The shortest month of the year had no shortage of fines issued for GDPR violations, especially in the field of implementation of data subject rights. One example is a fine issued on the 6th of February 2023 by the Norwegian DPA. The fitness and training services company Sats ASA (“Company”) was fined EUR 900,000 for, amongst other things, improper fulfillment of data subject rights. The Norwegian DPA launched an investigation into the Company after receiving several complaints concerning the Company’s failure to comply with demands for access and deletion.
The investigation revealed several deficiencies in complying with the rights of data subjects. The Company failed not only to fulfil some of the requests it received, but also to respond to them. Additionally, the Company could not determine the number of data subject rights requests it had received, which indicated a lack of proper record keeping. Link to the Sats ASA fine can be found here.
This was not the only fine issued for GDPR violations related to the improper implementation of data subject rights requests. The Romanian DPA fined Tensa Art Design SA (“Controller”), a company operating in the electronic shopping and mail-order houses sector, for violations related to data subject rights. The Controller was fined after unsolicited commercial messages were sent to a person who had previously unsubscribed from the newsletter. As such, the Controller violated the person’s right to object to the processing of their data. Link to the Tensa Art Design SA fine can be found here.
Why are these fines relevant?
According to the report issued by the European Data Protection Supervisor, data subjects’ right of access and right to erasure have been among the top 2 most common themes of complaints. The GDPR provides data subjects with a wide range of rights that can be exercised when their personal data is processed. Data controllers are responsible for implementing requests to exercise these rights, which can sometimes be challenging for various reasons: the time limit for fulfilling requests, the data subject identity verification requirements, the exhaustive list of cases where data subject rights requests can be rejected, and many other associated procedural requirements can overwhelm even the most experienced data controllers. That said, with adequate preparation and a review of commonly made mistakes, proper implementation of data subject rights requests can become more manageable and straightforward.
How to achieve this?
ECOVIS ProventusLaw welcomes you to our free monthly review of the most relevant GDPR fines. The review aims to introduce you and your staff to real-life examples of GDPR violations and provide advice on avoiding making similar mistakes. You can access the monthly GDPR fine overviews here.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding a specific situation related to the proper implementation of data subject rights, or any other question related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior associate Julija Ginotytė.