DPC - C-19-X-XXX Ryanair DAC - November 2020
|DPC - C-19-X-XXX Ryanair DAC - November 2020|
|Relevant Law:||Article 4(22) GDPR|
Article 12(3) GDPR
Article 15 GDPR
Article 24(1) GDPR
Article 32(1) GDPR
Article 32(4) GDPR
Article 58(2)(b) GDPR
Article 60 GDPR
Article 60(3) GDPR
Article 60(4) GDPR
109(2) of the Data Protection Act
113 of the Data Protection Act
|National Case Number/Name:||C-19-X-XXX Ryanair DAC - November 2020|
|European Case Law Identifier:||n/a|
|Original Source:||Data Protection Commission (in EN)|
The Irish DPA (DPC) found that Ryanair infringed Article 15 of the GDPR by failing to provide the complainant with a copy their personal data. The DPC was acting in its capacity as lead supervisory authority, to examine the complaint originally received by the UK Data Protection Authority.
English Summary[edit | edit source]
Facts[edit | edit source]
The Irish Data protection Commission (DPC), acting in its capacity as lead supervisory authority, commenced an examination of a complaint originally received by the U.K. Data Protection Authority. The complaint concerned cross-border processing in which the DPC was competent to act as lead supervisory authority.
The complaint concerned a subject access request made by the complainant to Ryanair. Ryanair provided the complainant with certain personal data on foot of the request. However, it failed to provide the complainant with a copy of a recording of a call that the complainant had made. Due to the delay on Ryanair’s part in processing the request, Ryanair had since deleted the call recording in accordance with company policy and they had been unable to retrieve it.
Holding[edit | edit source]
The decision found that Ryanair infringed Article 15 of the GDPR by failing to provide the complainant with a copy their personal data that was undergoing processing at the time of the request. The decision also found that Ryanair infringed Article 12(3) of the General Data Protection Regulation by failing to provide the complainant information on action taken on their request under Article 15 within the statutory timeframe of one month. The decision also reprimanded Ryanair in respect of the infringements.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DPC Ref: C-19-X-XXX ICO Ref: XXXXXXXXX Date: 10 November 2020 Complainant: XX Data Controller: Ryanair DAC RE: XX V Ryanair DAC This document is a decision of the Data Protection Commission of Ireland (“DPC”) in relation to DPC complaint reference, C-19-X-XXX (hereinafter referred to as the (“Complaint”), submitted by XX (“Complainant”) against Ryanair DAC (“Data Controller”), which was referred to the Data Protection Commission of Ireland (“DPC”), in its capacity as lead supervisory authority, by the Information Commissioners Office of the United Kingdom (“ICO”), as the concerned supervisory authority with which the complaint was lodged. This decision is made pursuant to the powers conferred on the DPC by section 113(2)(a) of the Data Protection Act 2018 (“the Act”) and Article 60 of the General Data Protection Regulation (“GDPR”). Preliminary Assessment of complaint 1. The complainant initially submitted a complaint to the ICO, which was thereafter received by the DPC on 02 March 2019. In their request, the complainant alleged that the data controller had failed to comply with a subject access request, submitted to it by the complainant on 26 September 2018. In transmitting the complaint to the DPC, the ICO advised that thecomplaint related to the data controller’s failure to respond to the complainant’s access request. The ICO provided the DPC with a copy of the complaint form submitted to th e ICO by the complainant, a copy of the acknowledgement, dated 26 September 2018,that the complainant had received from the data controller when submitting the access request, and a copy of the complainant’s follow up email to the data controller requesting an update in relation to their request. 2. Prior to commencing an investigation into the complaint, the DPC reviewed the information provided by the ICO and established that Ryanair AC, which has its place of main establishment in Ireland, was identified as the relevant data controller under the GDPR in relation to thecomplaint, as it determined the purposes and means of the 1 processing of the complainant’s personal data for the purposes of managing their customer service query and responding to their access request. 3. The data i n question was personal data relating to the complainant (consisting of, amongst other things, customer service complaints and an access request they had submitted to Ryanair DAC) as it related to them as an identifiable natural person. The DPC was therefore satisfied that the complaint, as received by the DPC on 02 March 2019, should be investigated to determine if a breach of the Act and/or GDPR had occurred. Examination of complaint 4. Acting in its capacity as lead supervisory authority, t he DPC commenced an examination of the complaint by contacting the data controller via email on 19 March 2019. In our correspondence, the DPC outlined the details ofthe complaint as set out by the ICO. 5. In our communication, the DPC advised the data controller that the scope of the complaint related toan allegation made by the complainant thatthe data controller had failed to respond to a subject access request, dated 26 September 2018, submitted to it by the complainant. The DPC also provided the data controller with details of the online portal reference number that the complainant received from the data controller following their request. 6. In order to progress the matterthe DPCinstructed the data controllerto respond tothe access request in full and to providethis officewith a copy of the cover letterthat issued to the complainant. 7. In its response to the DPC dated 02 April 2019, the data controller provided the DPC with a copy of a cover letter dated 02 April 2019, that issued to the complainant in relation to their access request. In its correspondence to the complainant, the data controller advised that had it received the access request dated 26 September 2018, in which the complainant had requested access to all data and specifically all data, including call recordings, relating to a specific booking reference. 8. Withit s letter of 02 April 2019,the data controllerprovided the complainantwith access to copies of their personal data relating to the specific booking reference the complainant had provided to the ICO and data relating to a separate complaint. The data controller advised that it could not provide the complainantwith a copy of the call recording they had requested as, due to the delay on the data control ler’s part in processing the request, the call recording had been deleted in accordance with 2 company policy and they had been unable to retrieve it. The data controller advised the DPCthat it had informedthe complainantof this via its online portalon 22 February 2019. The data controller stated that the delay in processing the access request was caused by human error as the agentwho had opened and was processingthe access request, had ceased working on the data controller’s online portal prior to completing the request and hadfailed to reassign the requestto another agent. The data controller advised the DPC that it has reviewed its process to ensure that this error would not occur again and that the assignment of a request is no longer dependant on agent (human) action. 9. This office reverted to the data controller with further queries relating to its procedure regarding access requests for call recordings. 10. The data controller responded to the DPC’s queries stating that it had acknowledged the request on 27 September 2018 and requested that the complainant verify their email address. The data controller stated that at the time the request was submitted, due to the volume of data subjects who did not verify their email address, access requests were not assigned to the relevant department until the email was verified by the data subject. The data controlleradvised this office thatthe complainantresponded to the request, verifying their email address, but the agent who was working on the request had ceased working on the online portal and therefore the request had not been assigned to the relevant department. The data controller asserted that this error was not discovered until December 2018, when the request was then assigned to the Customer Services department to provide the necessary data , including the call recording, at which point the call record had been deleted in accordance with the data controller’s retention policy. 11. The data controller provided the DPC with a copy of its retention policy, in which it states that call recordings are retained for a period of 90 days from the date of the call. The data controller advised that, as the complainant’s call had been made on 05 September 2018, it would have been automatically deleted on 04 December 2018. he data controller further stated that it does not have the functionality to retrieve deleted call recordings. 12. The data controller advised this office that it would now include wording in its “Contact Us FAQ’s” on its website, which is the central location for the data controller’s contact numbers, including the phone numbers for the main C ustomer Support for each market, advising customers that call recordings will be deleted from the system after 90 days. The data controller stated that customers looking to contact its call centres need to access this page in order to obtain the appropriate number and the notification would be prominent and visible at that point. 313. Throughout the handling of the complaint, the DPC kept t he complainant informed of the progress of the complaint via updates transmitted to the ICO. 14. The DPC provided the data controller with a copy of the draft decision in relation to the complaint by way of email on 03 April 2020, inviting it to provide final submissions in relation to theatter by close of business 17 April 2020. 15. The data controller provided its final submission by way of email dated 21 April 2020. 16. In its submission, the data controller stated that the complainant’s access request, submitted through the data controller’s online portal on 26 September 2018, stated “I would like ALL data included recorded calls relating to booking CR8E6F”. The data controller advised the DPC that the request was not limited to recordings of phone calls made by the complainant. 17. The data controller also submitted that the draft decision did not reflect the chronology of events and asserted that, in response to the complainant’s access request, prior to receipt of the DPC’s initial correspondence, the data controller had previously provided various records to the complainant via its online portal on both 10 January 2019 and 18 February 2019. The data controller asserted that the records provided contained the complainant’s personal data and included letters, a written complaint and web chat transcripts relating to a specific booking reference. The data controller stated that, in the course of these communications with the complainant, and in a further communications on 22 February 2019 and 04 March 2019 via the data controller’s online portal, the data controller had also made it clear to the complainant that it was no longer in a position to provide call recordings, as they had been deleted and explained the reasons for this (i.e. that the data controller had not located the recordings prior to the 90 day deletion period elapsing). The data controller advised that in its communication to the complainant on 04 March 2019 it had also apologised to the complainant for any inconvenience caused. In addition, the data controller also stated that it liaised with the complainant in September and October 2019, in parallel to their access request, in an attempt to resolve their underlying customer service complaint. 18. The data controller highlighted the steps that it had taken in response to the complainant’s access request and suggested that they be considered as mitigating factors by the DPC when making its decision. These steps were: a) providing various written records containing the complainant’s personal data to them in January and February 2019; 4 b) explaining to the complainant on more than one occasion the reasons for its inability to provide the call recordings to them; c) providing an apology to the complainant for any inconvenience caused; d) making various alterations to its data processing systems to avoid any repeat of the human error that caused the failures highlighted in the complaint; e) adopting measures to ensure enhanced transparency concerning its retention of call recordings; and f) that it had co-operated with the DPC in respect of our investigation into this matter. Complaint handling process 19. In accordance with section 109(2) of the Act, the DPC is mandated to attempt to amicably resolve complaints where there is a reasonable likelihood of amicable resolution being reached within a reasonable time. If the complaint is not amicably resolved the DPC will take such action(s) as the Commission considers appropriate as set out in section 113 of the Act. Whilst the DPC engaged in such efforts, in this case the complainant not ified the ICO they were unsatisfied with the apology put forward by the data controller in an attempt to amicably resolve the subject matter of the complaint. Communication of draft decision to “supervisory authorities concerned” 20. In accordance with Article 60(3) of the GDPR, the DPC is obliged to communicate the relevant information and submit a draft decision, in relation to a complaint regarding cross border processing, to the supervisory authorities concerned for their opinion and to take due ac count of their views. 21. In accordance with its obligation, the DPC transmitted a draft decision in relation to the matter to the “supervisory authorities concerned” on 25 May 2020. As Ryanair DAC offers goods and services across the EU, and therefore the processing is likely to substantially affect data subjects in every EU member state, the DPC in its role as LSA identified that each supervisory authority was a supervisory authority concerned as defined in Article 4(22) of te GDPR. On this basis, the draft decision of the DPC in relation to this complaint was transmitted to each supervisory authority in the EU and EEA for their opinion. 22. Subsequently, the DPC received a number of “relevant and reasoned objections” from different supervisory authorities concerned within the statutory timeframe of four weeks pursuant to Article 60(4). Further, the DPC also received a number of opinions from other supervisory authorities concerned in relation to the draft decision. 5 Summary of opinions received from “supervisory authorities concerned” 23. The DP C received formal relevant and reasoned objections in relation to the draft decision, pursuant to Article 60(4) of the GDPR, from three supervisory authorities concerned; • Berliner Beaftragte für Datenschutz und Informationsfreiheit (Berlin DPA); • Comissão Nacional de Protecção de Dados (Portuguese DPA); and • the Office of Personal Data Protection (UODO) of Poland. 24. The D PC also received a number of opinions, which were not expressed as formal objections, in relation to the draft decision from five other supervisory authorities concerned; • Garante Per La Protezione Dei Dati Personali (the Italian DPA); • Nemzeti Adatvédelmi és Információszabadság Hatóság (the Hungarian DPA); • Datatilsynet (Danish DPA); • Autorité de Protection de Données (Belgian DPA); and • Autoriteit Persoonsgegevens (Dutch DPA). 25. In its relevant and reasoned objection the Berlin DPA opined that the DPC’s draft decision failed to make asubstantive assessment ofwhat it considered to beadditional infringements by Ryanair DAC of Article 32(1) and A rticle 32(4) of the GDPR. The Berlin DPA stated that, due to Ryanair DAC’s insufficient technical, organisational and human resource measures to ensure the security of data processing, the information provided to the complainant was incomplete. 26. In itspinion, the Italian DPAstated that the human error that led to the failure to reply to the subject access request within the statutory timeframe clearly shows that organisational and technical issues existed internally, such as to give rise to an accountability issue under Article 24(1). 27. Further, in the relevant and reasoned objections raised by the supervisory authorities concerned, the Berlin DPA, the Portuguese DPA and UODO all noted that the DPC had found that an infringement of the GDPR occurred. On this basis , the aforementioned supervisory authorities concerned advocated for the exercise of a corrective power by the DPC, especially in circumstances where the inf ringements related to the exercise of data subject rights. This opinion was also expressed by the Italian DPA , the Hungarian DPA, the Danish DPA and the Belgian DPA in the 6 comments submitted by the se supervisory authorities in relation to the DPC’s draft decision. 28. Finally, in its opinion on the DPC’s draft decision, the Dutch DPA submitted the view that supervisory authorities are free to structure their complaint handling as they wish and that finding a breach of the GDPR does not automatically mean that a corrective measure needs be imposed. The DPC notes this view, and considers that no further analysis of the Dutch DPA’s opinion is required in this regard. Analysis of opinions received from “supervisory authorities concerned” 29. Having carefully considered the opinions of the supervisory authorities concerned, the DPC has completed a careful in-depth analysis of the opinions and concerns raised, both in the context of formal relevant and reasoned objections pursuant to Article 60(4) and in opinions submitted in relation to the DPC’s draft decision. 30. The DPC has given careful consideration to the opinions of both the Berlin DPA and the Italian DPAin relation to their assertions that Ryanair DAChad further contravened the GDPR and has completed the following analysis. 31. In its submission the Berlin DPA stated that “Due to Ryanair's insufficient technical, organisational and human resource measures to ensure the security of data processing, the information provided to the complainant was late and incomplete. According to points 8, 10 and 26 of the DPC's Draft Decision, Ryanair was late in informing the complainant of his data held by Ryanair within the meaning of Art. 15(1) GDPR due to 'human error'. The agent who had initially handled the access request until the end of his work on the online portal forgot to assign the access request to another agent after his departure. The answer to the re -quest was hence only made by letter of 2 April 2019. Additionally, due to the delay in providing the information, the complainant could not be provided with the recording of his or her call of 5 September 2018, as calls are irrevocably deleted 90 days after their recording due to Ryanair's internal deletion deadlines. Within the one- month period resulting from Art. 12(3) GDPR, Ryanair would therefore have been able to make the call available to the complainant. Hence, this additionally constitutes an infringement by Ryanair of Art. 32(1) and (4) GDPR.” 32. Article 32 of the GDPR relates to the security of processing of personal data. More specifically, Article 32(1) of the GDPR states that a data controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Further, Article 32(4) states that the controller shall take steps to ensure that any natural person acting under the authority of the controller who has 7 access to personal data does not process the data except on instructions from the controller, unless he or she is required to do so by Union or Member State law. 33. The DPC notes that in this instance the data controller failed to respond to an access request submitted by the data subject within the statutory timeframe and that this failure to respond was caused by an employee failing to follow internal organisational procedures. The DPC also notes that the failure to respond to the data subject’s access request within the statutory timeframe resulted in an irrevocable deletion of the data subject’s personal data, as it was deleted in line with the data controller’s 90 day retention period for call recordings. While the DPC notes that the employee’s failure to follow the organisational measures in place resulted in the deletion of the data subje’ t personal data, the DPC does not consider that there is any evidence to suggest that the employee’s failure to follow the organisational measures in place resulted in any risk to the security of the personal data being processed, as the data was destroyed in line with the data controller’s retention period. The DPC also considers that there is no evidence to suggest that the employee of the data controller processed the data subject’s personal data outside of the instructions of the data controller, in circumstances where the employee failed to process the data subject’s access request. As such, the DPC finds no basis to agree with the opinion of the Berlin DPA that Ryanair DAC contravened Article 32(1) and Article 32(4) of the GDPR.Further, in the course of the DPC’s examination of this complaint, an alleged infringement of Article 32(1) and Article 32(4) of the GDPR was not raised as a ground of complaint and did not form part of the DPC’s complaint -handling process; as such, an examination of Ryanair DAC’s compliance with Article 32(1) and Article 32(4) of the GDPR falls outside the scope of the complaint and of this decision. On this basis, the DPC does not propose to follow this objection. 34. In its opinion, the Italian DPA expressed the opinion that the human error that caused the failure to reply to the data subject’s access request in due time clearly shows that issues existed in relation to the data controller’s technical and organisational measures. The Italian DPA also stated that the risk at issue, namely the fact that an operator leaving the company and in charge of complaints handling would not be immediately replaced to ensure the seamless handling of such complaints, had not been tackled by the data controller beforehand, and that the issue was only resolved following the intervention of the DPC in relation to this complaint. The Italian DPA expressed the opinion that such an internal issue would give rise to an accountability issue under Article 24(1) GDPR. 35. The DPC notes that, in the course of the DPC’s examination of this complaint, an alleged infringement of Article 24 was not raised as a ground of complaint and did not form part of the DPC’s complain-handling process; as such, an examination of Ryanair DAC’s compliance with Article 24 falls outside the scope of the complaint and of this decision. On this basis, the DPC does not propose to follow the Italian DPA’s opinion. 836. The DP C also notes that, in their opinions the Berlin DPA, the Portuguese DPA and the UODO all advocated for the exercise of a corrective power by the DPC, especially in circumstances where the infringements related to the exercis of data subject rights. Further, the DPC notes that this opinion was also expressed by the Italian DPA, the Hungarian DPA, the Danish DPA and the Belgian DPA in the comments submitted by the supervisory authorities in relation to the DPC’s draft decision. 37. Artile 58 of the GDPR provides supervisory authorities with certain powers in relation to the investigation and enforcement of the GDPR. Specifically, Article 58(2)(b) provides that supervisory authorities shall have the power to issue reprimands to a controller or processor where processing operations have infringed provisions of the GDPR. Further, Recital 129 of the GDPR states that measures, such as corrective powers, “should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation”. 38. In assessing whether the application of a corrective power is appropriate, necessary and proportionate in this case, I have had regard to the specific circumstances of this complaint. I note that the failure to comply with the complainant’s access request was the result of a human error and that the data controller has reviewed it’s technical and organisational measure s and has put in place further measures to ensure an infringement of t is nature does not occur again. However, it is important to note that, due to this human error, the data controller was irrevocably unable to comply in full with the data subject’s access request. I consider that the irreversible deletion of the data subject’s personal data, contained in a call recording, presented a risk to the fundamental rights and freedoms of the data subject as it prevented the data subject from ever being able to exercise full control over their personal data.On this basis the DPC considers it appropriate, necessary andproportionate to issue a reprimand to the data controller in this instance, taking into account the mitigating measures put in place by the data controller and the risk to the fundamental rights and freedoms of the data subject. Communication of revised draft decision to the data controller 39. In light of the opinions received from the supervisory authorities concerned, the DPC revised its draft decision to includea summary and analysis ofthe opinions expressed by the supervisory authorities concerned, as detailed in paragraphs 23 to 38 above. 40. The DP C provided the data controller with a copy of both the revised draft decision and the opinions of the supervisory authorities concerned by way of email on 01 October 2020. The DPC invited the data controller to provide any final submissions in relation to the matter by close of business 15 October 2020. 941. The data controller responded to the DPC by way of email dated 14 October 2020. 42. In it response, the data controller noted that the DPC had found that it had infringed the GDPR, as set out at paragraph 52 below, and that the DPC had exercised its powers in this case in line with Recital 129 and the due process requirements in Article 58 of the GDPR. The data controller advised the DPC that it accepted the findings and the associated reprimand. 43. In liht of the above the data controller advised the DPC that it did not wish to make any final submissions in relation to the revised draft decision. Applicable Law 44. Article 15 of the GDPR provides for an individual’s right of access. Article 15(3) states that “The controller shall provide a copy of the personal data undergoing processing” 45. Artile 4(2) of the GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmis sion, dissemination or otherwise making available, alignment of combination, restriction, erasure or destruction”. 46. Further, Article 12(3) of the GDPR states that“The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt.” 47. Artile 12(3) further states that “That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. “. However, I note that the data controller never notified the complainant of any such extension in this instance. Findings of Investigation 48. During the investigation of the complaint, the DPC established that the complainant had submitted an access request to the data controller via its online portal on 26 September 2018. The complainant received an acknowledgment of rece ipt of their access request from the data controller on 27 September 2018. 1049. The data controller provided the complainant with its initial response containing the complainant’s personal data on 10 January 2019. 50. Further, in relation to the call recordings requested by the complainant, the data controller advised the DPC that call recordings are retained for a 90 day period from the date of the call. As the complainant made a call to the data controller on 05 September 2018 and submitted an access request to the data controller on 26 September 2018, some 21 days later, the complainant’s personal data, containedin a call recording would have been undergoing processing by the data controller as the data controller was storing it. Therefore, this data should have been provided to t he data subject in response to their access request. 51. The investigation found that the data controller failed to provide the complainant’s personal data within one month of their request. Further, the data controller failed to notify the complainant of any extension to the statutory timeframe allowed for under Article 12(3) of the GDPR. Decision on infringements of the GDPR 52. Following the investigation of the complaint against Ryanair DAC, I am of the opinion that it infringedthe General Data Protection Regulation as follows: • Article 15 of the General Data Protection Regulation when it failed to provide the complainant with a copy their personal data that was undergoing processing at the time of the request. • Article 12(3) of the General Data Protection Regulation in that it fai led to provide the complainant information on action taken on their request under Article 15 within the statutory timeframe of one month. Remedial measures undertaken by Ryanair DAC 53. In respect of these infringements, it is noted that Ryanair DAC has taken certain remedial measures. With regards toRyanair DAC’s 90 day retention period for call recordings, the DPC notes that Ryanair DAC has placed a notice on its website page where its contact numbers are located notifying users of this 90 day retention period. 54. Regarding the infringement of Article 15, Ryanair DAC has informed the DPC that it has put in place measures to ensure that an access request assignment no longer requires human action and therefore, an access request will not be overlooked due to human error. 11 Exercise of corrective power by the DPC 55. In light of the extent of the infringements identified above,the DPC hereby issues a reprimand to Ryanair DAC, pursuant to Article 58(2)(b) of the GDPR Yours sincerely, John O’Dwyer Deputy Commissioner On behalf of the Data Protection Commission 12