Cross-Border Complaint Concerning an Access Request to a Large Social Media Platform

The DPC received a complaint via the One-Stop-Shop (OSS) mechanism related to an access request made to a large social media platform (Data Controller) pursuant to Article 15 GDPR. 

The individual noticed that their account with the Data Controller appeared to have been hacked and subsequently disabled by the Data Controller. The individual made an access request to the Data Controller in order to obtain a copy of their data. The Data Controller directed them to a set of self-service tools outlining how to access and download their data. 

However, the individual was unable to avail of the self-service tools due to the restriction placed on their account. Having raised this issue with the Data Controller, the individual received further correspondence from the Data Controller explaining that for security reasons it was unable to reinstate the account or provide a copy of the data and considered the case closed.

Upon receipt of the complaint, the DPC commenced an examination of the complaint with the Data Controller pursuant to section 109 of the Data Protection Act. In response to the DPC’s examination, the Data Controller referred the account to its internal team for further investigation, which confirmed that the account showed signs of compromise and that the account had been disabled as a result of activity which occurred on the account during the period it was compromised. The Data Controller therefore agreed to reverse the disablement of the individual’s account and facilitate them in regaining access. Once they had regained full access to their account, the Data Controller advised how the individual could access the self-service tools to access and download a copy of their data if they still wished to do so.

In light of the above actions, the Data Subject subsequently confirmed to the DPC that they considered their complaint resolved.

Key Takeaway

  • This case illustrates the need to ensure appropriate measures are in place to facilitate the exercise of data subject rights, and how directing individuals to self-service tools as a default response to an access request will not always be an appropriate means of doing so. This is particularly so where an individual is unable to avail of the self-service tools for whatever reason, such as where an account may have been hacked by a third party and subsequently restricted by the controller as a result.