
Incomplete organisational search in response to an Access Request

The DPC received a complaint from an individual who had submitted an access request under Article 15 of the GDPR to a property management company. The individual was seeking access to any personal data processed by the organisation in relation to them. The organisation responded to the access request explicitly stating to the individual that it did not process any personal data in relation to the individual at the time the access request was made or any time before that. 

During the assessment stage, the DPC raised queries with the individual regarding their relationship with the organisation in order to establish whether they were a “data processor” or a “data controller” in this instance. Upon a review of the individual’s response and the supporting documentation they provided, the DPC established that the property management company was the appropriate “data controller” in relation to this complaint.

The DPC requested the organisation to provide further details in relation to the searches it carried out to identify any personal data belonging to the individual. In its initial response, the organisation advised that it had conducted a search of its ‘system’ and that the only personal data that could be identified was the initial request made by the individual. The DPC queried the searches completed and requested documentary evidence of the efforts made to locate the individual’s personal data including those conducted in other sections of the organisation.

The organisation responded with a comprehensive outline of the searches undertaken and provided the relevant supporting documentation. The DPC reviewed this correspondence and subsequently identified three records containing the individual’s personal data (two (2) invoices and one (1) data entry on a software system) which had not been provided to the individual.

Following further engagement between the DPC and the organisation, the three outstanding documents containing the individual’s personal data were provided to the individual.

Key Takeaway

  • Organisations are required to have appropriate organisational measures in place to ensure they are in a position to respond to any rights requests within the stipulated timeframes under the GDPR and to be able to demonstrate to the DPC that adequate searches have taken place to locate any records containing personal data that may be processed.