Failure of an airline company to inform the data subject of completion of erasure request

Failure of an airline company to inform the data subject of completion of erasure request and failure of transparency obligations resulted in the imposition of a fine equal to EUR 13,244.

The Data Subject lodged her complaint with the Polish SA stating that she requested the data controller to erase all her personal data in the online interface provided by the data controller on 23 October 2018. In previous cases it has already been identified that the Hungarian SA is the LSA for the data controller, therefore case has been transferred. 

Based on the data controller’s statement and the screenshot made by it on the relevant part of the IT system used to administer erasure requests, the data controller erased the Data Subject’s account on 23 November 2018, but failed to inform the Data Subject thereof prior to 6 March 2019. 

The Hungarian SA founded that the data controller infringed Article 12(3) GDPR because it failed to inform the Data Subject of the action taken based on the request within the time limit and it also infringed the principle of transparent data processing according to Article 5(1)(a) GDPR as the Data Subject could not see what additional data, for what purpose and on what legal basis and for how long were processed by the data controller in relation to her following the erasure of her account and the related personal data. 

The Hungarian SA has also found that Article 5(2) GDPR cannot be regarded as a provision requiring mandatory processing. The Hungarian SA found that that the processing pursued by the data controller in the course of legal procedures related to data subjects cannot be based on the data controller’s legitimate interest, because the balancing test wasn’t appropriate.

The Hungarian SA founded that the data controller has infringed the principle of transparency under Article 5(1)(a) and Article 12(3) GDPR. Further, the Hungarian SA established that the data controller has infringed Article 6(1) and Article 17(1)(a) GDPR. Further, the Hungarian SA ordered the data controller pursuant to Article 58(2)(g) GDPR, to erase the personal data processed for the purpose of recording the Data Subject's activities in relation to the exercise of her data protection rights.

For the infringement described above, based on Article 83(2)(i) GDPR the Hungarian SA ordered the data controller to pay a fine of HUF 5,000,000, which is approximately equal to EUR 13,244. (source: edpb.europa.eu/ photo freepik.com)

Comments

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

The name Pablo Escobar may not be registered as an EU trade mark

Rule of Law: EU law does not require that professional associations of judges are granted the right to challenge decisions relating to the appointment of prosecutors

Gigantic fine for unfair practices imposed on Booking.com by the Competition Authority of Hungary

First judgment of the ECHR: Lawless v. Ireland

The rules of UEFA on ‘homegrown players’ could be contrary to EU law (ECJ)

Nepotism and favouritism in the legal profession