Microsoft Operations Ireland Limited – Complaint Upheld (Ireland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Microsoft Operations Ireland Limited faced a complaint after it refused to delete a user's personal data from its search engine. The case matters because it shows that companies must handle data deletion requests properly.
What happened
A user requested Microsoft to delete personal data from Bing, but Microsoft initially refused, claiming public interest.
Who was affected
The user who requested the deletion of their personal data was affected by Microsoft's actions.
What the authority found
The data protection authority found that Microsoft did not fully inform the user about their rights regarding data deletion.
Why this matters
This case highlights the need for companies to clearly communicate user rights and handle deletion requests promptly. It sets a precedent for how companies should manage such requests.
GDPR Articles Cited
A data subject submitted an erasure request under Article 17 GDPR to Microsoft, the controller, to delete his website and other content from Microsoft's search engine (Bing). However, Microsoft refused to do so by claiming public interest. The data subject thus filed a complaint with the Bavarian DPA, which transferred it to the Irish DPC as Lead Supervisory Authority under Article 56 GDPR and initiated a cooperation mechanism according to Article 60 GDPR. Subsequently, the data subject again wrote to Microsoft seeking the deletion of all his personal data from Microsoft search engine. Thereafter, Microsoft replied to the data subject that it would remove two URLs but not the others because it claimed that public interest ouweighed his interest in privacy. Again, the data subject contacted Microsoft to have his personal data deleted, and this time, Microsoft shared instructions to close a Microsoft account. Through a series of communications with the DPC, Microsoft finally proceeded to delist the remaining URLs of the data subject, upon which the DPC, via the Bavarian DPA, informed the data subject of deletion. Still, the data subject rejected the amicable settlement proposed thereafter by the Bavarian DPA as Microsoft took a lot of time deleting his personal data, and he feared its possible disclosure to third parties. After another series of exchanges, the DPC continued its investigation in order to issue a draft decision on "Whether Microsoft's handling of the Complainant's erasure requests was compliant with Articles 12 and 17 of the GDPR". The DPC initiated its inquiry on the matter on 29 June 2023. First, the DPC held that based on the documentation on record, it was clear that Microsoft did inform the data subject that he had the option of approaching a supervisory authority when Microsoft denied his erasure request. However, Microsoft did not inform the data subject about his right to a judicial remedy at any stage of its communications, thereby
Outcome
Complaint Upheld
A data subject complaint that was upheld by the DPA.
Related Enforcement Actions (0)
No other enforcement actions found for Microsoft Operations Ireland Limited in IE
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Microsoft Operations Ireland Limited - Ireland (2023). Retrieved from cookiefines.eu
Last updated: