IDPC (Malta) - EDPBI:MT:OSS:D:2022:341: Difference between revisions

From GDPRhub

Revision as of 18:11, 8 November 2022

IDPC - EDPBI:MT:OSS:D:2022:341
Authority: IDPC (Malta)
Jurisdiction: Malta
Relevant Law: Article 12(2) GDPR, Article 15 GDPR, Article 58(2)(b) GDPR, Article 58(2)(d) GDPR, Article 61 GDPR
Type: Complaint
Outcome: Upheld
Started: 30.10.2020
Decided: 04.03.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: EDPBI:MT:OSS:D:2022:341
European Case Law Identifier: EDPBI:MT:OSS:D:2022:341
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

The DPA of Malta reprimanded a controller pursuant to Article 58(2)(b) GDPR for requiring a photo of an ID document as the identification method for exercising an access request. The DPA also ordered the controller to comply with the request pursuant to Article 58(2)(d) GDPR.

English Summary

Facts

The data subject filed an access request pursuant to Article 15 GDPR on 22 September 2022. The controller asked for a certified copy of his identity card or passport on the same day. The data subject provided a photo of his identity card, but stated that there were no grounds for requesting it. The controller replied that the photo was necessary for identification purposes, given that the data subject's request involved sensitive personal data. The data subject, on the other hand, stated that the request for an ID photo was unlawful and contrary to the GDPR: the controller should have used other information already available to it, such as an e-mail address, to confirm the data subject's identity.

The data subject filed a complaint against the controller with the Berlin DPA on 30 October 2020, and the Berlin DPA lodged a mutual assistance notification under Article 61 GDPR. After the Berlin DPA transferred the complaint, the Information and Data Protection Commissioner of Malta (DPA) acted as the Lead Supervisory Authority.

The DPA started an investigation into the controller. During this investigation, the controller stated that it had received false requests in the past seeking access to the user data of its 'players'. The controller therefore considered it necessary to adopt additional measures to verify players' authenticity, including requesting proof of identity. Occasionally, when the controller's customer support agents were not satisfied, they would request an additional method of verification, namely a certified or notarised copy of the user's identification document, relying on the 'identity verification' referred to in Recital 64 GDPR.

The controller initially stated that the data subject had multiple user accounts, which was the reason it had doubts about the data subject's identity. However, the controller later informed the DPA that the data subject had only one registered user account.

Holding

Relevant provisions and WP29 considerations

The DPA held that the controller violated Article 12(2) GDPR by not complying with the access request (Article 15 GDPR).

The controller stated that Article 12(2) aims to ensure substantive rights for data subjects by establishing clear, proportionate and effective conditions on how data subjects can exercise their rights. Further, the controller was not allowed to refuse to act on a data subject's request to exercise their rights under Articles 15 to 22 GDPR, unless the controller was not in a position to identify the data subject. The controller should use all reasonable measures to verify the identity of a data subject, in particular in the context of online services and online identifiers (Recital 64).

The DPA held that the GDPR does not describe how data subjects are to be authenticated. The DPA therefore referred to the WP29 Guidelines on data portability for elaboration and held that a controller shall not refuse to act on a request where the data subject has already provided additional information enabling his or her identification. Moreover, the controller's ability to request additional information cannot lead to excessive demands or to the collection of data which are not necessary or relevant.

The DPA went on to note that the GDPR does not define 'reasonable measures', but that Recital 57 describes an example in the context of online services and online identifiers: an authentication mechanism such as the same credentials used by the data subject to log in to the online service offered by the controller.

The DPA stated that a request to verify the identity of the data subject must be proportionate. The controller is not allowed to require a broader range of personal data than that which it already processed prior to the request, unless this is strictly necessary. The DPA stressed that when the controller asks for additional information for identity verification, this processing has to comply with the data minimisation principle (Article 5(1)(c) GDPR). The controller should also take into account the broad range of categories of personal data contained in a copy of an identity document and the risk arising from the processing of such personal data.

Present case

The DPA determined that the controller's own procedure for ID verification did not require a certified copy of the ID in every case, but only in rare cases where the controller's customer support representative had doubts about the data subject's authenticity. The DPA was also unable to find any reference to certified copies of IDs for verification purposes in the controller's submissions during the investigation.

The DPA concluded that the controller had no reason to doubt the data subject's identity, especially after the controller confirmed that the data subject had only one account. The controller could have used other reasonable measures to verify the data subject's identity which would have been equally effective and efficient. The DPA gave a few examples of such measures: matching the information and personal data provided by the data subject against the identity document already on file, or requesting confirmation or further details, such as biographical details and details of the complainant's activity or usage of the controller's platform.

For these reasons, the controller unjustifiably requested a copy of the data subject's ID for verification purposes and failed to facilitate the data subject's access request (Article 15 GDPR). The controller therefore violated Article 12(2) GDPR. The DPA reprimanded the controller (Article 58(2)(b) GDPR) and ordered it to respond to the access request (Article 58(2)(d) GDPR).

Comment

The nature of the controller was not specified. However, the data subject was referred to as a 'player' on the controller's platform, which may be an indication of the nature of the controller's business.

Also, this decision did not carry a case number from the DPA of Malta at the top of the first page, whereas this is usually the case. An ECLI number was, however, provided on the website of the EDPB.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.