June 29, 2022

Volume XII, Number 180


The Importance of Managing DSARs

Individuals who had difficulty obtaining responses to their data subject access requests (DSARs) from French telephone operator Free Mobile filed several complaints with the French data protection authority (CNIL). These requests related to accessing their personal data and objecting to receiving direct marketing messages by electronic means. After its investigations, the CNIL imposed a fine of €300,000 against Free Mobile on 28 December 2021.

The CNIL charged Free Mobile with four grounds of breach of the General Data Protection Regulation (EU) 2016/679 (GDPR):

  • Failure to comply with the right of access of data subjects regarding their personal data (Articles 12 and 15 GDPR), since Free Mobile did not respond to the requests made by the claimants within the 30-day time limit.

  • Failure to comply with the right to object of the data subjects (Articles 12 and 21 GDPR), since Free Mobile did not take into account the requests of the claimants to cease sending them direct marketing communications.

  • Breach of the obligation to protect data by design (Article 25 GDPR), as Free Mobile kept invoicing claimants for telephone services despite their subscription being cancelled.

  • Breach of the obligation to ensure the security of personal data (Article 32 GDPR), since Free Mobile sent users’ passwords in clear text by unsecured email when they subscribed to Free Mobile’s services (these passwords were not temporary, and Free Mobile did not require them to be changed).

The CNIL also decided to make the sanction public. Free Mobile argued that such publicity would be disproportionate considering the severity of the breaches and the low number of complaints (seven), and that it would irreversibly damage its reputation. Nevertheless, the CNIL chose to publish the sanction, justifying its decision by the need to reiterate the importance of responding to data subjects’ access requests within the relevant timeline (usually 30 days) with all the relevant and required information (Articles 13 and 14 GDPR) and of ensuring the security of users’ personal data.

In January 2020, the Dutch Supervisory Authority set the precedent on the importance of the GDPR principle of data minimization, especially when data subjects exercise their rights through DSARs. According to this principle, controllers must not collect data that is unnecessary for the purpose of the processing.

Under this obligation, the Dutch Supervisory Authority fined media company Sanoma Media Netherlands B.V. on the ground that it made DSARs conditional on first uploading a full copy of an identity document. The supervisory authority considered that this practice made it overly complicated for customers to access their data or have their data deleted, and that the media company collected unnecessary personal data in view of the request submitted by the data subject.

As GDPR approaches its fourth anniversary, it is becoming clear that, on the one hand, data subjects have acquired the awareness necessary to exercise their rights, and, on the other hand, data controllers must implement effective channels and internal processes to handle DSARs properly, effectively, in a timely manner, and in a way that does not, in turn, generate its own set of GDPR breaches.

Copyright 2022 K & L Gates

National Law Review, Volume XII, Number 172

About this Author

Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney
Partner

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...

33-0-1-58-44-15-16