IDPC (Malta) - EDPBI:MT:OSS:D:2019:70
From GDPRhub
| IDPC (Malta) - EDPBI:MT:OSS:D:2019:70 | |
|---|---|
 | |
| Authority: | IDPC (Malta) |
| Jurisdiction: | Malta |
| Relevant Law: | Article 15 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 28.10.2019 |
| Published: | |
| Fine: | 8000 EUR |
| Parties: | n/a |
| National Case Number/Name: | EDPBI:MT:OSS:D:2019:70 |
| European Case Law Identifier: | EDPBI:MT:OSS:D:2019:70 |
| Appeal: | Not appealed |
| Original Language(s): | English English |
| Original Source: | EDPB (in EN) EDPB (in EN) |
| Initial Contributor: | n/a |
Maltese supervisory authority impose a fine of EUR8,000,- on a controller for failing to respond to an access request.
English Summary
Facts
The complainant requested access to their personal data, but did not obtain a response from the controller (a bank). Upon investigation by the IDPC the controller initially claimed that a response had been provided to the complainant. However, upon further investigation, the controller admitted that the response had not been sent. According to the controller the response had not been sent due to a mistake made by an individual employee, who had applied restrictive settings to their mailbox. Moreover, it found that when said employee left the company, without a proper transfer of the case to another employee.
Holding
"the Commissioner considers that adequate procedures in place to deal with subject did not have access requests, resulting with the complainant actually deprived of her right to access her data within the timeframe stipulated within the Regulation."
Comment
- Relatively high fine compared to other decisions on failure to comply with the the right of access to personal data. - Also important because this decision was made in a cross-border situation, through the one-stop-shop mechanism, and other authorities did not raise objections to this decision by the IDPC.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Information and Data Protection Commissioner
Vs
COMPLAINT
Reference is made to the complaint (registered internally with file number CDP/IMI/LSA/17/2019)
received from the Polish Office for Personal Data Protection concerning ("the
complainant") who is alleging that ("the controller" or " ")breached her
1
data protection rights, as enshrined under the General Data Protection Regulation ("GDPR" or the
"Regulation"). The complainant contended that the controller did not comply with her right of access
request in terms ofArticle 15 ofthe GDPR within the established thirty (30) days' time frame.
From the information provided by the complainant, it transpires that she filed her right ofaccess request
on the 3'd ofOctober 2018 and on the 5th February 2019, the date when she filed the complaint with the
Polish DPA, the controller did not yet provide her with a reply.
INVESTIGATION
As part of the investigation process, on the 26th of July 2019, through an email, the Commissioner
requested the controller to put forward their submissions on the allegation raised by the complainant.
The submissions, that were received through an email on the 9th ofAugust 2019, contained a letter that
supposedly was sent to the complainant on the 4th of October 2018, the day after the complainant's
request was received by ,together with the file containing the copy of her data. As this letter
was in the Polish language, the Commissioner kindly requested the controller to provide an English
translation.
On the 12th ofAugust 2019, the Commissioner was informed, through an email, that while working on
the English translation, realised that neither the letter nor the file containing the personal data
was ever sent to the complainant, due to (verbatim) "a wrong use ofthe security classification settings
by the 's employee with access to the mailbox ( ) used to
correspond with the said customer [the complainant]". The security classification was set to be
1
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC(General Data Protection Regulation)
Airways Hause, Second Floor\. 1+3561 23287100
H i g hStreet, Slie1549LM 8 idpc.infa@idpc.org.mt
MALTA. e www.idpc.arg.mt,idf;!C.
PROJ'ECTION COMMISSlDN�olo
"Internal only". This setting does not allow communications to be sent outside the organization's
network domain.
Following an internal investigation on this matter, the controller found out that (verbatim) "after
internal organizational changes the person in charge of this particular customer request left the
company without concluding the case and ensuring that a reply wasproperly sent to the customer. For
this reason, the file containing the list ofpersonal data processed by [ has not reach the
customer, together with the usual letter sent to customer'sfollowing a Data Subject Access Request".
The same day the error on the email setting was discovered, meaning on the 12th August 2019, in order
to immediately address the incident, sent the complainant another email apologising for the
late reply, attaching a letter giving details about the processing of personal data, together with the
requested information in the form ofa PDF file.
On the 13th ofAugust, the Commissioner requested a copy ofthe above-mentioned email and attached
PDF file, as evidence that action has been taken in that regard. The copy was eventually received on
the 14th August 2019.
The controller was further requested, through an email dated 19th August 2019, to put forward further
submissions on the organizational and security measures implemented following this incident, to
prevent such a similar incident from occurring again. From this submission, received on the 23rd August
2019, it transpires that now has extended its backup continuity procedure to ensure that
customers' requests to exercise their rights under the GDPR are addressed promptly, (verbatim) "The
procedure is designed to ensure an adequatefollow-up and mirroring ofthe tasks within the Customer
Service Unit. All the customer requests are nowfollowed-up by twopersons, one been the main contact
(principal) and a second person following the correspondence as a back-up, with the capability to
intervene when the principal is not capable ofdoing so. The principal is a senior Customer Service
Agent while the "back-up" is either a Senior Team Member or a senior customer service officer having
experience and knowledge on the various internalprocedures regarding the types ofrequests received
at by the Customer Services team. In case thefirst contact is away, sick or unavailable, the back-up is
able to take over the tasks ifthese are notfinalizedor achieved, thereby closing ofthe customer requests
without impacting the customer negatively. Controls andchecks have been integratedwithin theprocess
in order to avoid such an incidentfrom occurring again in thefuture".,DECISION
On the basis of the foregoing the Commissioner considers that did not have
adequate procedures in place to deal with subject access requests, resulting with the
complainant actually deprived of her right to access her data within the timeframe stipulated
within the Regulation. Consequently, the data controller is found to be in violation ofArticle:
15 of the GDPR.
After having taken into consideration:
the controller's degree ofcooperation with this Office;
that the controller took immediate action to comply with the complainant's request as soon as
the error in the security settings ofthe mail box used to communicate with the complainant was
discovered;
that the controller has now in place a better procedure introducing measures to improve the
process to deal with the customers' requests to exercise their rights under the GDPR and to
keep within the legal timeframes;
and also giving due regard to the circumstances contemplated under Article 83.2 of the
GDPR and taking into account Article 83.1, is hereby being served with
an administrative fine of eight thousand euros (€ 8,000).
The administrative fine shall be paid to the Commissioner within twenty-five (25) days
from receipt of this decision.
In addition, is hereby being instructed to implement the appropriate technical
measures to further enhance the measures already in place.
A copy ofthis decision is also being sent to the Polish Office for Personal Data Protection.
Information and Data Protection Commissioner
Today, the day ofOctober, 2019
