Bolt – Complaint Upheld (Estonia, 2024)

A data subject was a user of the Bolt app. They tried to change the phone number used, but the app didn’t provide for such a functionality. The data subject contacted the provider of the Bolt app (the controller) by sending emails asking for correction of their phone number in accordance with Article 16 GDPR. The controller didn’t reply. The data subject, represented by noby, lodged a complaint with the Austrian DPA (DSB), who forwarded the case to the Estonian DPA (AKI). During the proceedings, the controller stated that the user’s phone number served as a unique ID within the app’s system. Consequently, it was impossible to change the phone number used when first registering. The only available option was to delete the account and create a new one. In response, the DPA suggested to the controller it might update its system to allow for users changing their phone number in the app. Moreover, the DPA suggested the controller might answer the data subject’s request. As advised by the DPA, the controller updated the software and notified the DPA in August 2023. Also, the controller answered the requests of the data subject. The DPA upheld the complaint. The controller failed to reply to rectification request without undue delay, according to Article 12(3) GDPR. Eventually, the request was answerer but only after the DPA’s suggestion. However, as pointed out by the DPA, also during the proceedings the controller delayed to respond to the data subject. Furthermore, the controller didn’t implement appropriate organisational and technical measures under Article 32(1) GDPR in conjunction with Article 24(1) GDPR to ensure the confidentiality of personal data. In particular, the controller didn’t envisage measures to prevent third-parties from unauthorised access to personal data of other users. That was possible when the owner of the phone number assigned to the account changed in the meantime since the new owner could then access the account created by the previous