Sandpiper CI Ltd, whose franchisee brands include Matalan, Apple, Marks & Spencer, Morrisons, Iceland, Costa Coffee, Hotel Chocolat, Crew Clothing Co, Card Factory and Burger King, has been issued a formal reprimand by the Guernsey Data Protection Authority.
Following an investigation by the Data Protection Authority for the Bailiwick of Guernsey (DPA), it was found that Sandpiper CI Ltd breached section 27 ‘Compliance with request to exercise data subject right’ of the Data Protection (Bailiwick of Guernsey) Law, 2017.
Sandpiper (the Controller) received a right of access request on 30th June 2020 from the Complainant. A request of this nature entitles an individual to, amongst other things, a copy of personal data processed by Sandpiper.
Following a complaint, the DPA conducted an investigation. The complaint concerned alleged non-compliance with the request.
In most cases, Controllers are required to comply with requests of this nature within one month from the date the request is received (‘designated period’). In the event that a Controller is unable to fulfil a request within the designated period, the law states that the Controller (Sandpiper) must notify the requestor, within the designated period, of their reasons for not complying, their right to complain to the DPA and their rights of appeal under the Law. If a Controller determines that the request is complex and requires further time to collate the response, the law allows for the application of a two-month extension on the condition that that decision is communicated to the requestor along with the reasons for the extension within the designated period.
It was found during the investigation that Sandpiper had not responded to the request within the designated period, did not notify the Complainant of its reasons for not complying with the request, did not advise the Complainant of their right to complain to the DPA and did not advise the Complainant of their right to take civil action. In addition, the DPA considered that Sandpiper, which required extra time to respond to the request, did not inform the Complainant of this within the designated period.
As a result, the DPA determined that Sandpiper CI Ltd had failed to comply with section 27 of the Law, ‘Compliance with request to exercise data subject right’. Sandpiper had the right to appeal this decision but chose not to.
Where organisations process personal data in a manner which breaches operative provisions of the Law, the DPA will consider taking action to address those breaches and the imposition of an appropriate sanction, which can include the issuance of an administrative fine.
In this case, the DPA considered the following factors when determining an appropriate sanction:
Mitigating factors
- It was considered that Sandpiper had made efforts to respond to the Complainant’s request, albeit whilst not fulfilling the requirements of section 27.
- The nature of the request required Sandpiper to access archived information, the retrieval of which was not straightforward, and as such an extension could be applied to the response period.
- Sandpiper was diligent in responding to queries from the DPA.
Aggravating factors
- The delay in responding to the request arose because Sandpiper had not searched archived material when preparing its initial response. This became apparent once Sandpiper was notified that the response was incomplete, and further searches were required to fulfil the request, taking the response time beyond the designated period. Had Sandpiper had a more robust data governance structure in place, allowing it to recognise readily that archived material fell within the scope of the request, it is likely that a breach of this nature could have been avoided or mitigated.
The DPA, in consideration of the aforementioned failures, has decided to impose a formal reprimand.
The Bailiwick’s Data Protection Commissioner, Emma Martins, commented: “This case highlights the importance of controllers knowing exactly where the personal data they are legally responsible for are located. Archived data has as much capacity for harm as other forms of data and needs to be part of the overall data governance framework of any organisation.
“We are grateful for the full cooperation of Sandpiper in this case and hope it serves to remind us all to be prepared to respond to rights requests from individuals. The right of access, as exercised in this case, is a very important part of the data protection law and individuals seeking access to information about themselves have the right to expect timely and complete responses.”