Complaint about the right to erasure
The Danish Data Protection Agency hereby returns to the case where, on 30th of November 2018, (hereinafter: the complainant) complained to the Hellenic Data Protection Authority about eMarketing Institute’s handling of her request for erasure of personal data. In line with Article 56 of the General Data Protection Regulation, the Danish Data
Protection Agency has been designated as the leading supervisory authority of the case.
1. Decision
Following a review of the case, the Danish Data Protection Agency finds that there are grounds to criticize that the processing of personal data done by eMarketing Institute was not done in accordance with the rules of Article 12(2) and 12(3) of the General Data Protection Regulation.
The details of the case and the reasons for the decision of the Danish Data Protection Agency are set out below.
2. Statement of facts
It appears from the case that the complainant by e-mails of 25th of October and 8th of November 2018 requested that eMarketing Institute delete personal data about her on eMarketing Institutes website and in a number of links. When the complainant did not receive a response, she contacted the Hellenic Data Protection Authority. In light of the complaint’s notification, the Hellenic Data Protection Authority sent an e-mail to eMarketing Institute on 30th of November 2018 to inquire as to whether eMarketing Institute had received the complainant’s request for erasure.
By e-mail of 2nd of December 2018, eMarketing Institute responded that the company now had deleted the complainant’s account including all links.
2.1. eMarketing Institute’s remarks
eMarketing Institute has stated that the complainant’s request was answered three days after the company became aware of the request and for this reason eMarketing Institute is of the opinion that the request was answered in accordance with Article 12(3) of the General Data Protection Regulation.
eMarketing Institute has stated that because the support function at eMarketing Institute for a considerable amount of time had received an increasing number of unwanted e-mails, there was implemented a new function on the website in September 2018, which allowed the user to semi automatically get their profile deleted. If you followed the instruction on the website, the e-mail would be caught and sent to the owner of the website. The owner of the website would thus only receive e-mails sent to the support address, if the following text was included: DELETE999MYACCOUNT. The reason the system was made this way was to ensure that it was a person, and not a robot, who had made the request for erasure.
eMarketing Institute has stated that the complainant did not follow the instruction, since her email to support@emarketinginstitute.org did not include the necessary text, and for this reason the owner of the website did not become aware of the request for erasure. eMarketing Institute has finally stated that the function for deletion on the website has been further developed in the beginning of 2020. The delete function is now fully automatic so the users themselves can delete their profiles without delay.
2.2. The complainant’s remarks
The complainant has generally stated that eMarketing Institute did not answer her request for erasure.
3. Justification for the Danish Data Protection Agency’s decision
It follows from Article 12(2) of the General Data Protection Regulation that the controller shall facilitate the exercise of data subject rights under amongst others Article 17 regarding erasure.
It follows from Article 12(3) of the General Data Protection Regulation that the controller shall provide information on action taken on a request under amongst others Article 17 regarding erasure to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the
reasons for the delay. The Danish Data Protection Agency finds that eMarketing Institute has not handled the complainant’s request for deletion in accordance with Article 12(2) and 12(3).
The Danish Data Protection Agency has attached importance to the fact that eMarkting Institute – by demanding that the data subject use a specific code in order to receive an answer to their request for erasure – has not facilitated the exercise of the rights of the data subject in accordance with Article 12(2), and that eMarketing Institute has not answered the request of the complainant in due time, cf. Article 12(3), since eMarketing Institute only on the 2nd of December 2018 answered the complainant’s request of 25th of October 2018.
On the basis of the above, the Danish Data Protection Agency criticizes that the processing of personal data done by eMarketing Institute was not been done in accordance with the rules of Article 12(2) and 12(3) of the General Data Protection Regulation.
The Danish Data Protection Agency notices that eMarketing Institute has changed their pro-cedure for erasure, so the data subjects can delete their profiles themselves.
4. Final remarks
The decisions of the Danish Data Protection Agency can be brought before the Danish courts, cf. the Danish constitution section 63. The Danish Data Protection Agency has informed the Hellenic Data Protection Authority of this decision in order for the Hellenic Data Protection Authority to pass on the decision to the complainant.
The Danish Data Protection Agency considers the case closed and will not take further action in the case.