VDAI (Lithuania) - 3R-728: Difference between revisions

Following an ex officio investigation, the DPA ordered a medical services provider to set storage periods for documents related to the processing of access requests, and to inform requestors about the time frame for response.

English Summary

Facts

The DPA carried out an ex officio investigation on how medical tests provider UAB Diagnostikos laboratorija (the controller) handled access requests. The controller processed personal data for about 1 million individuals.

Holding

The DPA carried out an ex officio investigation on UAB Diagnostikos laboratorija (the controller). The controller provided medical tests and processes the personal data of about 1 million individuals. The investigation focused on the handling of access requests.

Comment

The DPA found that the controller did not have a specific storage period for the documents related to the processing of an access request. For this reason, the DPA held that the controller violated Article 24(1) GDPR.

Additionally, the DPA found that after receiving a request, the controller did not inform the data subject about the timeframe for processing the request. The DPA considered this a violation of Article 12(3) GDPR.

The DPA ordered the data subject to address these shortcomings.

The DPA found no other issues with the processing of access requests. In particular, the content of the response was complete and appropriate, and the controller implemented correct criteria for assessing whether a request was manifestly unfounded or excessive.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Lithuanian original. Please refer to the Lithuanian original for more details.