Case Studies Cross-border Complaints

 

Amicable resolution in cross-border complaints: Google (YouTube)

The DPC received a complaint in September 2020, via its complaint webform, against Google Ireland Limited (YouTube). The complaint was made by a parent acting on behalf of their child and concerned a YouTube channel/account. The YouTube channel/account had been set up when the child was ten years old and at a time when they did not appreciate the consequences of posting videos online.

Although the complaint was made directly to the DPC by an Irish resident, upon assessment it was deemed to constitute a cross-border complaint because it related to YouTube’s general operational policies and, as YouTube is available throughout the EU, the processing complained of was therefore deemed to be of a kind “which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR).

According to the complainant, the child no longer had control over the account, as they had lost their passwords, and the account was no longer in use. However, classmates of the child had discovered the videos previously posted by the child, which were now a source of embarrassment to the child. The parent of the child had engaged in extensive correspondence with Google, seeking inter alia the erasure of the account from the YouTube platform. The parent had provided the URL for a specific video on the account and for the account itself. The parent was informed by Google, on a number of occasions, that it had taken action and removed the content from the platform. However, the parent repeatedly followed up to note that the content had not in fact been removed and was still available online. As she considered that the complaint had not been appropriately addressed, she raised the matter with the DPC.

This complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018, with both the individual and the data controller agreeing to work with the DPC to try to amicably resolve the matter. The DPC investigated the background to the complaint and noted that Google appeared to have removed the specific video for which the URL had been provided, but had not removed the account in its entirety, with the result that further videos remained online.

The DPC communicated with Google on the matter and informed Google of the particular background of the complaint. Google immediately took action and removed the YouTube account in its entirety. Google confirmed that a misunderstanding had arisen: its support team had acted only on the URL for the specific video provided by the complainant, rather than on the request to remove the entire account.

The DPC informed the parent of the outcome and proposed that the complaint be treated as amicably resolved. The parent thereafter informed the DPC that she had recently become aware of another YouTube channel that her child had created, which again was no longer in use and which the child wanted deleted. The DPC corresponded further with Google, and Google confirmed that it had taken immediate action to remove that account as well and had informed the parent of the actions it had taken.

Key Takeaway

  • This case highlights that, during the amicable resolution process, the DPC can assist data subjects in explaining their particular requests to a data controller, and in ensuring those requests reach the appropriate level within the controller, when an individual has previously been unsuccessful in initial engagement with the data controller. This further allows the DPC to monitor the compliance of data controllers by taking note of any issues that may be repeated across other complaints.


Amicable resolution in cross-border complaints — access request to Airbnb

The DPC received a complaint in September 2020 relating to a request for access (under Article 15 of the GDPR) that the complainant had made to Airbnb Ireland UC (“Airbnb”). The complaint was made directly to the DPC by an individual based in Malta. Upon assessment by the DPC, the complaint was deemed to be a cross-border one because it related to Airbnb’s general operational policies and, as Airbnb is available throughout the EU, the processing complained of was therefore deemed to be of a kind “…which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR). The complainant had submitted an access request to Airbnb. Airbnb facilitated this access request by providing the complainant with a link to an access file containing his personal data. However, when the complainant tried to use the link, it was not operational. In addition, the complainant was frustrated by the difficulty he faced in contacting Airbnb in relation to this matter. The complainant submitted his complaint to the DPC on this basis.

The DPC contacted Airbnb and asked that it facilitate the complainant’s request. The DPC specified that Airbnb should ensure any links it sends to complainants are fully tested and operational.

In reply, Airbnb explained that once it was informed that the initial link it sent to the complainant was not operational, it sent a renewed link to the complainant, and it was unaware that the complainant had had any difficulty in accessing this second link. Nonetheless, in the interests of amicably resolving the complaint, Airbnb agreed to provide an additional link to an access file to the complainant and to send an encrypted copy of the file to the complainant via secure email.

As a result, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (“the Act”), and under section 109(3) of the Act the complaint was deemed to have been withdrawn. This case study demonstrates the benefits, to individual complainants, of the DPC’s intervention by way of the amicable resolution process.

In this case, the DPC’s involvement led to the complainant being able to access his data.

Key Takeaway

  • This case study illustrates how simple matters, such as links that do not operate properly, can often become data protection complaints if the matter is not managed appropriately at the front end by data controllers’ customer service and data protection teams.


Article 60 Non-response to an Access Request by Ryanair

In this case, the complainant initially submitted their complaint to the Information Commissioner’s Office (ICO) of the UK, and it was thereafter received by the DPC on 2 March 2019. The complaint related to the alleged failure by Ryanair DAC (Ryanair) to comply with a subject access request submitted to it by the complainant on 26 September 2018 in accordance with Article 15 of the GDPR. The ICO provided the DPC with a copy of the complaint form submitted to the ICO by the complainant, a copy of the acknowledgement, dated 26 September 2018, that the complainant had received from the data controller when submitting the access request, and a copy of the complainant’s follow-up email to the data controller requesting an update in relation to their request.

Acting in its capacity as Lead Supervisory Authority, the DPC commenced an examination of the complaint by contacting the data controller, outlining the details of the complaint and instructing the data controller to respond to the access request in full and to provide the DPC with a copy of the cover letter that issued to the complainant. Ryanair provided the complainant with access to copies of their personal data relating to the specific booking reference that the complainant had provided to the ICO, and to data relating to a separate complaint. Ryanair advised that it could not provide the complainant with a copy of the call recording they had requested because, owing to the delay on Ryanair’s part in processing the request, the call recording had been deleted in accordance with company policy and could not be retrieved. Ryanair advised the DPC that it had previously informed the complainant of this via its online portal. Ryanair stated that, at the time the request was submitted, because of the volume of data subjects who did not verify their email address, access requests were not assigned to the relevant department until the email address had been verified by the data subject. Ryanair advised the DPC that the complainant had responded and verified their email address, but the agent who was working on the request had ceased working on the online portal, and therefore the request had not been assigned to the relevant department.

Ryanair asserted that this error was not discovered until some time later, when the request was assigned to the customer services department to provide the necessary data, including the call recording, by which point the call recording had been deleted in accordance with Ryanair’s retention policy. Ryanair provided the DPC with a copy of its retention policy, which states that call recordings are retained for a period of 90 days from the date of the call. Ryanair advised that, as the complainant’s call had been made on 5 September 2018, it would have been automatically deleted on 4 December 2018. Ryanair further stated that it does not have the functionality to retrieve deleted call recordings. Pursuant to Section 109(2) of the Data Protection Act 2018, the DPC attempted to facilitate the amicable resolution of the complaint. However, the complainant was unwilling to accept Ryanair’s proposals in respect of same. As such, the matter fell to be decided by way of a decision under Article 60 of the GDPR.

  1. Initial Draft Decision

As the complaint related to cross-border processing, the DPC was obliged, in accordance with the Article 60 process, to make a draft decision in respect of the complaint. In its initial version of the draft decision, the DPC made a finding of infringement of Article 15 of the GDPR, in that Ryanair had failed to provide the complainant with a copy of their personal data that was undergoing processing at the time of the request. The DPC also found an infringement of Article 12(3) of the GDPR, in that Ryanair had failed to provide the complainant with information on the action taken on their Article 15 request within the statutory timeframe of one month. The DPC provided the draft decision to Ryanair to allow it to make submissions. Ryanair subsequently provided a number of submissions, which (along with the DPC’s analysis thereof) were taken into account in the draft decision.

  2. Provision of Draft Decision to Concerned Supervisory Authorities

In accordance with the Article 60 process, the DPC proceeded to submit its draft decision to the IMI to be circulated amongst the Concerned Supervisory Authorities (CSAs), pursuant to Article 60(3) of the GDPR . The DPC’s draft decision was uploaded to the IMI on 25 May 2020 and, pursuant to Article 60(4) of the GDPR, the CSAs were thereafter entitled to four weeks in which to submit any relevant and reasoned objections to the decision.

The DPC subsequently received a number of relevant and reasoned objections and comments in relation to its draft decision from the CSAs. In particular, certain CSAs argued that additional infringements of the GDPR ought to have been found, and in addition that a reprimand ought to have been imposed.

  3. Revised Draft Decision

In accordance with Article 60(3) of the GDPR, the DPC is obliged to take due account of the CSAs’ views. In light of the objections and comments received from the CSAs, the DPC carefully considered each relevant and reasoned objection and comment received in respect of its draft decision. The DPC revised its draft decision to include a summary and analysis of the objections and comments expressed by the CSAs. In revising its initial draft, the DPC followed certain relevant and reasoned objections received, and declined to follow others. In its revised draft decision, the DPC proposed to issue a reprimand to Ryanair, pursuant to Article 58(2)(b) of the GDPR. The DPC provided its revised draft decision to Ryanair to allow it to make final submissions. Ryanair noted that the DPC had found that it had infringed the GDPR, and that the DPC had exercised its powers in this case in line with Recital 129 and the due process requirements in Article 58 of the GDPR. Ryanair advised the DPC that it accepted the findings and the associated reprimand and did not wish to make any further submissions.

  4. Provision of Revised Draft Decision to Concerned Supervisory Authorities

Pursuant to Article 60(5) of the GDPR, the DPC submitted its revised draft decision to the CSAs for their opinion on 20 October 2020. Under Article 60(5), the CSAs were entitled to two further weeks in which to submit any further objections to the decision. As the DPC received no further objections or comments in relation to the revised draft decision from the CSAs within the statutory period, the CSAs were deemed to be in agreement with the revised draft decision of the DPC and bound by it, in accordance with Article 60(6) of the GDPR.

  5. Adoption of Final Decision

Upon the passing of the deadline for receipt of any further objections, the DPC proceeded to adopt the final decision, in accordance with Article 60(7) of the GDPR. The DPC then uploaded its final decision to the IMI and communicated it to Ryanair. The final decision was uploaded on 11 November 2020. Pursuant to Article 60(7), the ICO, with which the complaint was initially lodged, was responsible for informing the complainant of the decision.

In summary, the DPC found infringements of Articles 12(3) and 15 of the GDPR in respect of this complaint.

Key Takeaway

  • This case study demonstrates that, where a complaint relating to the cross-border processing of personal data cannot be amicably resolved, the Article 60 procedure that follows as a result is particularly involved, complex and time-consuming. In this case, the initial draft of the DPC’s decision was uploaded to the IMI on 25 May 2020, and the final decision was not adopted until 11 November 2020, some six months later.
  • This case study also demonstrates — once again — the intensity of DPA resources consumed in delivering outcomes on issues that could have been resolved by the controller without recourse to the DPC, raising again the question of unwarranted DPA resource-drainage away from resolving wider systemic issues which would achieve improved outcomes for the maximum number of individuals.


Amicable Resolution in Cross-Border Complaints: Facebook Ireland

The DPC received a multi-faceted complaint in April 2019 relating to requests for access (under Article 15 of the GDPR), rectification (under Article 16 of the GDPR) and erasure (under Article 17 of the GDPR) that the complainant had made to Facebook Ireland Limited (“Facebook”). The complaint was made directly to the DPC by a data subject based in the UK. Upon assessment by the DPC, the complaint was deemed to be cross-border because it related to Facebook’s general operational policies and, as Facebook is available throughout the EU, the processing complained of was therefore deemed to be of a kind “…which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR).

The complainant initially made his requests to Facebook because his Facebook account had been locked for over a year, without reason in the complainant’s view, and he believed Facebook held inaccurate personal data relating to him. Wishing ultimately to erase all the personal data that Facebook held in relation to him, the complainant was of the view that this inaccurate information was preventing him from logging into his Facebook account to begin the erasure process. He had therefore made an access request to Facebook, but had been unable to verify his identity to Facebook’s satisfaction. The complainant subsequently made his complaint to the DPC.

After a considerable amount of engagement by the DPC with both Facebook and the complainant with a view to amicably resolving the complaint, in the course of which the complainant was able to verify his identity to Facebook’s satisfaction, Facebook agreed to provide the complainant with a link to the personal data that it held in relation to him. The complainant accessed the material at the link, but remained dissatisfied because he claimed that the material provided was insufficient. In particular, the complainant indicated that he wished to be advised of any personal data held in relation to him by Facebook beyond that which was processed in order to operate his Facebook profile. Facebook responded to the DPC indicating that the material provided to the complainant via the link was the totality of the account data that it held in relation to him. The complainant remained dissatisfied with this response, indicating that he wished to obtain information regarding any personal data that Facebook held in relation to him that was not related to his Facebook account. He also reiterated his belief that some of this personal data, allegedly held by Facebook but not related to his Facebook account, might be inaccurate, in which case he wished to have it rectified.

In response, Facebook advised the DPC that, since the commencement of the complaint, it had made certain enhancements to its ‘Download Your Information’ tool. Following this update to its access tools, it had determined that a very small amount of additional personal data existed in relation to the complainant’s Facebook account, and it provided the complainant with a new link to all of the personal data it held in relation to the complainant, including this additional data. The complainant accessed this additional material and, with a view to resolving his complaint, sought confirmation that, once the deletion of his account was effected, Facebook would no longer hold any personal data in relation to him. Facebook reverted to indicate that the material it had provided to the complainant was the totality of the data it held in relation to him that fell within the scope of Article 15, and indicated that it would proceed with the erasure of the complainant’s personal data once he had indicated that he was satisfied for it to do so.

The complainant was content to conclude the matter on this basis and, as such, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (the Act), and under section 109(3) of the Act the complaint was deemed to have been withdrawn.

This case study demonstrates the benefits, to individual complainants, of the DPC’s intervention by way of the amicable resolution process. In this case, the DPC’s involvement led to the complainant being able to verify his identity to Facebook’s satisfaction, and to Facebook providing him with links to his personal data on two occasions. The DPC’s engagement with the controller also resulted in it confirming, to the complainant’s satisfaction, that all the personal data that fell to be released in response to an Article 15 request had been provided to him. This resulted in a fair outcome that was satisfactory to both parties to the complaint. This case study also illustrates the intense resource investment necessary on the part of Data Protection Authorities (DPAs) to resolve issues of this nature. The complainant in this case raised an issue of concern to himself and was entitled to have that addressed. The question the case raises is whether the controller should have been capable of resolving this matter without the requirement for extensive DPA resources to mediate the outcome.


Amicable Resolution in Cross-Border Complaints: MTCH

The DPC received a complaint in June 2020, via its complaint webforms, against MTCH Technology Services Limited (Tinder). Although the complaint was made directly to the DPC, from an Irish resident, upon assessment it was deemed to constitute a cross-border complaint because it related to Tinder’s general operational policies and, as Tinder is available throughout the EU, the processing complained of was therefore deemed to be of a kind “….which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross border processing under Article 4(23) of the GDPR).

The complaint related to the banning of the complainant from the Tinder platform, subsequent to which the complainant had made a request to Tinder for the erasure of his personal data under Article 17 of the GDPR. In response to his request for erasure, the complainant was referred by Tinder to its privacy policy for information in relation to its retention policies in respect of personal data. In particular, Tinder informed the complainant that “after an account is closed, whatever the reason (deletion by the user, account banned etc.), the user’s data is not visible on the service anymore (subject to allowing for a reasonable delay) and the data is disposed of in accordance with [Tinder’s] privacy policy”. The complainant was dissatisfied with this response and followed up with Tinder, again requesting the erasure of his personal data. Tinder responded by reiterating that personal data is generally deleted “upon deletion of the corresponding account”, further noting that deletion of such personal data is “only subject to legitimate and lawful grounds to retain it, including to comply with our statutory data retention obligations and for the establishment, exercise or defence of legal claims, as permitted under Art. 17(3) of GDPR.” The complainant subsequently made his complaint to the DPC.

Upon the DPC’s engagement with Tinder in respect of this complaint, Tinder informed the DPC that the complainant had been banned from the platform because his login information was tied to another banned profile. Tinder also identified eleven other accounts associated with the complainant’s device ID. All of these accounts had been banned from the Tinder platform because it appeared that an unofficial client was being used to access Tinder (a violation of Tinder’s terms of service). The DPC reverted to the complainant with this information, and the complainant advised that he had used the official Tinder client for Android and the official Tinder website on Firefox. However, it transpired that he had been using a custom Android build on his phone with various security and privacy add-ons. As a result, his phone presented a different device ID after each update or reboot. In the complainant’s view, this was the likely cause of the issue that resulted in his being banned from Tinder. Under Tinder’s data retention policy, the personal data of a banned user would have been retained for an extended period of time. However, in the circumstances, by way of a proposed amicable resolution, Tinder offered to delete the complainant’s personal data immediately so that he could open a new account.

The complainant had certain residual concerns regarding the manner in which Tinder responds to erasure requests. Upon being informed that such matters were being examined by the DPC by way of a separate statutory inquiry, the complainant agreed to accept Tinder’s proposal for the amicable resolution of the complaint.

As such, the matter was amicably resolved pursuant to section 109(3) of the Data Protection Act 2018 (the Act), and under section 109(3) of the Act the complaint was deemed to have been withdrawn.

Key Takeaway

  • This case study demonstrates that a thorough examination of a seemingly intractable complaint can bring about its amicable resolution, which will often result in a fair and efficacious solution for the affected individual in a timely manner. In this case, the information gleaned by the DPC when it probed in more depth into the circumstances of the complainant’s ban from Tinder, namely the fact that the complainant used a custom Android build with security and privacy add-ons, contributed to a greater understanding between the parties and led to Tinder making its proposal for the resolution of the case, which the complainant accepted.


The Operation of the Article 60 Procedure in Cross-Border Complaints: Groupon

The DPC received a complaint in July 2018 from the Polish data protection authority on behalf of a Polish complainant against Groupon International Limited (“Groupon”). The complaint related to the requirements that Groupon had in place at that time to verify the identity of individuals who made data protection rights requests to it. In this case, the complainant alleged that Groupon’s practice of requiring them to verify their identity by way of electronic submission of a copy of a national identity card, in the context of a request they had made for erasure of personal data pursuant to Article 17 of the GDPR, constituted an infringement of the principle of data minimisation as set out in Article 5(1)(c) of the GDPR, in circumstances where there was no requirement to provide an identity document when a Groupon account was created. In addition, the complainant alleged that Groupon’s subsequent failure to act on the erasure request (in circumstances where the individual objected to providing a copy of their national identity card) constituted an infringement of their right to erasure under Article 17.

The DPC commenced an examination of the complaint upon receipt of same. In the course of its correspondence with Groupon on the matter, it became clear that Groupon’s policy of requiring a requester to provide a copy of a national identity card, which had been in place since before the GDPR came into force (and which was in place at the time of the complainant’s erasure request), had been discontinued in October 2018. In its place, Groupon had implemented an email authentication system which allowed Groupon users to verify their account ownership. The DPC attempted to amicably resolve the complaint (pursuant to section 109(2) of the Data Protection Act 2018), but the complainant was unwilling to accept Groupon’s proposals in respect of same. As such, the matter fell to be decided by way of a decision under Article 60 of the GDPR.
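The page describes Groupon’s replacement for identity-document upload only as “an email authentication system” for verifying account ownership and gives no detail of how it works. The following Python is an added example, not Groupon’s code and not a description of its system: it shows one way a controller can verify that an erasure request comes from the holder of an account by emailing a signed, expiring token to the address already on file, so that the check relies on data the controller already holds and collects no identity document. The names `issue_token`, `verify_token`, `SERVER_KEY`, `TOKEN_TTL_SECONDS`, the sample request identifiers and addresses, and the one-day lifetime are all assumptions made for the example.

```python
"""Account-ownership check for a data-subject rights request using an emailed,
signed, expiring token. Added example; not Groupon's system. All names and the
sample values are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a server-side key held in a secret store. Generated here only so
# the example runs offline; a real deployment loads it rather than creating it.
SERVER_KEY = secrets.token_bytes(32)

# Assumption: one day is long enough for the requester to open the emailed link.
TOKEN_TTL_SECONDS = 24 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(key: bytes, request_id: str, account_email: str,
                now: Optional[float] = None, ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Bind a rights request to the email address already on file and an expiry.

    The token is what gets emailed to that address; only someone who can read
    the mailbox can present it back, and that is the ownership evidence. No
    identity document is requested, so nothing beyond data the controller
    already holds is processed for the check.
    """
    now = time.time() if now is None else now
    payload = json.dumps(
        {"rid": request_id, "email": account_email.strip().lower(), "exp": int(now) + ttl},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(key: bytes, token: str, request_id: str, account_email: str,
                 now: Optional[float] = None) -> bool:
    """Return True only if the token is authentic, unexpired and bound to this
    request and this address. The MAC is checked before the payload is parsed,
    so unauthenticated input is never interpreted."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong shape, bad base64 or non-ASCII input
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    try:
        claims = json.loads(payload.decode("utf-8"))
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    return (
        claims.get("rid") == request_id
        and claims.get("email") == account_email.strip().lower()
        and isinstance(claims.get("exp"), int)
        and now <= claims["exp"]
    )


if __name__ == "__main__":
    # Constructed sample: an erasure request made from the address on the account.
    tok = issue_token(SERVER_KEY, "erasure-0001", "user@example.org")
    # Assumption: the link below is what the controller would email to the address on file.
    print("https://example.org/verify?token=" + tok)
    print("verified:", verify_token(SERVER_KEY, tok, "erasure-0001", "user@example.org"))
```

The request identifier is included in the token so that a link issued for one request cannot be replayed to authorise a different one, and the expiry bounds the window in which a leaked mailbox or forwarded email is useful. Where an account has no verified email address, or where the data at stake warrants it, a controller would need a stronger check; the example only covers the common case the page describes, in which the account itself was opened without any identity document.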

  1. Initial Draft Decision

The first step in the Article 60 process entailed the DPC preparing a draft decision in respect of the complaint. In its initial draft decision, the DPC made findings of infringements of Articles 5(1)(c) and 12(2) of the GDPR by Groupon. The DPC provided the draft decision to Groupon to allow it to make submissions. Groupon subsequently provided a number of submissions, which (along with the DPC’s analysis thereof) were taken into account in a further version of the draft decision.

  2. Provision of Initial Draft Decision to Concerned Supervisory Authorities

The second stage in the Article 60 process involved the DPC’s initial draft decision being uploaded to the IMI to be circulated amongst the Concerned Supervisory Authorities (CSAs), pursuant to Article 60(3) of the GDPR. The DPC’s draft decision was uploaded to the IMI on 25 May 2020 and, pursuant to Article 60(4) of the GDPR, CSAs were thereafter entitled to four weeks in which to submit any relevant and reasoned objections to the decision. The DPC subsequently received a number of relevant and reasoned objections and comments on its decision from CSAs. In particular, certain CSAs argued that additional infringements of the GDPR ought to have been found, and in addition that a reprimand and/or administrative fine ought to have been imposed.

  3. Revised Draft Decision

The next stage of the Article 60 process required the DPC to carefully consider each relevant and reasoned objection and comment received in respect of its draft decision, and to incorporate its analysis of same into a revised draft decision. In revising its draft decision, the DPC followed certain relevant and reasoned objections received, and declined to follow others. The DPC’s revised draft decision, taking into account its analysis of the relevant and reasoned objections and comments, found additional infringements of Articles 17(1)(a) and 6(1) of the GDPR by Groupon. In addition, the DPC proposed in its revised draft decision to issue a reprimand to Groupon, pursuant to Article 58(2)(b) of the GDPR. The DPC provided its revised draft decision to Groupon to allow it to make final submissions. A number of final submissions were received from Groupon, which (along with the DPC’s analysis thereof) were taken into account in the DPC’s revised draft decision.

  4. Provision of Revised Draft Decision to Concerned Supervisory Authorities

The next stage of the Article 60 process entailed the DPC uploading its revised draft decision to the IMI for circulation among the CSAs. Under Article 60(5) of the GDPR, CSAs were entitled to two further weeks in which to indicate whether they intended to maintain their objections.

One CSA raised a further query on the revised draft decision within that period. This raised the prospect that the dispute resolution procedure under Article 65 of the GDPR would have to be engaged, which would have involved the European Data Protection Board (EDPB) adjudicating on the point(s) of disagreement, and which would have further extended the time needed to complete the decision in this case. However, the query was subsequently withdrawn.

  5. Adoption of Final Decision

Upon the withdrawal of the final relevant and reasoned objection, and the passing of the deadline for receipt of any further objections, the last stage of the Article 60 process entailed the DPC adopting the final decision, which was uploaded to the IMI and communicated to Groupon. The final decision was uploaded on 16 December 2020. As per Article 60(6) of the GDPR, the CSAs were deemed at this point to be in agreement with the decision and to be bound by it. Pursuant to Article 60(7), the Polish data protection authority, with which the complaint was initially lodged, was responsible for informing the complainant of the decision.

In summary, the DPC found infringements of the following Articles of the GDPR in respect of this case: Articles 5(1)(c), 12(2), 17(1)(a) and 6(1).

In this case, following the completion of the investigation of the complaint, the initial draft of the DPC’s decision was uploaded to the IMI on 25 May 2020, and the final decision, incorporating submissions from Groupon, relevant and reasoned objections and comments from CSAs, and the DPC’s analysis thereof, was adopted on 16 December 2020, some seven months later.

Key Takeaway

  • This case study demonstrates that, where a cross-border data protection complaint cannot be amicably resolved, the Article 60 procedure that follows is particularly involved, complex and time-consuming, especially as the views of other supervisory authorities across the EU/EEA must be taken into account and carefully considered in all such cases.


Handling an Irish data subject’s complaint against German-based Cardmarket using the GDPR One Stop Shop mechanism

The Data Protection Commission (DPC) received a complaint from an Irish individual against Cardmarket, a German e-commerce and trading platform. The individual received an email from Cardmarket, notifying them that it had been hacked and that some of its users’ personal information may have been leaked. The individual alerted the DPC and submitted a complaint in relation to the breach.

Under the One Stop Shop (OSS) mechanism created by the General Data Protection Regulation (GDPR), the location of a company’s main European establishment dictates which European authority will act as the lead supervisory authority in relation to any complaints received. Once the lead supervisory authority (LSA) is established, the authority that received the complaint acts as a concerned supervisory authority (CSA). The CSA is the intermediary between the LSA and the individual. Among other things, the reason for this separation is so that supervisory authorities can communicate with individual complainants in their native language. In this case, the Berlin Data Protection Authority (DPA) acted as the LSA, as the company had its main establishment in the Berlin territorial area. The DPC acted as a CSA, communicating with the Berlin DPA and transmitting updates in relation to the investigation (once they were translated from German to English) to the individual complainant in Ireland.

The Berlin DPA concluded its investigation into the breach and the individual’s complaint. It uploaded two draft decisions, one in relation to the overall breach which impacted many other users of the platform throughout Europe, and another in relation to the specific complaint which had been lodged by the Irish individual with the DPC and communicated to the Berlin DPA.

An important aspect of the OSS mechanism is that a CSA may comment on a draft decision issued by a lead supervisory authority. This is to ensure that European supervisory authorities are applying the GDPR consistently, i.e. that a final decision reached by the Berlin DPA would have the same conclusion as a decision of the DPC if the company had been located in Ireland and the DPC had investigated the complaint as the lead supervisory authority. The DPC was satisfied with the Berlin DPA’s draft decisions and did not consider it necessary to raise any points of clarification or requests for amendment on this occasion.

The draft decision in relation to the overall breach described a number of measures taken by the platform to address the breach and mitigate its adverse effects. The measures included taking its servers off its network and deleting all the data on them, as well as resetting all user passwords and ensuring new passwords were stored using the latest password hashing methods. The draft decision considered that a repetition of the incident was unlikely, and that the mass disclosure of passwords had been rendered practically impossible in light of the measures taken.
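The remedial steps the draft decision describes (a bulk password reset, with passwords re-stored under a modern hashing scheme) are what make a leaked credential table of little use to whoever obtained it. The following Python is an added illustration and is not code from the DPC report, the Berlin DPA or Cardmarket; it uses the standard library’s scrypt (a memory-hard password KDF, standing in for whichever modern scheme the platform actually chose) to show a per-user salted, self-describing record, constant-time verification, detection of legacy unsalted records, and the bulk invalidation step a breach response performs. The record format, cost parameters and sample user table are assumptions constructed for the example.

```python
"""Added example: modern password storage and a breach-response reset.

Assumptions (not from the report): record format "scrypt$N$r$p$salt$hash",
the scrypt cost parameters below, and the constructed sample user table.
"""
import hashlib
import hmac
import os

# Illustrative scrypt parameters; tune N to your hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32
RESET_SENTINEL = "!reset-required"   # a record that can never verify


def hash_password(password: str) -> str:
    """Hash with a fresh random salt and return a self-describing record."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time check; anything that is not an scrypt record fails closed."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, hash_hex = parts
    expected = bytes.fromhex(hash_hex)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(record: str) -> bool:
    """True for legacy records (e.g. bare unsalted digests) or weaker parameters."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    n, r, p = (int(x) for x in parts[1:4])
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def build_constructed_legacy_db() -> dict:
    """Constructed sample table in the pre-breach style: unsalted SHA-1 hex digests."""
    return {
        "alice": hashlib.sha1(b"hunter2").hexdigest(),
        "bob": hashlib.sha1(b"letmein").hexdigest(),
    }


def invalidate_all(user_db: dict) -> int:
    """Breach response: replace every stored credential with a non-verifying
    sentinel so that nothing derived from the leaked table can log in.
    Users then set a new password through an out-of-band reset flow."""
    for username in user_db:
        user_db[username] = RESET_SENTINEL
    return len(user_db)


def set_new_password(user_db: dict, username: str, password: str) -> None:
    """Completion of the reset flow: store the new password under the modern scheme."""
    user_db[username] = hash_password(password)


if __name__ == "__main__":
    db = build_constructed_legacy_db()
    print("legacy records needing rehash:", sum(needs_rehash(r) for r in db.values()))
    invalidate_all(db)
    set_new_password(db, "alice", "correct horse battery staple")
    print("alice verifies:", verify_password("correct horse battery staple", db["alice"]))
```

Two design points are worth noting: the record carries its own parameters, so cost can be raised later and older records detected via `needs_rehash` at next login, and verification fails closed for any record that is not in the current format, which is what turns a leaked legacy table into something that cannot authenticate anyone.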

The DPC informed the individual of the outcome of the Berlin DPA’s investigation, providing them with a copy of the overall decision investigating the breach and the decision dealing with their specific complaint.

Key Takeaway

  • This case illustrates the challenging handoffs and handovers involved in the OSS mechanism established by the GDPR. It demonstrates the depth of cooperation between European supervisory authorities required for the consistent application of the GDPR in Europe.

Case Studies Accuracy


Data accuracy

The complainant in this case had made a complaint to a professional regulatory body about the conduct of a regulated person. That complaint was not upheld by the professional regulatory body. In his complaint to the DPC, the complainant alleged that the professional regulatory body had inaccurately recorded personal data relating to them in the minutes of its meeting. The complainant also alleged that the professional regulatory body had inaccurately recorded the same personal data relating to the complainant in a letter from it to a third party.

Before commencing an investigation into this complaint, the DPC reviewed the information provided and established that the professional regulatory body was identified as the relevant data controller in relation to the complaint, as it controlled the contents and use of the complainant’s personal data for the purposes of investigating the complaint. The data in question was personal data relating to the complainant, the complainant could be identified from it and the data related to the complainant as an individual. The DPC was therefore satisfied that the complaint should be investigated to determine if a contravention of data protection legislation had occurred.

During the course of the investigation of this complaint, the professional regulatory body accepted that the personal data in question had been recorded inaccurately and, in relation to the data recorded in the minutes, corrected the data by way of the insertion of a clarification. On this basis, this office considered that the personal data recorded in the meeting minutes and the letter to the third party had been recorded inaccurately, in contravention of data protection legislation.

This office also examined whether the professional regulatory body had processed the complainant’s personal data fairly, as required by data protection legislation. In order to comply with the requirement to process personal data fairly, data controllers must ensure that data subjects are provided with, or have made readily available to them, certain information. This office reviewed the information that the professional regulatory body stated was available to individuals about making a complaint, in the form of the information booklet. This booklet did not contain, in particular, any details about individuals’ right of access to personal data relating to them and individuals’ rights to rectify inaccurate data concerning them. Since the information booklet did not contain all of the information that was required to be provided to data subjects under data protection legislation, and since the professional regulatory body did not provide any other details regarding other measures that it had in place at the relevant time to address its fair processing obligations, the DPC was not satisfied that the professional regulatory body had complied with its fair processing obligations.

Under the GDPR, data controllers must ensure that personal data are accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. Under Article 16 of the GDPR, a data subject has the right (subject to certain exceptions) to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her.

The GDPR also requires that personal data be processed fairly and in a transparent manner. A data controller should provide a data subject with any information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the data are processed. In particular, where personal data are collected from a data subject, Article 13 of the GDPR requires that the data controller provide the data subject with, amongst other things, information as to the identity and contact details of the controller and its data protection officer (where applicable), the purpose of the processing, the recipients or categories of recipients of the data, and information as to the rights to rectification and erasure of personal data.


Proof of identification and data minimisation

The DPC received a complaint, via the Berlin Data Protection Authority, from an individual regarding a request they made to a data controller to have the email address associated with their customer account changed. The complainant had made the request via the data controller’s online chat function and was subsequently informed that a copy of an ID document to authenticate account ownership would be required in order to proceed with the request. The complainant refused to provide this information and their request was therefore not progressed by the data controller at that time.

Following receipt of the complaint, the DPC engaged with the data controller, during which it was established that the data controller does not require individuals to provide an ID document in order to change the email address associated with an account. Furthermore, the customer service agent had used an incorrect operating procedure when responding to the request of the complainant. The data controller’s standard procedure directs customer service agents to advise customers that they can change their email address by signing into their own account and making the change directly within their ‘Account’ settings page. The data controller also advised that if a customer does not wish, or is not able, to change their email address on their own, its procedure directs customer

In light of the complaint, the data controller agreed to provide clear instructions on how the complainant could change their email address associated with their account information without providing any additional personal data. The data controller also conducted a thorough review of its customer service systems and provided further refresher training to all of its customer service agents on the correct standard operating procedures to follow in such instances.

The DPC then engaged with the complainant, via the Berlin Data Protection Authority, to provide the information it had received from the data controller in an attempt to facilitate an amicable resolution to the complaint. The complainant subsequently confirmed to the DPC that they had successfully changed the email address on their account with the data controller.

Key Takeaway

  • This case study demonstrates the benefits to both data controllers and to individual complainants of engaging in the amicable resolution process in a meaningful way. In this case, the positive actions taken by the data controller, including providing detailed information to the complainant on how to proceed themselves with changing the email address associated with their account, resulted in a good outcome for both parties.


Inaccurate Information held on a banking system

The complainant in this instance held a mortgage over a property with another individual. The complainant and the other individual left the original property and each moved to separate addresses. Despite being aware of this, the complainant’s bank sent correspondence relating to the complainant’s mortgage to the complainant’s old address, where it was opened by the tenants in situ.

In response, the complainant’s bank noted that its mortgage system was built on the premise that there would be one correspondence address and, in situations where joint parties to the mortgage no longer had an agreed single correspondence address, this had to be managed manually outside the system, which sometimes led to errors.

It was apparent that the data controller for the purposes of the complaint was the complainant’s bank, as it controlled the complainant’s personal data for the purposes of managing the complainant’s mortgage. The data in question consisted of (amongst other things) financial information relating to the complainant’s mortgage with the data controller. The data was personal data because it related to the complainant as an individual and the complainant could be identified from it.

Data protection legislation, including the GDPR, sets out clear principles that data controllers must comply with when processing a person’s personal data. Of particular relevance to this complaint was the obligation to ensure that the data is accurate and kept up to date where necessary, and the obligation to have appropriate security measures in place to safeguard personal data.

In applying these principles to the facts of this complaint, by maintaining an out-of-date address for the complainant and sending correspondence for the complainant to that address, the data controller failed to keep the complainant’s personal data up to date (Article 5(1)(d)). In addition, given the multiple pieces of correspondence that were sent to the wrong address, the data controller’s security measures failed to appropriately safeguard the complainant’s data (Article 5(1)(f)). The obligation to implement appropriate security measures under Article 5(1)(f) is to be interpreted in accordance with Article 32 of the GDPR, which sets out considerations that must be taken into account by a data controller when determining whether appropriate security measures are in place.