month.


    Remedial measures undertaken by Ryanair DAC

53. In respect of these infringements, it is noted that Ryanair DAC has taken certain

    remedial measures. With regards toRyanair DAC’s 90 day retention period for call
    recordings, the DPC notes that Ryanair DAC has placed a notice on its website page
    where its contact numbers are located notifying users of this 90 day retention period.


54. Regarding the infringement of Article 15, Ryanair DAC has informed the DPC that it
    has put in place measures to ensure that an access request assignment no longer
    requires human action and therefore, an access request will not be overlooked due to

    human error.



                                                                                       11       Exercise of corrective power by the DPC


    55. In light of the extent of the infringements identified above,the DPC hereby
       issues a reprimand to Ryanair DAC, pursuant to Article 58(2)(b) of the GDPR



Yours sincerely,






John O’Dwyer

Deputy Commissioner

On behalf of the Data Protection Commission



































                                                                                      12