AKI (Estonia) - 18.02.2022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Estonia |DPA-BG-Color= |DPAlogo=LogoEE.png |DPA_Abbrevation=AKI |DPA_With_Country=AKI (Estonia) |Case_Number_Name=18.02.2097 |ECLI=EDPBI:EE:OS...") |
No edit summary |
||
Line 65: | Line 65: | ||
}} | }} | ||
The | In an Article 60 procedure, The Estonian DPA handled three complaints regarding the same controller. It reprimanded the controller for not adequately responding to erasure and access requests. The DPA confirmed in the third decision that requesting an ID for verification is acceptable when there is reasonable doubt about the identity of the data subject. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Estonian DPA | The Estonian DPA acted a lead supervisory authority for three different complaints regarding the same controller. One was transferred by the Estonian DPA, the other two were transferred by the Polish DPA. | ||
<u>Complaint 1: Latvian Data subject</u> | |||
This complaint was transferred on 4 November 2019 by the Latvian DPA to the Estonian DPA. | |||
The second Polish data subject | The data subject submitted an access request to the controller on 28 September 2018 and stated that he wanted to receive information regarding personal data collected about him. The data subject also wanted to change his email address. However, the new email address proposed by the data subject included the name of the controller. | ||
After inquiries from the DPA, the controller stated that the data subject did not have any active user accounts at the moment. However, the controller also mentioned that the data subject had received the requested information already on 28 October 2018. | |||
<u>Complaint 2: Polish Data subject</u> | |||
This complaint was transferred on 25 June 2019 by the Polish DPA to the Estonian DPA. | |||
The Polish data subject also asked for a copy of their data and then requested the deletion of his account. However, the controller deleted the data before sending a copy of the data. The controller said this happened because the data subject had submitted the same request in an unstructured way through 3 different channels. The data subject later made a second account specifically to request his personal data again. This account had also to be deleted afterwards. The controller provided the personal data and deleted the account. | |||
After inquiries from the DPA, the controller stated that based on security considerations, it was preferred that clients would submit requests using the in-app messages with the controller’s application. This way, it would be best ensured that the request was made by the holder of the account. The controller stated that it would do its best to answer request via other channels such as e-mail as well. | |||
<u>Complaint 3: Polish Data subject</u> | |||
The second Polish data subject requested the controller to delete her personal data. However, the controller asked for a picture of herself with her ID in order to complete the deletion. | |||
The Data subject filed a complaint with the Polish DPA on 4 February 2019. | |||
The controller explained that it had reasonable doubt about the identity of the data subject and that it was therefore allowed to request additional information necessary in order to confirm the identity of the data subject (Article 12(6) GDPR)). The data subject had contacted the controller through mail, and not through its application. As such, the controller had to verify the identity of the data subject. For requests made through the controller's application, no such verification was required. The controller also stated that it had deleted the account of the data subject on 22 October 2019. | |||
=== Holding === | === Holding === | ||
<u>Complaint 1: Latvian Data subject</u> | |||
The DPA determined that the controller responded to the request of the data subject and provided the information the data subject had requested. However, the DPA determined that the controller could have responded in a more in-depth manner to the access request. The DPA ever stated that the controller should make responses to data subject more clear in general. | |||
Because of the fact that the controller provided more specific answers to the complaint after inquiries of the DPA, the latter found that a reprimand pursuant of Article 58(2)(b) GDPR was appropriate. | |||
The DPA drew attention to the fact that pursuant of [[Article 5 GDPR|Article 5(1)(a) GDPR]], data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It was also important that persons are not provided misleading information concerning the processing of data (including the deletion of data). The DPA stated that the controller did not have to change the email address according to the wishes of the data subject because it could infringe copyright of the controller. The controller also reiterated the data subject’s right of erasure under Article 17 GDPR. | |||
<u>Complaint 2: Polish data subject</u> | |||
The DPA stated that the controller responded to the request of the data subject. However, the DPA also stated that the abundance of communication channels (In-app messages and e-mail) had created communication problems. It was therefore reasonable to direct customers with an account to make their intentions clear through the application. However, The DPA also stated that the controller could have been more transparent about its processing. In its answers to the data subject. The DPA stated that the controller has to reply to the data subject within one month based on Article 12(3) GDPR). If the request had been fulfilled faster and directly to the data subject, there would have not been complaint in the first place. The DPA determined that a reprimand pursuant of Article 58(2) GDPR was necessary because the data subject is entitled to ask about information collected about them. The DPA specifically reprimanded the controller for not sending a copy to the data subject of its first account. The DPA also drew attention to [[Article 5 GDPR|Article 5(1)(a) GDPR]] and Article 17 GDPR, in the same way it did with Complaint 1. | |||
<u>Complaint 3: Polish data subject</u> | |||
Regarding the last complaint, the DPA confirmed that the account of the data subject had been deleted, so the breach was eliminated. However, it held again that the data processing could have been more transparent. | |||
the DPA stated that the controller may request additional information to verify the identity of a data subject pursuant to [[Article 12 GDPR|Article 12(6) GDPR]] when there is reasonable doubt about the identity. It also stated again that the abundance of communication channels had created communication problems. The DPA also stated that it had made it more difficult to identify users in communication outside the application. It was therefore reasonable to direct customers with an account to use the application. | |||
However, the DPA also reprimanded the controller (Article 58(2)(b) GDPR because it could have explained the legal grounds of its processing for the ID card better and why it was necessary to present an ID card in the first place. The DPA also drew attention again to [[Article 5 GDPR|Article 5(1)(a) GDPR]] and Article 17 GDPR, in the same way it did with Complaint 1 and 2. | |||
The DPA terminated this supervisory proceeding. | |||
== Comment == | == Comment == |
Revision as of 16:11, 15 November 2022
AKI - 18.02.2097 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 5(1) GDPR Article 5(1)(a) GDPR Article 12(6) GDPR Article 60 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 04.11.2019 |
Decided: | 18.02.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 18.02.2097 |
European Case Law Identifier: | EDPBI:EE:OSS:D:2022:333 |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | Enzo Marquet |
In an Article 60 procedure, The Estonian DPA handled three complaints regarding the same controller. It reprimanded the controller for not adequately responding to erasure and access requests. The DPA confirmed in the third decision that requesting an ID for verification is acceptable when there is reasonable doubt about the identity of the data subject.
English Summary
Facts
The Estonian DPA acted a lead supervisory authority for three different complaints regarding the same controller. One was transferred by the Estonian DPA, the other two were transferred by the Polish DPA.
Complaint 1: Latvian Data subject
This complaint was transferred on 4 November 2019 by the Latvian DPA to the Estonian DPA.
The data subject submitted an access request to the controller on 28 September 2018 and stated that he wanted to receive information regarding personal data collected about him. The data subject also wanted to change his email address. However, the new email address proposed by the data subject included the name of the controller.
After inquiries from the DPA, the controller stated that the data subject did not have any active user accounts at the moment. However, the controller also mentioned that the data subject had received the requested information already on 28 October 2018.
Complaint 2: Polish Data subject
This complaint was transferred on 25 June 2019 by the Polish DPA to the Estonian DPA.
The Polish data subject also asked for a copy of their data and then requested the deletion of his account. However, the controller deleted the data before sending a copy of the data. The controller said this happened because the data subject had submitted the same request in an unstructured way through 3 different channels. The data subject later made a second account specifically to request his personal data again. This account had also to be deleted afterwards. The controller provided the personal data and deleted the account.
After inquiries from the DPA, the controller stated that based on security considerations, it was preferred that clients would submit requests using the in-app messages with the controller’s application. This way, it would be best ensured that the request was made by the holder of the account. The controller stated that it would do its best to answer request via other channels such as e-mail as well.
Complaint 3: Polish Data subject
The second Polish data subject requested the controller to delete her personal data. However, the controller asked for a picture of herself with her ID in order to complete the deletion.
The Data subject filed a complaint with the Polish DPA on 4 February 2019.
The controller explained that it had reasonable doubt about the identity of the data subject and that it was therefore allowed to request additional information necessary in order to confirm the identity of the data subject (Article 12(6) GDPR)). The data subject had contacted the controller through mail, and not through its application. As such, the controller had to verify the identity of the data subject. For requests made through the controller's application, no such verification was required. The controller also stated that it had deleted the account of the data subject on 22 October 2019.
Holding
Complaint 1: Latvian Data subject
The DPA determined that the controller responded to the request of the data subject and provided the information the data subject had requested. However, the DPA determined that the controller could have responded in a more in-depth manner to the access request. The DPA ever stated that the controller should make responses to data subject more clear in general.
Because of the fact that the controller provided more specific answers to the complaint after inquiries of the DPA, the latter found that a reprimand pursuant of Article 58(2)(b) GDPR was appropriate.
The DPA drew attention to the fact that pursuant of Article 5(1)(a) GDPR, data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It was also important that persons are not provided misleading information concerning the processing of data (including the deletion of data). The DPA stated that the controller did not have to change the email address according to the wishes of the data subject because it could infringe copyright of the controller. The controller also reiterated the data subject’s right of erasure under Article 17 GDPR.
Complaint 2: Polish data subject
The DPA stated that the controller responded to the request of the data subject. However, the DPA also stated that the abundance of communication channels (In-app messages and e-mail) had created communication problems. It was therefore reasonable to direct customers with an account to make their intentions clear through the application. However, The DPA also stated that the controller could have been more transparent about its processing. In its answers to the data subject. The DPA stated that the controller has to reply to the data subject within one month based on Article 12(3) GDPR). If the request had been fulfilled faster and directly to the data subject, there would have not been complaint in the first place. The DPA determined that a reprimand pursuant of Article 58(2) GDPR was necessary because the data subject is entitled to ask about information collected about them. The DPA specifically reprimanded the controller for not sending a copy to the data subject of its first account. The DPA also drew attention to Article 5(1)(a) GDPR and Article 17 GDPR, in the same way it did with Complaint 1.
Complaint 3: Polish data subject
Regarding the last complaint, the DPA confirmed that the account of the data subject had been deleted, so the breach was eliminated. However, it held again that the data processing could have been more transparent.
the DPA stated that the controller may request additional information to verify the identity of a data subject pursuant to Article 12(6) GDPR when there is reasonable doubt about the identity. It also stated again that the abundance of communication channels had created communication problems. The DPA also stated that it had made it more difficult to identify users in communication outside the application. It was therefore reasonable to direct customers with an account to use the application.
However, the DPA also reprimanded the controller (Article 58(2)(b) GDPR because it could have explained the legal grounds of its processing for the ID card better and why it was necessary to present an ID card in the first place. The DPA also drew attention again to Article 5(1)(a) GDPR and Article 17 GDPR, in the same way it did with Complaint 1 and 2.
The DPA terminated this supervisory proceeding.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
INTERNALUSE ONLY Authorityofinformation:DataProtection Inspectorate Markmade:18.02.2022 Access restrictionapplies to:18.02.2097 Legalground:AvTS§35lg 1p 12 Final decisionarticle 60 Data controller Complainants , and Reprimand in a personal data protection matter Notice of termination of proceedings 1. Complaint of 1.1.On 4 November 2019, the Estonian data protection authority (the Data Protection Inspectorate) received the complaint of through the IMI system, which was submitted to the inspectorate by the Latvian data protection authority. wanted to receive information on the data collected in regard to him, including his contact data, location details, purposes of data processing, the processing method used, where and how the personal data of the complainant is retained, and when the data of the complainant was last changed. The Estonian DPAaskedthe Latvian DPA for more information about the complaint severaltimes. 2. The correspondence betweenthe datacontrollerand the data subject 2. In the course of the supervision proceedings, forwarded to the inspectorate the emails of the complainant , his various requests, and the related metadata. 2.1.The complainant contacted the data controller ( ) on 28 September 2018, using the email address and writing a complaint in Latvian. The inspectorate is not aware of the contents of the requests, due to the requests being made in Latvian. 2.2.It appears to the inspectorate that responded to the request of the complainant on 28 October 2018 and forwarded to the complainant the documents concerning the complainant. 2.3.One of the emails does not open forthe inspectorate. It appears,however, that itself approached the complainant on 3 November 2018 – this correspondence also includes ’ own request. Once again, the content of the requestis difficult tounderstand. 2.4.The complainant contacted again on 5 November 2018. 2.5. answeredon 7 November 2018. 2.6.The complainant contacted on30 November 2018. The complainant did not receive a reply to this request. 2.7.The complainant contacted again on 2 January 2019. Tatari39 /10134 Tallinn /627 4135 / info@aki.ee/ www.aki.ee /Registrycode70004235 2.8. replied to the complainant’s email on 2 January 2019. 2.9.The complainant contacted again on 9 May 2019. has not attached any other documents concerning emails. 2.10. Additionally, has enclosed the complainant’s communication from 25 June 2019, which is in Latvian. The inspectorate is unable to understand to whom the communication is addressed. The complainant has contacted someone also on 30 July 2019; there is a reference in the subject line to . The third PDFdocument is entitled ‘ reply’ – presumably, this document includes the response of the data controller to the complainant’s requests. 2.11. The inspectorate asked the Latvian supervisory authority for clarification twice to understand what specifically the complainant requested; the inspectorate also asked to translate the complaint in Latvian into English. 3. Inquiries of the inspectorate to 3. The inspectorate then sent an inquiry to the data controller on 8April 2020. 3.1.The data controller replied on 5June 2020, apologising fornot responding to the inquiry of the Data Protection inspectorate on time on 8 April 2020 and thanking for the extension of the term. 3.2.The data controller confirmed that the user is identifiable by way of the inquiries made to the Customer Service and the emails exchanged between the complainant and the email address ( ). 3.3.To the knowledge of the data controller, does not currently have any active user accounts. Regardless of ’s ability/inability to identify , it is therefore not feasible to change the complainant’s email address. Should createa new accountand request thatit be linked to the aforementioned email address, reserves the right to refuse such a request, as the use of the word ‘ ’ in the email address may infringe ’s rights as the holder of a registered trade mark, the name may be misleading because of its other components, and therefore, it is unjustified to acceptthe aforementioned request. 3.4.The data controller added that, for reasons of data security, their preference is for customers to submit requests to close a user account and to transfer the collected data via in-app messages. This way, it is ensured in the best possible way that the actual owner of the user account is behind the request. For its part, does its best to grant the requests received through other channels (email). This requires additional manual work on the part of the customer support, which is open to human error due to the large number of customers, especially if the customer uses several user accounts and more than one channel to make different requests. The combination of the following actions is likely to yield the best results: a) making the submission of data subjects’ requests under the General Data Protection Regulation as simple, comprehensible, and convenient as possible whenusing in-app messages;b) promoting the use of the app for the above purpose among ’s customers, highlighting the advantages of the provided channel and the disadvantages of the alternative channels. 3.5.The inspectorate forwarded a new inquiry to the data controller on 13 May 2020. The inspectorate requestedthat the complainant be provided with all information concerning 2(11) the complainant, including the information that the complainant referred to. A request was also made to submit to the inspectorate a copy of the reply to the complainant together with the data file issued to the complainant. 3.6.The data controller replied on 26 May 2020 regarding the complaint made by as follows: 3.7. was provided with data about them in CSV format on 28 October2018. The purposes of processing the data were described in 2018 (as is done currently in ’s Privacy Policy, available at ). The data retention response was forwarded to on 7 November 2018 and the response log was sent in the response dated 28 October 2018. Information about was appended as an attachment to the reply given to the inspectorate. 4. Positionof the Data ProtectionInspectorate 4.1. The Estonian Data Protection Inspectorate finds that the data controller has responded to the complaint and handed out information the complainant asked. 4.2. The data controller has cooperated with the inspectorate (provided detailed responses to enquiries, forwarded the emails exchanged with complainants, as well as metadata). Therefore, it would be reasonable to reprimand the data controller in accordance with the GDPR and terminate the proceeding. 4.3. In regard to complaint , the complainant wished to receive information on the data collected in regardto them, including their contact data,location details, purposes of data processing, the processing method used, where and how the personal data of the complainant is retained, and when the data of the complainant was last changed. During the proceeding, the data controller has explained which data was collected in regard to complainant and clarified that the email address of the complainant cannot be changed to contain an email address referring to the data controller, as this would entail a copyright infringement 4.4. The data controller explained that based on the data security considerations, it is preferred that clients submit requests for deleting their user account or forwarding the data collected via in-app messages. That way, it can be best ensured that the request is indeed made by the actualholder ofthe useraccount. shall, in turn, do its best to support the satisfaction of requests received via other channels (email) as well. 4.5. The data controller has sent the metadata to the inspection and clarified that ’ user accounthas beendeleted. The data controller said that it is necessaryby law and with legitimate interest to retain certain data, e.g. accounting documents. 4.6. The inspectorate finds that data processing could have been more transparent. At the intervention of the inspectorate, the data controller provided more detailed and specific answers to the complainant. This is why a reprimand is appropriate as a result of the proceeding. 5. Decisionofthe inspectorate inthe complaint of 5.1. The Estonian DataProtection Inspectorate finds thatwhenprocessing personal data, the controller shall ensure that the data is processed lawfully, fairly, and in a transparent 3(11) manner in relation to the data subject (Article 5 (1) a) of the General Data Protection Regulation). cannot be held responsible for not changing the complainant’s email address to – it might bring up copyright issues because the email address refers to ‘ ’. 5.2. In addition, has to reply to data subjects in a more explained way, in the sense that the data subject receives their answer in depth about what data has been collected, how, when, and through what information channels. has to make the responses more clear to the data subjects in general. 6. The EstonianData ProtectionInspectorate issues areprimand to the data controller underArticle 58 (2)b) of the GeneralData ProtectionRegulation and draws attentionto the following: 6.1. When processing personal data, the controller shall ensure that the data is processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5 (1) a) of the General Data Protection Regulation). It is also important that persons are not provided misleading information concerning the processing of data (including the deletion of data). 6.2. The data subject has a right to request the deletion of, for instance, an account as well as other personal data concerning this person without undue delay. They also have the right to demand this if there is no legal basis for the processing of data. The personal data shall be deleted without delay pursuant to Article 17 of the General DataProtection Regulation. 7. Complaint of 7.1. On2 January 2020, the Estonian Data Protection Inspectorate received the complaint of through the IMI system, which was submitted to the inspectorate by the Polish data protection authority. The complainant had turned to the Polish data protection authority on 25 June 2019. 7.2. According to the complaint, the citizen wanted to delete their user account and personal data from the system. Prior to that, the complainant had wantedto receive information collected about themselves. The complainant sent aletter to on 16 May 2019 requesting to delete their personal data. This letter was sent to the email addresses , and . The complainant was told by customer support that the deletion of data would take place through the application. The complainant adds that by the time of contacting ’s Polish customer support, the complainant had already deleted the application. The complainant wants to see the data collected about the complainant. 8. The correspondence betweenthe datacontrollerand data subject 8.1. On 16 May 2019, the data subject wrote the following to the controller: In accordance with the point “8.Deletion” of “Privacy for Passengers” and in the article 17 of GDPR,I hereby requestto permanently delete my account, Iwithdraw all consents to the processing of any of my personal data and I request to delete all data collected about me. Beforehand, in accordance with the point “9. Portability” of “Privacy Policy for Passengers” andrelevant regulations of GDPR, please send to my e-mail aadress or via another agreedchannel all the data collected about me. 4(11) 8.2. replied on 19 May 2019 that for the account to be deleted, the request must be sent through the application (from ). 8.3. Somehow, there is a response on 16 of May 2019 from , which says, “We are currently struggling with a significant number of incoming reports; out responses can therefore reachyou later than usual.” (It might be an automatic response). 8.4. On 19 May 2019, the data subject sent an email to , saying the following: I’m sorry, but you did not understand my request. You also did not checkthe exactstatus of my account (I submitted a request to delete my account in the application already on 16 May, and especially for you, I just createdan account and re-submitted a request to delete it). Deleting the account is just one element of my request. I am waiting for the next part to be completed. First of all, you have not read or understood my previous message. Please read and understand my request from 16 May 2019, in particular regarding the erasure of collected data. Before that, I recommend you familiarize with your own Privacy Policy and provisions of GDPR. In the event of failing to fulfil its statutory obligation, the matter will be refferedto the President of UODO (Personal Data Protection Office). Let me remind you that a fine up to EUR 20 million and up to 4% of the total annual turnover of the preceding financial year may be imposed for breaching the provisions of the GDPR. Please treatmy request from the previous email carefully, seriously and consider it with due diligence. 8.5. On 21 May 2019, the data subject once again wrote to the data controller: Mrs , I assure you that I got acquinted with it. I see,however, that we do not understand each other, therefore I want to end my correspondence with you at this point. I consider my request still unsolved by the office in Warsaw. I inform you that I will await for a response from competent individuals within your organization (i.e Data Protection Officer at until June 16. All messages in this correspondence were also sent to him and to customer support ( ). In case of further evasion of the obligation imposed by the GDPR, on 17 June 2019, an adequate letter will be sent to the UODO. 9. Inquiries of the inspectorate to 9.1. The inspectorate then sent an inquiry to the data processor on 8 April 2020. The Polish complainant has contacted forclarification and deletion of the data, but they are not satisfied with the answers provided. Polish national, , requests a copy of the data collected about them and allegedly not sentto them by . The inspectorate asked to forward all information and data collected on the Polish citizen, . Additionally, the inspectorate requested to delete data that could be deleted by in relation to and provide the inspectorate an explanation regarding this (which data was deleted). 9.2. replied on 5 May 2020: In answering this question, weaskthe DataProtection Inspectorate to specify the details of the transmission of the information and data collected (addressee, method and channel of transmission, if the Data Protection Inspectorate has any preferences in this regard). In particular, does the Data Protection Inspectorate: a) request that the information and data be provided directly to or b) want the information and data to be transmitted to an official designated by the Data Protection 5(11)Inspectorate, whose personal identification code could be used by to encrypt the information and data transmitted? Please indicate the above preference for the transmission of information and data no later than by 8 May 2020. In the absence of input, will forward the collected information and data directly to by email no later than 8 May 2020 and will share with the Data Protection Inspectorate the email confirming the transmission. 9.3. We have clarified in our previous cooperation with the Data Protection Inspectorate (see our answer to inquiry 2.1-1/19/1946 of the Data Protection Inspectorate) that the deletion process includes the following actions: -the useris logged out ofthe application (force logout); - first name and surname are deleted (fields are left blank); - the email address is deleted (the field is cleared); - the telephone number is replaced by a sequence of random numbers; all communication with the customer (especially the newsletter) is prohibited; - the deletion command is transmitted to the associated systems (communication platforms). 9.4. The user was identified through customer service inquiries and emails. Based on these and ’s information system logs, the chronology of user-related actions is as follows: Account 1: 06.09.2018 – creation of the account (account_no: ) Account 1: 11.05.2019 – account deletion request (in-app request) Account 1: 16.05.2019 – account is deleted, information is provided to the customer. The customer does not notice the confirmation of account deletion. Account 2: 19.05.2019 – a new request from the customer to delete the account is sent by email and instructions for making an in-app request are sent to the user. Account 2: 19.05.2019 – the customer creates a new account (account_no: ) and sends an in-app request for the new account to be deleted. Account 2: 21.05.2019 – customer service sends an in-app confirmation message that the account will be deleted within 30 days. Account 2: 25.05.2019 – the new account is deleted. ’s inquiries were answered, the deletion of accounts was performed more quickly than required under Article 12 (3) of the General Data Protection Regulation. In summary, the requests for deleting the in-app user account were granted on 16 May 2019 and25 May 2019 –however, the requestsetout in point (ii) wasdifficult to comply with and it was not fulfilled. The following contributed to this result: a) the abundance of communication channels and the customer’s statements of intent; b) the fact that ’s customer service may have assumed that the scope of the customer’s later statement of intent (19 May 2019 in-app request) (delete only the user account) may take precedence over the scope of the customer’s previous statement of intent (19 May 2019 email; deletion and prior transmission of the data collected). A further analysis of the communication related to this complaint indicates that the customer’s actual statement of intent included the transmission of the data collected about them. Further internal investigation will allow to fulfil the customer’s actual request, which we want to achieve no later than 8 May 2020, by forwarding the requested data to the email address of 9.5. The inspectorate forwarded a new inquiry to on 13 May 2020, requesting that the inspectorate be provided with the information provided to in connection with their complaint. At that point, a third complaint, by , came to the attention of the inspectorate, and the inspectorate asked for clarification. 9.6. answeredon 19 May 2020 forwarding the reply sentto on 8 May 2020. also included all the data that had collected on 6(11) Regulationand draws attentionto the following: 12.1. When processing personal data, the controller shall ensure that the data is processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5 (1) a) of the General Data Protection Regulation). It is also important that persons are not provided misleading information concerning the processing of data (including the deletion of data). 12.2. The data subject has a right to request the deletion of, for instance, an account as well as other personal data concerning this person without undue delay. They also have the right todemand this if there is no legal basis for the processing of data. The personal data shall be deleted without delay pursuant to Article 17 of the GeneralDataProtection Regulation. 13. Complaint of 13.1. turned to the Polish data protection authority on 4 February 2019 to delete her account, but to do so, she was asked to provide a picture of herself with an ID-card. In her initial complaint to Poland, the complainant wrote that on 5 January 2019, she requested that delete her personal data. The complainant has not specified whether she is driver or a customer. The complainant wrote to the email address . 14. The correspondence betweenthe datacontrollerand data subject 14.1. The correspondence between the complainant and shows that on 5 January 2019, the complainant wrote that she wished to delete her account: 1.1. 5 January, 17:46 EET I resign. Please erase my e-mail and phone number from your database. 5 January, 18:34 EET Good morning, Certainly, I will satisfy your request, however I would like to inquire whatis the reason for the resignation from our services? Are you certain you wish to delete your account? 5 January, 18:42 EET I am certain. The reason is the multitude of notifications about discount (SMS, mail, app notifications). 5 January, 19:02 EET The deletion of your phone number can be done only if your entire account will be deleted. There is a possibility to only cancelthe notifications, so they don’t disturb you anymore. Therefore, what do you choose, cancellation of the notifications or the deletion of the entire account? 5 January, 19:04 EET What do you mean by ‘cancellation of notifications’? 8(11) 5 January, 19:09 EET Right now your setting regarding the receipt of notifications and messages is turned on. I can turn it off, so that all the offers will be blocked. The only messages you will receive would be the ones concerning the confirmations of fares, which is required by law. 5 January, 19:12 EET Ok. Please, delete my account. 6 January, 08:29 EET Good morning, Ok, I will get to it right away. The last thing I need to ask you is your clear photograph with an ID card close to your face (all this data will be deleted with the account) so that I can confirm your identity. It is necessaryat this moment, so that I can continue. 20.03.2019, the complainant further contacted the Polish data protection authority, explaining that they did not know where to turn. They added the address and contacts of the data controller, noting that the violation related to their contact details. 15. Inquiries of the Inspectorate to 15.1. The Inspectorate sent an inquiry to the data controller on 13 May 2020 as to the legal basis on which the complainant is obliged submit a picture of themselves together with their ID-cardto delete their account. 15.2. replied on 26 May 2020: ‘Pursuant toArticle 12 (6) of the GDPR, where the data controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessaryto confirm the identity of the data subject. The legal basis for processing the image and the ID-card is the legitimate interest of as the data controller. Providing a picture and ID-card helps to prevent fraud and allows to identify the person requesting the deletion of the account. This will also prevent a potentially more significant violation that would result from the deletion of data at the request of the wrong person. However, prefers to receive the data subject’s request for deletion through the application, which does not require additional information. Additional information in the form ofa picture andID-cardis required only if identification inside the application is unsuccessful. ’s account has been deleted as at22 October 2019.” 16. Positionofthe Data ProtectionInspectorate 16.1. The Estonian Data Protection Inspectorate finds that the data controller has responded to the complainant and cooperated with the inspectorate (provided detailed responses to enquiries, forwarded the emails exchanged with complainants, as well as metadata). Therefore, it would be reasonable to reprimand the data controller in accordance with the GDPR and terminate proceedings regarding the 9(11) complainant. 16.2. The data controller explained that based on the data security considerations, it is preferred that clients submit requests for deleting their user account or forwarding the data collected via in-app messages. That way, it can be best ensured that the request is indeed made by the actualholder of the useraccount. shall, in turn, do its best to support satisfaction of requests received via other channels (email) aswell. 16.3. The account of has beendeleted, sothe breachhas beeneliminated. 16.4. The inspectorate finds that data processing could have been more transparent. At the intervention of the inspectorate, the data controller provided more detailed and specific answers to the complainant. The data controller should have beenclearer about the factwhy and on what legal grounds it is necessaryto present anID-card. Therefore, a reprimand to the data controller is needed. This is why a reprimand is appropriate as a result of the proceeding. The complaints have indicated that if the data subject takes the necessary steps inside the application to express theirwill, be it to access the data collected, close the account, or make any otherrequest, communicationbetweenthe data subject and will then function better. The abundance of communication channels has createdcommunication problems. Itis also more difficult to identify the user and their identity when the communication takes place outside the application. Therefore, it is reasonable for to direct customers with an account to make theirdeclarations of intentthrough the application. 17. Decisionconcerning complaint 17.1. Concerning ’s complaint, The Estonian Data Protection Inspectorate finds that has the right to ask for the ID-cardpursuant toArticle 12 (6) of the GDPR. has made clear that without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessaryto confirm the identity of the data subject. 17.2. The data controller also has made clear that it does not ask for an ID-card when the inquiries are made in the application and are completed successfully. An ID-card is requested when the inquiries in the application have failed. only asked for the ID- card to protect sensitive information collected about the complainant. The data controller had to make sure that the person asking information is really the real user. The data controller has made an effort to protect the data. However, the data controller has to explain exactly why and on what legal grounds the ID-cardis being asked. 18. The Estonian Data ProtectionInspectorate issuesa reprimand to the data controller under Article 58 (2) b) of the General Data Protection Regulation and draws attentionto the following: 18.2. When processing personal data, the controller shall ensure that the data is processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5 (1) a) of the General Data Protection Regulation). It is also important that persons are not provided misleading information concerning the processing of data (including the deletion of data). 10 (11) 18.2. The data subject has a right to request the deletion of, for instance, an account as well as other personal data concerning this person without undue delay. They also have the right to demand this if there is no legal basis for the processing of data. The personal data shall be deleted without delay pursuant to Article 17 of the General DataProtection Regulation. 18.3. The controller is obligated to explain why certaindocuments are required from the complainant (e.g. ). The data controller could have explained to the complainant in more detail why and under what legal basis they requested them to provide a copy of their ID-card. This could have prevented the submission of a complaint to the supervisory authority. In view of the above, we shall terminate the supervisory proceeding. This decision may be challenged within 30 days by submitting one of the two: - A challenge to the Director General of the Estonian Data Protection Inspectorate pursuant to the Administrative Procedure Act , or - Anappealto anadministrative court under the Code ofAdministrative Court Procedure 2 (in this case,the challenge in the same matter canno longer be reviewed). Respectfully Lawyer Authorised by the Director General 1 2https://www riigiteataja.ee/en/eli/527032019002/consolide https://www riigiteataja.ee/en/eli/512122019007/consolide 11(11)