IDPC (Malta) - CDP/IMI/LSA/22/2021

From GDPRhub
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 12(3) GDPR, Article 15(1) GDPR, Article 15(2) GDPR, Article 15(3) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 27.12.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: CDP/IMI/LSA/22/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: IDPC (Malta) (in EN)
Initial Contributor: n/a

The Maltese DPA found that a controller failed to react to an access request within one month as the GDPR foresees, and failed to provide the data subject with a copy of their personal data.

English Summary

Facts

The data subject had made an access request to a controller pursuant to Article 15 GDPR. The controller failed to provide the data subject with information on the action taken on the access request within the one month the GDPR foresees, due to the large amount of access requests that the company had received.

The data subject initially filed the complaint with the Austrian DPA, which informed the Maltese DPA about the complaint pursuant to Article 56(3) GDPR. The Maltese DPA confirmed it was the lead supervisory authority, as the controller had its main establishment in Malta.

The controller sent an e-mail to the data subject's lawyer one month and two weeks after the date of the access request. In the e-mail, the controller informed the lawyer acting on behalf of the data subject that the request had been processed and asked for confirmation to send the relevant information via Wetransfer. As it did not receive a reply to the e-mail, the controller did not provide a copy of the processed personal data.

Holding

The DPA stated that when a controller chooses the means by which to transmit the electronic file to the data subject, the controller shall ensure that the data subject is able to download the information in a commonly used electronic format. When a controller makes personal data available to the data subject, this is a processing operation, and therefore the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing pursuant to Article 32(1) GDPR.

The DPA held that the controller infringed Article 12(3) GDPR, when it failed to reply to an access request within one (1) month from the date of receipt of the request, and Articles 15(1), 15(2), 15(3) GDPR, when the controller failed to provide the data subject with a copy of their personal data and information about the processing.

Eventually, the DPA issued a reprimand. Furthermore, the controller was ordered to comply with the request and provide the data subject with the information as required under Article 15(1)(a) to (h) GDPR and Article 15(2) GDPR, and to provide the data subject with a copy of their personal data that was undergoing processing at the time of submitting the request pursuant to Article 15(3) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Information and Data Protection Commissioner

CDP/IMI/LSA/22/2021

[redacted] vs [redacted]

COMPLAINT



1. On the 24th June 2021, [redacted] (the “complainant”) lodged a complaint with Österreichische Datenschutzbehörde, the Austrian Supervisory Authority, against [redacted][1] (the “controller”) pursuant to article 77(1) of the General Data Protection Regulation[2] (the “Regulation”).

2. The complainant contended that, on the 5 May 2021, she had exercised the right to access her personal data in accordance with article 15 of the Regulation. However, the controller failed to provide the complainant with information about the action taken within the time-frame stipulated by law. The complainant further argued that she was not informed if the controller needed an extension to reply to her request.

3. On the 22 September 2021, the Austrian Supervisory Authority informed the Information and Data Protection Commissioner (the “Commissioner”) about the complaint pursuant to article 56(3) of the Regulation. Following an assessment carried out by the Commissioner, it was established that the controller has its main establishment in Malta. Thus, the Commissioner proceeded to handle the case as the lead supervisory authority.

[1] [redacted] is a private limited company registered under the laws of Malta with number [redacted], having its registered address at [redacted].
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

INVESTIGATION


4. Pursuant to article 58(1)(a) of the Regulation, the Commissioner requested the controller to provide any information which it deemed necessary and relevant to defend itself against the allegation raised by the complainant. In terms of this Office’s internal investigation procedure, the controller was provided with a copy of the complaint, together with all the supporting documentation, provided by the complainant.

5. On the 2 December 2021, the controller submitted the following principal legal arguments for the Commissioner, to consider during the legal analysis of this case:

    a. that, on the 5 May 2021, the controller “received an email from the law firm [redacted]”, where “[t]he law firm requested access to personal data for the player [redacted]”;

    b. that the controller failed to comply with the subject access request submitted by the complainant within the stipulated time-frame “due to the massive inundation of data subject access requests that the relevant company has received as of late, thereby not allowing for the company to be able to reply within the stipulated period in this particular case”;

    c. that, by means of an email dated the 19th June 2021[3], the controller informed the lawyer acting on behalf of the complainant, that her request has been processed and requested confirmation to send the requested data via Wetransfer;

    d. that the controller did not receive a reply to the email dated the 19th June 2021, and, as a result, the controller did not provide a copy of the personal data undergoing processing to the complainant.

[3] The controller provided a copy of the email dated the 19th June 2021 in German (original text) and English (translation). The English translation read “May we send you the requested data via the service provider "WeTransfer"?”

LEGAL ANALYSIS AND DECISION


The Timing of the Reply

6. The protection of natural persons in relation to the processing of their personal data is a fundamental right recognised by article 8(1) of the Charter of Fundamental Rights of the European Union. Within this context, the rights of the data subjects as set forth in articles 12 to 22 of the Regulation are the fulcrum of the law, and their role is absolutely crucial to ensure the utmost protection of personal data processed by controllers. In this regard, the Commissioner emphasises the importance attributed to the right of access as laid down in article 15 of the Regulation, in particular, its special feature, which is derived from the fact that it is often a means, prerequisite or condition to enable data subjects to oversee and control their personal data, and consequently, exercise other data subject rights, such as the right to erasure or rectification[4].

7. The right of access as enshrined in article 15 of the Regulation contains three (3) components: (i) confirmation of the processing of personal data; (ii) information about the processing itself; and (iii) access to a copy of personal data undergoing processing. Article 15(1) of the Regulation enables the data subject to “obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data”, as well as other supplementary information pursuant to article 15(1)(a) to (h) and article 15(2) of the Regulation. Further to this, article 15(3) of the Regulation, which is more prescriptive, states that “the controller shall provide a copy of the personal data undergoing processing”.

8. In this connection, article 12 of the Regulation ensures that substantive rights of data subjects are safeguarded by establishing clear, proportionate and effective conditions as to how and when data subjects shall exercise their rights. For this reason, article 12 of the Regulation provides the modalities for the exercise of the data subjects’ rights and establishes an obligation upon the controller to facilitate the exercise of these rights.

9. In particular, article 12(3) of the Regulation aims at ensuring the efficient exercise of information and access rights, and obliges the controller to “provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request”. Within this set timeframe, the controller shall either (i) comply with the request; (ii) extend the deadline to two (2) further months and provide the reasons for such extension; or (iii) refuse to act on the request in terms of article 12(5)(b) of the Regulation and inform the data subject accordingly.

[4] CJEU, C-434/16, Nowak, para. 56


10. On this aspect, with particular reference to the handling of data protection requests, the European Data Protection Board[5] emphasises that “[t]he controller shall react and, as a general rule, provide the information under Art. 15 without undue delay, which in other words means that the information should be given as soon as possible. This means that, if it is possible to provide the requested information in a shorter amount of time than one month, the controller should do so”.

11. After assessing the circumstances of the case, the Commissioner determined that, on the 5th May 2021, the complainant exercised her right to access her personal data pursuant to article 15 of the Regulation. In the submissions provided to this Office on the 2nd December 2021, the controller declared that it had contacted the lawyer of the complainant on the 19 June 2021 and that “due to the massive inundation of data subject access requests that the relevant company has received as of late, thereby not allowing for the company to be able to reply within the stipulated period in this particular case”. Thus, the Commissioner established that the controller failed to provide information to the complainant on the action taken on the request to access her personal data within one (1) month of receipt of the request.

Making the information available

12. In the email dated the 19 June 2021, the controller informed the complainant that her request has been processed and requested the complainant to confirm whether the response could be sent by means of the service provided by Wetransfer.

13. For this purpose, the Commissioner analysed article 12(1) of the Regulation, which establishes that the information shall be provided, where appropriate, by electronic means, in conjunction with the principle of integrity and confidentiality as set forth in article 5(1)(f) of the Regulation.

[5] EDPB Guidelines 01/2022 on data subject rights - Right of access - Version 1.0 - Adopted on 18 January 2022 – Paragraph 156

14. In this regard, the Commissioner noted that when the controller makes personal data available to the data subject, this is deemed to be a processing operation, and therefore, the controller is obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing in terms of article 32(1) of the Regulation.

In addition, the Commissioner considered article 15(3) of the Regulation, which states that where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.



15. The Regulation does not specify what is a commonly used electronic form, and thus, there are several conceivable formats that could be used by the controller. However, it is important to ensure that the format must enable the information to be presented in a way that is both intelligible and easily accessible. This naturally means that when the controller chooses the means of how to transmit the electronic file to the data subject, the controller shall ensure that the data subject is able to download the information in a commonly used electronic form.

16. Furthermore, recital 63 of the Regulation establishes that “[w]here possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data”.

17. It therefore follows that it is the responsibility of the controller to decide about the appropriate form in which the personal data shall be provided to the data subject and this is also in light of the accountability principle as held in article 5(2) of the Regulation.

On the basis of the foregoing considerations, the Commissioner hereby decides that the controller infringed:

i. article 12(3) of the Regulation, when it failed to provide the complainant with information on the action taken on her subject access request within one (1) month from the date of receipt of request; and

ii. article 15(1), article 15(2) and article 15(3) of the Regulation, when it failed to provide the complainant with a copy of her personal data undergoing processing and the information concerning the processing.

By virtue of article 58(2)(b) of the Regulation, the controller is hereby being served with a reprimand. Furthermore, in terms of article 58(2)(c) of the Regulation, the controller is hereby being ordered to comply with the request and provide the complainant with the information prescribed under article 15(1)(a) to (h) and article 15(2) of the Regulation and also with a copy of her personal data undergoing processing at the time of submitting the request pursuant to article 15(3) thereof.


The controller shall comply with this order within ten (10) days from the date of receipt of this legally binding decision. Non-compliance with the order of the Commissioner within the stipulated timeframe shall result in the imposition of an administrative fine in terms of article 83(6) of the Regulation.

In terms of article 26(1) of the Data Protection Act (Cap. 586 of the Laws of Malta), any party to this decision shall have the right to an effective judicial remedy by filing an appeal in writing before the Information and Data Protection Appeal Tribunal within twenty (20) days from the service of this decision[6].

(Signature)
Digitally signed, date: 2022.12.27 12:45:50 +01'00'
Information and Data Protection Commissioner

[6] More information about the Tribunal and the appeals procedure is accessible on https://idpc.org.mt/appeals-tribunal/