Access and Erasure request (Pinterest)
The complaint concerned the individual’s dissatisfaction with Pinterest Europe’s (data controller) response to his access and erasure requests pursuant to Article 15 GDPR and Article 17 GDPR, respectively. The individual submitted his requests following the suspension of his account, in order to obtain a copy of all of his personal data and to have it deleted from the data controller’s systems. The individual’s account was suspended due to a violation of the data controller’s policies regarding spam.
The data controller responded to the requests via an automated response, which stated that it had reviewed the account and decided not to reactivate it because it noticed activity that violated its spam policy. As a result, the individual was no longer able to access his personal data stored on their account. The individual maintained that this information could not be correct as they seldom used their account and sought a more substantial response to their access and erasure requests.
The DPC took up the complaint with Pinterest. The DPC outlined the individual’s concerns in relation to his access and erasure requests and requested that the data controller address those concerns more substantively.
The DPC also requested that the data controller indicate whether the individual was provided with an opportunity to appeal his account suspension and, if so, describe the procedure for such appeals. The data controller responded to the DPC stating that it had investigated the matter and explained that once an account is suspended on the basis of a spam violation, all correspondence is automatically directed to its Spam Operations team. The data controller further explained the appeal process and noted that the individual corresponded with the Spam Operations team in relation to the appeal of their suspension. The Spam Operations team failed to identify that the correspondence also included the individual’s access and erasure requests and therefore this was not addressed in its response. The data controller’s response also noted that, although the Spam Operations team had rejected the individual’s appeal of their account suspension, it had since carried out another review in light of its updated spam policies. Following this review, the data controller re-activated the individual’s account.
The data controller also acknowledged the delay in responding to the individual and confirmed that it had since taken steps to ensure that such delays would not occur in responding to future requests. The data controller confirmed that it had actioned the individual’s access and erasure requests. It also confirmed that it had reached out to the individual to inform him of the steps it had taken in response to the DPC’s correspondence and provided the individual with the explanations set out above. The actions taken and explanations given by the data controller were also outlined to the individual by the DPC. The individual informed the DPC that they were satisfied with the actions taken by the data controller in response to the DPC’s correspondence as it allowed him to download his data and delete his account. This case study illustrates how often simple matters — such as a complaint being forwarded to the wrong unit in an organisation — can become data protection complaints if the matter is not identified appropriately.