Cross-Border Complaint Concerning a Delisting Request

The DPC received a complaint via the One-Stop-Shop (OSS) mechanism related to a “right to be forgotten” delisting request made to a large multinational technology company (Data Controller) pursuant to Article 17 GDPR. 

Cross-Border Complaint Concerning an Access Request to a Large Social Media Platform

The DPC received a complaint via the One-Stop-Shop (OSS) mechanism related to an access request made to a large social media platform (Data Controller) pursuant to Article 15 GDPR. The individual noticed that their account with the Data Controller appeared to have been hacked and subsequently disabled by the Data Controller. The individual made an access request to the Data Controller in order to obtain a copy of their data. The Data Controller directed them to a set of self-service tools outlining how to access and download their data. 

Amicable Resolution of a Cross Border Complaint regarding a Right to Erasure Request

The DPC received a complaint via the One-Stop-Shop (OSS) mechanism from an individual regarding the handling of an Article 17 GDPR erasure request made by them. 

Cross-Border Complaint Concerning Right to Erasure Request to an Online Financial Company Amicably Resolved

The DPC as Lead Supervisory Authority received a complaint via the One- Stop-Shop (OSS) mechanism created by the GDPR from an individual in Germany regarding an erasure request, pursuant to Article 17 of the GDPR to an online financial company based in Ireland. 

Cross-Border Complaint: Delisting Request pursuant to Article 17 GDPR

Via the One-Stop-Shop (OSS) mechanism, the DPC received a complaint related to a ‘Right to be Forgotten’ request made to a large multinational technology company pursuant to Article 17 GDPR. The individual requested the delisting of three URLs that were being returned in a search against the individual’s name on the controller’s search engine. The URLs in question related to their now-deregistered business. The individual’s personal telephone number and residential address were visible through the URLs in question (the individual having operated their previous business at that same address). 

Amicable resolution in cross-border complaints — Yahoo EMEA Limited

The DPC received a complaint in March 2021 from the Bavarian data protection authority on behalf of a Bavarian complainant against Yahoo EMEA Limited. Under the One Stop Shop (OSS) mechanism created by the GDPR, the location of a company’s main EU establishment dictates

which EU authority will act as the lead supervisory authority (LSA) in relation to any complaints received. Once the lead authority is established, the authority that received the complaint acts

as a concerned supervisory authority (CSA). The CSA is the intermediary between the LSA and the individual. In this case, the DPC is the LSA, as the company complained of has its main establishment in Ireland.

Amicable Resolution in Cross-Border Complaints: Facebook Ireland

The DPC received a multi-faceted complaint in April 2019 relating to requests for access (under Article 15 of the GDPR), rectification (under Article 16 of the GDPR) and erasure (under Article 17 of the GDPR) that the complainant had made to Facebook Ireland Limited (“Facebook”). The complaint was made directly to the DPC, from a data subject based in the UK. Upon assessment in the DPC, the complaint was deemed to be cross border because it related to Facebook’s general operational policies and, as Facebook is available throughout the EU, the processing complained of was therefore deemed to be of a kind “….which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross border processing under Article 4(23) of the GDPR).

Amicable Resolution in Cross-Border Complaints: MTCH

The DPC received a complaint in June 2020, via its complaint webforms, against MTCH Technology Services Limited (Tinder). Although the complaint was made directly to the DPC, from an Irish resident, upon assessment it was deemed to constitute a cross-border complaint because it related to Tinder’s general operational policies and, as Tinder is available throughout the EU, the processing complained of was therefore deemed to be of a kind “….which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross border processing under Article 4(23) of the GDPR).

Article 60 Non-response to an Access Request by Ryanair

In this case, the complainant initially submitted their complaint to the Information Commissioner’s Office (ICO) of the UK, which was thereafter received by the DPC, on 2 March 2019. The complaint related to the alleged failure by the Ryanair DAC (Ryanair) to comply with a subject access request submitted to it by the complainant on 26 September 2018 in accordance with Article 15 of the GDPR. The ICO provided the DPC with a copy of the complaint form submitted to the ICO by the complainant, a copy of the acknowledgement, dated 26 September 2018, that the complainant had received from the data controller when submitting the access request, and a copy of the complainant’s follow up email. 

Cross-border complaint resolved through EU cooperation procedure

In February 2021, a data subject lodged a complaint pursuant to Article 77 GDPR with the Data Protection Commission concerning an Irish-based data controller. The DPC was deemed to be the competent authority for the purpose of Article 56(1) GDPR.

Erasure request to Tinder by Greek data subject, handled by the DPC as Lead Supervisory Authority

This case study concerns a complaint the DPC received via the One Stop Shop (OSS) mechanism created by the GDPR from an individual regarding an erasure request made by them to MTCH Technology Services Limited (Tinder). As way of background, the individual’s account was the subject of a suspension by Tinder. Following this suspension, the individual submitted a request to Tinder, under Article 17 of the GDPR, seeking the erasure of all personal data held in relation to them. When contacting Tinder, the individual also raised an issue with the lack of a direct channel for contacting Tinder’s DPO. As the individual was not satisfied with the response they received from Tinder, they made a complaint to the Greek Supervisory Authority.

Handling an Irish data subject’s complaint against German- based Cardmarket using the GDPR One Stop Shop mechanism

The Data Protection Commission (DPC) received a complaint from an Irish individual against Cardmarket, a German e-commerce and trading platform. The individual received an email from Cardmarket, notifying them that it had been hacked and that some of its users’ personal information may have been leaked. The individual alerted the DPC and submitted a complaint in relation to the breach.

The Operation of the Article 60 Procedure in Cross-Border Complaints: Groupon

The DPC received a complaint in July 2018 from the Polish data protection authority on behalf of a Polish complainant against Groupon International Limited (“Groupon”). The complaint related to the requirements that Groupon had in place at that time to verify the identity of individuals who made data protection rights requests to it. In this case, the complainant alleged that Groupon’s practice of requiring them to verify their identity by way of electronic submission of a copy of a national identity card, in the context of a request they had made for erasure of personal data pursuant to Article 17 of the GDPR, constituted an infringement of the principle of data minimisation as set out in Article 5(1) (c) of the GDPR, in circumstances where there was no requirement to provide an identity document when a Groupon account was created. In addition, the complainant alleged that Groupon’s subsequent failure to act on the erasure request (in circumstances where the individual objected to providing a copy of their national identity card) constituted an infringement of their right to erasure under Article 17.

Amicable resolution in cross-border complaints: Google (YouTube)

The DPC received a complaint in September 2020, via its complaint webform, against Google Ireland Limited (YouTube). The complaint was made by a parent acting on behalf of their child and concerned a YouTube channel/account. The YouTube channel/account had been set up when the child was ten years old and at a time when they did not appreciate the consequences of posting videos online.

TikTok and cooperation with other EU data protection authorities

During 2021, GDPR Article 61 mutual assistance requests were received by the DPC from the Dutch and the French data protection authorities. Each of these requests sought the DPC to further investigate a number of concerns relating to TikTok’s processing of its users’ personal data, particularly child users.

Amicable resolution in cross-border complaints — access request to Airbnb

The DPC received a complaint in September 2020 relating to a request for access (under Article 15 of the GDPR), that the complainant had made to Airbnb Ireland UC (“Airbnb”). The complaint was made directly to the DPC, from an individual based in Malta. Upon assessment by the DPC, the complaint was deemed to be a cross border one because it related to Airbnb’s general operational policies and, as Airbnb is available throughout the EU, the processing complained of was therefore deemed to be of a kind “….which substantially affects or is likely to substantially affect data subjects in more than one Member State” (as per the definition of cross-border processing under Article 4(23) of the GDPR).