IDPC (Malta) - CDP/IMI/LSA/22/2021
From GDPRhub
| IDPC - CDP/IMI/LSA/22/2021 | |
|---|---|
 | |
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 12(3) GDPR Article 15(1) GDPR Article 15(2) GDPR Article 15(3) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 27.12.2022 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | CDP/IMI/LSA/22/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | IDPC (Malta) (in EN) |
| Initial Contributor: | n/a |
The Maltese DPA found that a controller failed to react to an access request within one month as the GDPR foresees, and failed to provide the data subject with a copy of their personal data.
English Summary
Facts
The data subject had made an access request to a controller pursuant to Article 15 GDPR. The controller failed to provide information to the data subject on the action taken on the access request within one month as the GDPR foresees due to the large amount of access requests that the company had received.
The data subject initially filed the complaint with the Austrian DPA, which informed the Maltese DPA about the complaint pursuant to Article 56(3) GDPR. The Maltese DPA confirmed it was the lead supervisory authority, as the controller had its main establishment in Malta.
The controller sent an e-mail to the data subject's lawyer after one month and two weeks of the date of the access request. In the e-mail the controller informed the lawyer acting on behalf of the data subject that the request has been processed and asked for confirmation to send the relevant information via Wetransfer. As a result of not receiving a reply to the e-mail, the controller did not provide a copy of the processed ersonal data.
Holding
The DPA stated that when a controller chooses the means of how to transmit the electronic file to the data subject, the controller shall ensure that the data subject is able to download the information in a commonly used electronic format. When a controller makes personal data available to the data subject, it is a processing operation, and therefore, the controller is must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing pursuant to Article 32(1) GDPR.
The DPA held that the controller infringed Article 12(3) GDPR, when it failed to reply to an access request within one (1) month from the date of receipt of the request, and Articles 15(1), 15(2), 15(3) GDPR, when the controller failed to provide the data subject with a copy of their personal data and information about the processing.
Eventually, the DPA issued a reprimand. Furthermore, the controller was ordered to comply with the request and provide the data subject with the information as required under Article 15(1) from letter (a) to (h) GDPR and Article 15(2) GDPR, and to provide the data subject with a copy of their personal data that was undergoing processing at the time of submitting the request pursuant to Article 15(3) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Information andData Protection Commissioner
CDP/IMI/LSA/22/2021
vs
COMPLAINT
1. On the 24 th June 2021, (the “complainant”) lodged a complaint with
Österreichische Datenschutzbehörde, the Austrian Supervisory Authority, against
1(the“controller”) pursuant to article77(1) of the General DataProtection
2
Regulation (the“Regulation”).
2. Thecomplainant contended that, on the5 May 2021, shehad exercised theright to access her
personal datain accordancewith article 15 of theRegulation. However, thecontroller failed to
provide the complainant with information about the action taken within the time-frame
stipulated by law. The complainant further argued that shewas not informed if the controller
needed an extension to reply to her request.
3. On the22 September 2021, theAustrian Supervisory Authority informed theInformation and
Data Protection Commissioner (the “Commissioner”) about thecomplaint pursuant to article
56(3) of the Regulation. Following an assessment carried out by the Commissioner, it was
established that the controller has its main establishment in Malta. Thus, the Commissioner
proceeded to handlethecaseas thelead supervisory authority.
1 is a private limited company registered under thelaws of Malta with number ,
havingits registeredaddressat .
2Regulation (EU) 2016/679 of the European Parliamentandof the Councilof 27April2016on theprotectionof
natural persons with regardtothe processingof personal data and on the free movement of such data, and repealing
Directive95/46/EC (GeneralDataProtectionRegulation).
Page1 of 6INVESTIGATION
4. Pursuant to article 58(1)(a) of the Regulation, the Commissioner requested the controller to
provide any information which it deemed necessary and relevant to defend itself against the
allegation raised by thecomplainant. In terms of this Office’s internal investigation procedure,
the controller was provided with a copy of the complaint, together with all the supporting
documentation, provided by thecomplainant.
5. On the2 December 2021, thecontroller submitted thefollowing principal legalarguments for
theCommissioner, to consider during thelegal analysis of this case:
a. that, on the5 May 2021, thecontroller “received an emailfrom thelawfirm
”,where“[t]helawfirm requested accessto personal datafortheplayer
”;
b. that the controller failed to comply with the subject access request submitted by the
complainant within the stipulated time-frame “due to the massive inundation of data
subject access requests that the relevant company has received as of late, thereby not
allowing for the company to be able to reply within the stipulated period in this
particularcase”;
th 3
c. that, bymeans of an emaildated the19 June2021 , thecontroller informed thelawyer
acting on behalf of thecomplainant, that her request has been processed and requested
confirmation to send therequested dataviaWetransfer;
th
d. that thecontroller did not receive areply to the email dated the19 June2021, and, as
a result, the controller did not provide a copy of the personal data undergoing
processing to thecomplainant.
3
The controller provided a copy of the email dated the 19th June 2021 in German (original text) and English
(translation). The English translation read “May we send you the requested data via the service provider
"WeTransfer"?
Page2 of 6LEGAL ANALYSIS AND DECISION
TheTiming of theReply
6. The protection of natural persons in relation to the processing of their personal data is a
fundamental right recognised by article 8(1) of the Charter of Fundamental Rights of the
European Union. Within this context, therights of thedatasubjects as set forth in articles 12 to
22 of theRegulation are thefulcrum of the law, and their roleis absolutely crucial to ensurethe
utmost protection of personal data processed by controllers. In this regard, the Commissioner
emphasises the importance attributed to the right of access as laid down in article 15 of the
Regulation, in particular, its special feature, which is derived from the fact that it is often a
means, prerequisite or condition to enable data subjects to oversee and control their personal
4
data,andconsequently,exerciseotherdatasubjects,suchastherighttoerasureorrectification .
7. Theright of access as enshrined in article15 of theRegulation contains three(3) components:
(i) confirmation of the processing of personal data; (ii) information about theprocessing itself;
and (iii) access to a copy of personal data undergoing processing. Article 15(1) of the
Regulation enables the datasubject to “obtain from the controller confirmation as to whether
or not personal data concerning him or her are being processed and, where that is the case,
access to the personal data”, as well as other supplementary information pursuant to article
15(1)(a) to (h) and article 15(2) of the Regulation. Further to this, article 15(3) of the
Regulation, which is more prescriptive, states that “the controller shall provide a copy of the
personal data undergoing processing”.
8. In this connection, article 12 of the Regulation ensures that substantive rights of data subjects
are safeguarded by establishing clear, proportionate and effective conditions as to how and
when data subjects shall exercise their rights. For this reason, article 12 of the Regulation
provides themodalities for theexerciseof thedatasubjects’rights and establishes an obligation
upon thecontroller to facilitate the exerciseof theserights.
9. In particular, article 12(3) of the Regulation aims at ensuring the efficient exercise of
information and access rights, and obliges the controller to “provide information on action
4CJEU, C-434/16, Nowak,para.56
Page3 of 6 taken on a request under Articles 15 to 22 to thedata subject without undue delay and in any
event within onemonth of receipt of therequest”. Within this set timeframe, thecontroller shall
either (i) comply with therequest; (ii) extend thedeadlineto two(2) furthermonths andprovide
the reasons for such extension; or (iii) refuse to act on therequest in terms of article 12(5)(b)
of theRegulation and inform thedatasubject accordingly.
10. On this aspect, with particular reference to the handling of data protection requests, the
5
European DataProtection Board emphasisesthat “[t]hecontrollershall react and, asa general
rule, provide the information under Art. 15 without undue delay, which in other words means
that the information should be given as soon as possible. This means that, if it is possible to
provide the requested information in a shorter amount of time than one month, the controller
should do so”.
11. After assessing the circumstances of the case, the Commissioner determined that, on the 5 th
May 2021, thecomplainant exercised her right to access her personal data pursuant to article
nd
15 of theRegulation. In thesubmissions provided to this Office on the 2 December 2021, the
controller declared that it had contacted the lawyer of thecomplainant on the 19 June 2021
and that “due to the massive inundation of data subject access requests that the relevant
companyhasreceived asof late,therebynot allowingforthecompanytobeabletoreplywithin
the stipulated period in this particular case”. Thus, the Commissioner established that the
controller failed to provide information to thecomplainant on the action taken on the request
to access her personaldatawithin one (1) month of receipt of therequest.
Making theinformation available
12. In theemail dated the 19 June2021, thecontroller informed thecomplainant that her request
has been processed and requested thecomplainant to confirm whether the response could be
sent by means of theserviceprovided by Wetransfer.
13. For this purpose, the Commissioner analysed article 12(1) of theRegulation, which establishes
that the information shall be provided, where appropriate, by electronic means, in conjunction
withtheprinciple ofintegrity and confidentiality assetforthin article5(1)(f)oftheRegulation.
5EDPB Guidelines 01/2022 ondatasubjectrights -Rightofaccess-Version1.0- Adoptedon18January2022
–Paragraph156
Page4 of 6 14. In this regard, the Commissioner noted that when thecontroller makes personal data available
to the datasubject, this is deemed to bea processing operation, and therefore, thecontroller is
obliged to implement appropriate technical and organisational measures to ensure a level of
security appropriateto therisk of theprocessing in terms of article32(1) of theRegulation.
In addition, the Commissioner considered article 15(3) of the Regulation, which states that
where the datasubject makes therequest by electronic means, and unless otherwise requested
by thedatasubject, theinformation shall beprovided in a commonly used electronic form.
15. The Regulation does not specify what is acommonly used electronic form, and thus, there are
several conceivable formats that could be used by thecontroller. However, it is important to
ensure that the format must enable the information to be presented in a way that is both
intelligible and easily accessible. This naturally means that when the controller chooses the
means of how to transmit the electronic file to the data subject, thecontroller shall ensure that
thedatasubject is able to download theinformation in a commonly used electronic form.
16. Furthermore, recital 63 of the Regulation establishes that “[w]here possible, the controller
should be able to provide remote access to a secure system which would provide the data
subject with direct access to his orher personal data”.
17. It therefore follows that it is theresponsibility of thecontroller to decide about the appropriate
form in which the personal datashall be provided to thedatasubject and this is also in light of
theaccountability principle as held in article5(2) of theRegulation.
Onthebasisoftheforegoingconsiderations,theCommissionerherebydecidesthatthecontroller
infringed:
i. article 12(3) ofthe Regulation, when it failedto provide the complainant with information
on the action taken on hersubject access request within one (1) month from the date of
receipt of request; and
ii. article 15(1), article 15(2) and article 15(3) of the Regulation, when it failed to provide the
complainant with a copy of herpersonal data undergoing processing andthe information
concerning theprocessing.
Page5 of 6By virtue of article 58(2)(b) of the Regulation, the controller is hereby being served with a
reprimand. Furthermore, in terms of article 58(2)(c) of the Regulation, the controller is hereby
being ordered to comply with the request and provide the complainant with the information
prescribedunderarticle 15(1)(a) to (h) and article 15(2) of the Regulation and also with a copy of
herpersonal dataundergoing processing atthe time of submittingthe request pursuant to article
15(3) thereof.
The controller shall comply with this order within ten (10) days from the date of receipt of this
legally binding decision. Non-compliance with the order of the Commissioner within the
stipulated timeframe shall result in the imposition of an administrative fine in terms of article
83(6) of the Regulation.
In terms of article 26(1) of the DataProtection Act (Cap. 586 of the Laws of Malta), any party to this
decision shall have the right to an effective judicial remedy by filing an appeal in writing before the
Information and Data Protection Appeal Tribunal within twenty (20) days from the service of this
6
decision .
Digitallysigned
(Signature)ate:
2022.12.27
(Signature) 12:45:50 +01'00'
Information andData Protection Commissioner
6MoreinformationabouttheTribunalandtheappeals procedureis accessibleonhttps://idpc.org.mt/appeals-
tribunal/
Page6 of 6
