IMY states that the data subjects’ right of access can be practiced under “my profile”

In August 2020, an unauthorized person accessed the complainant’s account at the streaming service SF Anytime. The unauthorized person rented a movie, which the complainant was charged for. When the complainant noticed the situation, the person concerned turned to SF Anytime to receive the unauthorized person’s IP address to be attached in a police report. SF Anytime denied the complainant’s request, whereupon the complainant requested access to all his personal data stored by SF Anytime. The controller (SF Anytime) referred to the “my profile” page at their website where the personal data, including the IP address requested, could be accessed. However, the complainant alleged that the file did not contain all his personal data.

Furthermore, SF Anytime highlights that no infringements have taken place in the company’s environments and that the customer is responsible for the protection of the login details according to the terms and conditions. Consequently, the streaming service concludes that the unauthorized person most likely has accessed the account through the complainant’s username and password.

IMY states that there is no reason to question SF Anytime’s description of the lack of infringements and accepts the company’s use of “my profile” as a means of granting the data subject the right of access. This is because all personal data could be found in the downloaded file. Hence, IMY terminates the supervision and closes the case.

Source: https://edpb.europa.eu/system/files/2023-02/se_2022-11_decision_public_redacted.pdf