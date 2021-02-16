However, the trustee ordered the controller to delete data that is not necessary for its retention due to its statutory task.

Data Protection Supervisor according to the optician’s shop has had a reason under the data protection regulation to process the customer’s personal data, which is also necessary for the customer’s identification.

The processing of the customer’s personal data has been based on the agreement and the legitimate interest of the controller. The EDPS notes that consent is only one possible ground for the processing of personal data.

However, the controller had not sufficiently informed the data subject what action it had taken following the request for deletion or why the data could not be deleted.

HS said last Sunday from a years-long data protection dispute in which a customer took action against the collection and storage of his or her personal information. The optician’s shop again said awaiting a decision on the matter.

The controller was also ordered to delete information that is not necessary for its retention due to its statutory function.

The Data Protection Commissioner announced on Tuesday that it has issued a decision on the processing of personal data by an optician in a case where a customer had requested the deletion of the data.

The EDPS ‘decision on the complaint had already been completed in January, but the decision had not previously been communicated to the parties due to missing address details.

Data Protection Supervisor the office had received a complaint from a customer who had asked an optician to delete his information but had not received a response to his request.

After purchasing glasses from an optician, the customer had noticed that information about him was stored in the company’s system.

The applicant contacted an optician and stated that he had not consented to the storage of his data. The customer asked the data controller to delete all data concerning him but did not receive a response to his inquiry.

Information in connection with a removal request, the controller has requested information from customers in order to verify their identity. It has been possible to request the deletion of data using an online form. The registrar has stated that he is requesting identification information on the online form, which he compares with the information in his customer register.

The information collected by the registrar on the online form for identification purposes is the same information that the registrar normally processes from registrants in its customer register. For this reason, the EDPS considers that personal data have not been processed in breach of the principle of data minimization set out in the General Data Protection Regulation.

According to the explanation received by the Data Protection Commissioner from the controller, the basis for the processing of the customer’s personal data has been the agreement and the legitimate interest of the controller.

Provided the applicant has used the services of an optician or ophthalmologist, the processing of personal data may also have been based on a statutory obligation of the controller, the EDPS notes.

According to the Healthcare Professional Act, an optician is a healthcare professional. Therefore, according to the Act on the Status and Rights of Patients, an optician must enter in patient records the information necessary to ensure the organization, planning, implementation and monitoring of patient care.

However, the EDPS has issued a remark to the controller, as the controller did not communicate to the customer clearly enough what action it has taken following the customer’s request or why the data cannot be deleted.

If If the controller does not take action on the data subject’s request, the Data Protection Regulation requires the data controller to inform the data subject of the reasons without delay and at the latest within one month of receiving the request.

The Data Protection Officer has also instructed the controller to comply with the customer’s request to have his or her data deleted in so far as it is not a case of patient documents in accordance with the Patient Status and Rights Act.

The decision is not final, as it can be appealed to an administrative court.