Background information
- Date of final decision: 14 October 2020
- Cross-border case
- LSA: HU SA
- and CSAs: DE SAs: Baden-Wurttemberg, Berlin, PT SA, DE SA and NO SA
- Controller: airline company
- Legal Reference (s): Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 17 (Right to erasure (‘right to be forgotten’)), Article 25 (Data protection by design and by default)
- Decision: reprimand
- Key words: Right to erasure, Direct marketing, Data protection by design and by default
Summary of the Decision
Origin of the case
The Complainant lodged a complaint in which he requested the Company to erase his personal data and his e-mail address processed for the direct marketing purpose and also requested not to be sent any newsletters.
The customer service informed the Complainant of having received his erasure request but requested an additional eight weeks to take measures on the basis of the request in view of the fact that they received a large number of similar requests. The Complainant informed the Company that he did not accept the extension of the due date for erasure by eight weeks and repeated his erasure request.
On 28 September 2018, the Company informed the Complainant that it erased his e-mail address from the newsletter database. In spite of this information, the Complainant continued to receive the Company’s newsletter of 8 October 2018.
Key Findings
The Complainant was aimed in fact only at the erasure of a single e-mail address, it cannot be regarded either as complex or of a large number, i.e. the conditions on the basis of which the deadline for performance could have been lawfully extended did not exist with respect to the Complainant’s request, hence the Company breached Article 12(3) of GDPR when they failed to meet the Complainant’s erasure request without undue delay.
The Company met its erasure obligation only with a delay thereby infringing the Complainant’s right to erasure according to Article 17(1)(b) of GDPR.
The Company also failed to meet the requirements of data protection by design when the Complainant still received a newsletter eleven days after his e-mail address was deleted from the Company’s newsletter database, so the Company breached Article 25(1) of GDPR.
Decision
The Authority established that the Company breached Article 12(3), Article 17(1)(b) and 25(1) of GDPR.
The Authority – based on the Article 58(2)(b) of GDPR – issued a reprimand to the Company for the abovementioned infringements of GDPR.
For further information: national decision
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.