IDPC (Malta) - CDP/IMI/LSA/17/2022

From GDPRhub
IDPC - CDP/IMI/LSA/17/2022
LogoMT.jpg
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 12(1) GDPR
Article 12(3) GDPR
Article 17(1) GDPR
Article 17(3) GDPR
Article 56 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started: 28.05.2020
Decided: 28.02.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: CDP/IMI/LSA/17/2022
European Case Law Identifier: EDPBI:MT:OSS:D:2022:340
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 GDPR procedure, the DPA of Malta reprimanded a controller (Article 58(2)(b) GDPR) for requesting the data subject to sign an agreement in order to process his erasure request. The controller also had to reply to the request (Article 58(2)(d) GDPR).

English Summary

Facts

The data subject requested an investment services provider (controller) to close his account and unsubscribe him from e-mail notifications. In subsequent e-mails, the controller asked the data subject to sign and return the subscription agreement, which had not been signed at the start of the subscription. The controller would close the account after the data subject signed the agreement.

The data subject rejected this option and filed a complaint at the Spanish DPA which, in turn, transferred the case to the information and data protection commissioner of Malta (DPA) pursuant of Article 56 GDPR. Therefore, the LSA handled the complaint under of Article 60 GDPR and started an investigation.

During the proceedings, the controller stated that it was subject to a yearly audit by an independent third party. Its processing of personal data was necessary to comply with this legal obligation. Therefore, it did not delete all the data. The controller also relied on Article 6(1)(c) GDPR for its processing. The controller also provided screenshots to prove that it closed the account of the data subject on 26 May 2020.

Holding

Document containing personal data of third parties

The DPA held that data subjects could only lodge complaints with a supervisory authority if the possible infringing processing concerned the data subject (Article 77(1) GDPR). This part of the complaint was dismissed since it only concerned personal data of third parties disclosed in the document. The data subject was not affected by this. However, the DPA reserved the right to start a separate investigation on this alleged data breach.

The DPA proceeded to examine the erasure request and the timing of the request, pursuant of Article 57(1)(f) GDPR.

Erasure request

The DPA held that the controller must delete personal data without undue delay when a request is made pursuant of Article 17 GDPR. However, this is different when Article 17(3) GDPR applies, which describes that Article 17(1) and 17(2) do not apply when processing is necessary for certain, specific purposes or compelling requirements described in these provisions. The DPA emphasised Article 17(3)(b) GDPR, stating that the right of erasure does not apply when the controller has a legal obligation to process data.

The DPA agreed with the controller that it had to keep the personal data to comply with national law, specifically Subsidiary Legislation 373.01. Article 13(2) of this national regulation states that under certain conditions, specific data must be retained for 5 years. The DPA determined that the controller was subject to this provision.

Because the data subjects account had been closed on 26 May 2020, the 5 year period had not elapsed at the time that the data subject filed his complaint at the DPA. Therefore, the DPA concluded that Article 17(1) GDPR did not apply did not apply because the processing was necessary to comply with the legal obligation in Article 13(2) of S.L. 373.01.

Timing of the request

The DPA determined that the controller violated Article 12(3) GDPR, because it failed to provide the data subject with information on action taken regarding the erasure request within one month of the receipt of the request. Instead, it had requested the data subject to sign the subscription agreement. The DPA stated that any failure on the controller’s part to fulfil its own procedural obligation, in this case the signing of the subscription agreement, shall be independent and shall have not effect on the exercise of data subject’s data protection rights.

The DPA also determined that the controller did not follow its own guidelines (described in the 'Operations department manual') on how to handle erasure requests, which was an indicator that the controller had acted negligently in the context of in Article 12(3) GDPR. The DPA also referred to the WP29 Guidelines 17/EN WP 253 (p. 12) to support its argument.

The DPA reprimanded the controller pursuant of Article 58(2)(b) GDPR and held that in case of a similar infringement in the future, the DPA would impose a fine. The DPA also ordered the controller to provide an answer to the erasure request, pursuant of Article 58(2)(d) GDPR. This reply had to be provided in a concise, transparent, intelligible an easily accessible form, using clear and plain language, in particular by including information relating to specific regulation which obligated the controller to store personal data for the specific timeframe (Article 12(1) GDPR).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.