Freedom Finance Europe Ltd – Complaint Upheld (Cyprus, 2023)

Complaint Upheld
DPA Commissioner | 7 September 2023 | Cyprus
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Freedom Finance Europe Ltd faced a complaint for not responding to a customer's request to delete her personal data. This case is important because it highlights the need for companies to have proper systems in place to handle data requests from users.

What happened

A customer requested the deletion of her data but did not receive a response from Freedom Finance.

Who was affected

The customer who requested her personal data to be deleted.

What the authority found

The Cypriot DPA found that Freedom Finance failed to inform the customer about her deletion request in a timely manner.

Why this matters

This ruling underscores the importance of having clear procedures for handling user data requests. Companies should ensure they have the right systems to respond promptly to such requests to avoid complaints.

GDPR Articles Cited

Art. 17 GDPR
Art. 12(3) GDPR
Art. 24(1) GDPR
Art. 58(2) GDPR
Source verified 20 March 2026
articles corrected
Full Legal Summary

A data subject made a request for the deletion of her data with Freedom Finance Germany TT GmbH, a subsidiary of Freedom Finance Europe Ltd (the controller). Since the data subject never got a reply, she again requested the erasure of her data. Having again received no reply, the data subject filed a complaint with the German DPA against the controller regarding the non-fulfilment of her right to erasure. However, given that the controller has its main establishment in Cyprus, under Article 60 GDPR, the complaint was transmitted to the Cypriot DPA as the lead supervisory authority in line with Article 56 GDPR.

The Cypriot DPA asked the controller for its views on the matter and for proof that the complainant's personal data had been deleted, which the controller confirmed to have done after it was notified of the complaint. Additionally, the controller explained that it was not aware of the data subject's erasure request since the data subject contacted the email address used for initial customer communication and not the appropriate email address of the DPO.

The DPA held that the controller should have informed the data subject, under Article 12(3) GDPR, in a clear and concise manner and without undue delay that her erasure request was satisfied. Moreover, considering that at the time of the data subject's first erasure request the GDPR had been applicable for more than two years, the controller should have had in place appropriate measures to comply with the data subject rights set out in Articles 15 to 22 of the GDPR. Pursuant to Article 24(1) GDPR, the controller should have implemented appropriate technical and organisational measures to ensure that all emails received relating to data subject rights would be acknowledged without further delay. On the basis of the infringements found, and considering that the controller satisfied the erasure request after being notified of the complaint, the DPA issued a reprimand to the controller under Article 58(2)(b) GDPR.

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Details

Decision Date

7 September 2023

Authority

DPA Commissioner

GDPRhub ID

gdprhub-7551

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Freedom Finance Europe Ltd - Cyprus (2023). Retrieved from cookiefines.eu
