Fines on Data Subject Access Request increase
The Romanian Data Protection Authority (ANSPDCP) has fined Untold SRL approximately €15,000 (74,611.50 RON) for GDPR violations. The fine was issued due to Untold SRL’s failure to comply with data subject rights, specifically:
- Article 12(3) GDPR: Failure to respond to data subject requests within the required timeframe.
Article 12(3) GDPR: This article mandates that organizations must respond to data subject requests within a specified timeframe. Untold SRL failed to meet this requirement, thereby neglecting the obligation to provide timely responses to individuals seeking access to their personal data or other related actions.
- Article 12(4) GDPR: Failure to provide information on actions taken in response to data subject requests.
Article 12(4) GDPR: According to this provision, organizations are required to inform data subjects about the actions taken in response to their requests. Untold SRL did not fulfill this obligation, leaving data subjects uninformed about the status or outcome of their requests, which is a clear breach of transparency principles.
- Article 17(1) GDPR: Failure to erase personal data upon request.
Article 17(1) GDPR: This article grants data subjects the right to have their personal data erased upon request, often referred to as the "right to be forgotten." Untold SRL failed to comply with this request, thereby infringing upon the data subject's right to have their personal information removed from the company's records.
This case underscores the critical importance of adhering to GDPR requirements, particularly in handling data subject requests promptly and transparently. Organizations must ensure robust processes are in place to manage these requests effectively to avoid substantial penalties.
Facts
The data subject filed an access request with the controller.
Moreover, they also requested the controller to delete their personal data pursuant to Article 17(1)(b) GDPR.
However, the controller never replied to these requests.
Therefore, the data subject filed a complaint with the DPA, noting that they had previously provided the controller with their e-mail address, telephone number, full name and postal address.
Holding
First, the DPA noted that the controller never replied to the data subject's access request. Therefore, it found a violation of Article 15 GDPR in combination with Article 12(3) and 12(4) GDPR.
Moreover, the DPA held that the controller violated Article 17(1) GDPR in combination with Article 12(3) and 12(4) GDPR since the controller did not act on the erasure request filed by the data subject.
On these grounds, the DPA issued a fine of RON 74,611.50 (€15,000) and ordered the controller to:
- provide the data subject with a written reply, therefore acting on their access request;
- adopt the necessary measures to ensure it is able to promptly act on data subjects' access requests.
Find more information about this fine on GDPR hub.
Stay on top of Data Subject Access Request
To help your company avoid unnecessary fines for violating Data Subject Access Request obligations, make sure that you:
- Build trust with clients and customers and make sure they are well informed about your use and management of their data
- Provide users with a customer facing dashboard to easily view and manage their data
- Have a secure service to verify data subjects' identities and send requests, one that also allows your company to simply manage and securely respond to any requests submitted.
Need help? Check out our Data Subject Access Request Solution for more information about how our service may support your business or send us a request to talk: hello@eyd.tech