The DPC as Lead Supervisory Authority received a complaint via the One- Stop-Shop (OSS) mechanism created by the GDPR from an individual in Germany regarding an erasure request, pursuant to Article 17 of the GDPR to an online financial company based in Ireland. 

Having submitted the erasure request to the company for the deletion of their personal data from the company’s database, the individual received a refusal from the company to their request. The company informed the individual concerned that it had a legal obligation that required it to retain the data. In the complaint, the individual stated that the company did not provide further information for the basis of its refusal of their request, or information on how long it would retain their data. 

The individual then lodged their complaint via the North Rhine-Westphalia Data Protection Authority, who then transferred the complaint to the DPC as the Lead Supervisory Authority. 

The complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018. 

As part of the amicable resolution process, it was established that the company was a financial regulated entity obliged by law to keep the personal data related to closed accounts for a period of seven years, and, upon the expiry of this period, it deletes the personal data associated with a closed account. The company confirmed the date the individual’s data would be deleted, and confirmed that until such a time as it could comply with the erasure request, the individual’s personal data would be safeguarded. 

The DPC communicated this information to the individual via the North Rhine-Westphalia Data Protection Authority. The individual responded, confirming the information provided by the DPC had led to the amicable resolution of their complaint.