AKI (Estonia) - 18.02.2022: Difference between revisions
(Added comments) |
m (Ar moved page AKI (Estonia) - 18.02.2097 to AKI (Estonia) - 18.02.2022) |
||
(15 intermediate revisions by 2 users not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
In an Article 60 procedure, | In an [[Article 60 GDPR]] procedure, the Estonian DPA handled three complaints regarding the same controller. The DPA reprimanded the controller for not adequately responding to data subject's requests. The authority also held that requesting an ID for verification purposes is acceptable when there is reasonable doubt about the data subject's identity ([[Article 12 GDPR#6|Article 12(6) GDPR]]). | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The Estonian DPA acted a lead supervisory authority for three different complaints regarding the same controller. | The Estonian DPA (DPA) acted as a lead supervisory authority for three different complaints regarding the same controller. Although not specifically disclosed, the controller seemed to be a transportation service. | ||
<u>Complaint 1: Latvian | <u>Complaint 1: Latvian data subject</u> | ||
The data subject contacted the controller by e-mail (in Latvian) on 28 September 2018, followed by several follow-ups. At a certain point (not clear from decision), the data subject filed a complaint at the Latvian DPA because he wanted to receive information regarding data collected about him. The Latvian DPA transferred this complaint on 4 November 2019 to the Estonian DPA. The DPA also send several inquiries to the controller in 2020. The controller stated that the data subject had already received the requested data and information on 28 October 2018. | |||
<u>Complaint 2: Polish data subject 1</u> | |||
This Polish data subject sent e-mails to three different e-mail addresses on 16 may 2019, requesting access and erasure of his personal data. The data subject also used the application of the controller to request erasure. The controller deleted the account of the data subject but was not able to provide access to personal data. There seemed to be a lot of miscommunication between the data subject and the controller. The controller stated for example that the data subject had not read the confirmation of deletion of the ''first account'', while the data subject created a ''second account'' to request erasure again. This second account was later also deleted by the controller, without providing access. On 25 June 2019, the data subject filed a complaint at the Polish DPA, which transferred the complaint to the Estonian DPA on 2 January 2020. After several inquiries by the latter, the controller admitted that it had not been able to comply with the access request, amongst other things caused by the abundance of communication channels. The controller stated it was preferred that data subjects would submit requests using the controller’s application to be sure that requests were made by the holder of the account. After another inquiry by the DPA, the controller was able to provide the data subject with the requested information. | |||
<u>Complaint | <u>Complaint 3: Polish data subject 2</u> | ||
On 5 January 2019, the second Polish data subject requested the controller to erase her personal data. However, the controller asked for a picture of the data subject with her ID in order to complete the deletion. The data subject filed a complaint with the Polish DPA on 4 February 2019. It is not clear when the decision was transferred to the Estonian DPA. After an inquiry by the latter, the controller explained that it had reasonable doubt about the identity of the data subject and was therefore allowed to request additional information to confirm the identity of the data subject ([[Article 12 GDPR#6|Article 12(6) GDPR)]]. The data subject contacted the controller through e-mail. For requests made through the controller's application, ID-verification was not required. The controller also clarified that its legal basis for processing the image and the ID-card was legitimate interest and that this ID-verification would prevent deleting the data of the wrong data subject. The controller also confirmed that it had already deleted the account of the data subject on 22 October 2019. | |||
The | |||
=== Holding === | === Holding === | ||
<u>Complaint 1: Latvian Data subject</u> | <u>Complaint 1: Latvian Data subject</u> | ||
The DPA determined that the controller | The DPA determined that the controller had provided the requested information to the data subject but that the processing could have been more transparent. The controller had to make its replies more clear in general. Specifically, it had to reply in depth about ''what'' data has been collected, ''how'' data was collected, ''when'' data was collected and ''through what information channels''. Because of the fact that the controller provided more specific answers after inquiries of the DPA, the latter found a reprimand pursuant of [[Article 58 GDPR#2b|Article 58(2)(b)]] GDPR appropriate. The DPA also stated that the controller did not have to change the email address because it could infringe its copyright. | ||
Because of the fact that the controller provided more specific answers | |||
<u>Complaint 2: Polish data subject</u> | <u>Complaint 2: Polish data subject</u> | ||
The DPA | The DPA stated that the abundance of communication channels had created communication problems. It was therefore reasonable for the controller to direct customers with an account to submit their requests using the application. The DPA determined that the personal data had been handed to the data subject and was deleted afterwards. The DPA still stated that the controller could have been more transparent about its processing. The controller should have been been more precise when answering data subject's requests. The DPA stated that the controller was able to provide personal data to an identified data subject, and that it was not necessary for the DPA to start a procedure to achieve this. Despite the fact that the controller provided the information, the DPA deemed it necessary to reprimand the controller pursuant of [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] because the data subject was entitled to ask about information collected about them, and the controller had to reply to the data subject within one month ([[Article 12 GDPR#3|Article 12(3) GDPR]]). On the mitigating side, the reprimand was also reasonable because the controller had responded to the complainant and had cooperated with the DPA. | ||
<u>Complaint 3: Polish data subject</u> | <u>Complaint 3: Polish data subject</u> | ||
The DPA confirmed that the account of the data subject had been deleted, so the breach was eliminated. However, the DPA stated again that the data processing could have been more transparent. The controller should have explained the legal grounds of its processing for the ID card better and it should have explained why it was necessary to request an ID card. However, without prejudice to [[Article 11 GDPR|Article 11 GDPR,]] the controller was allowed to request additional information to verify the identity of a data subject pursuant to [[Article 12 GDPR#6|Article 12(6) GDPR]] when it has reasonable doubt about the identity. The DPA also stated that the abundance of communication channels had made it more difficult for the controller to identify users outside the application. It was therefore reasonable to direct customers with an account to use the application for requests. The DPA also reprimanded the controller ([[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]). The reprimand was again deemed appropriate because the controller provided more specific answers to the complaint after inquiries of the DPA. | |||
== Comment == | |||
The controller seems to be some sort of transportation service. In paragraph 13.1, it is stated that the data subject did not specify whether or not she was a '''driver or customer''<nowiki/>'. | |||
Regarding the investigation of the first complaint, the Estonian DPA stated that it had difficulty acquiring information and translations from the Latvian DPA. It was not able to understand the contents of the original request of the data subject. It does not become clear in this decision whether or not the Latvian DPA actually provided the assistance the Estonian DPA requested. | |||
In all three complaints, the DPA issues a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. After this, the DPA draws attention to the fact that pursuant of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It was also important that persons are not provided with misleading information concerning the processing of data (including the deletion of data). The DPA also reiterated the data subject’s right of erasure under [[Article 17 GDPR]] at the end of all of the three complaints. | |||
== Further Resources == | == Further Resources == |
Latest revision as of 10:27, 13 December 2023
AKI - 18.02.2097 | |
---|---|
Authority: | AKI (Estonia) |
Jurisdiction: | Estonia |
Relevant Law: | Article 5(1) GDPR Article 5(1)(a) GDPR Article 12(6) GDPR Article 60 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 04.11.2019 |
Decided: | 18.02.2022 |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 18.02.2097 |
European Case Law Identifier: | EDPBI:EE:OSS:D:2022:333 |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | Enzo Marquet |
In an Article 60 GDPR procedure, the Estonian DPA handled three complaints regarding the same controller. The DPA reprimanded the controller for not adequately responding to data subject's requests. The authority also held that requesting an ID for verification purposes is acceptable when there is reasonable doubt about the data subject's identity (Article 12(6) GDPR).
English Summary
Facts
The Estonian DPA (DPA) acted as a lead supervisory authority for three different complaints regarding the same controller. Although not specifically disclosed, the controller seemed to be a transportation service.
Complaint 1: Latvian data subject
The data subject contacted the controller by e-mail (in Latvian) on 28 September 2018, followed by several follow-ups. At a certain point (not clear from decision), the data subject filed a complaint at the Latvian DPA because he wanted to receive information regarding data collected about him. The Latvian DPA transferred this complaint on 4 November 2019 to the Estonian DPA. The DPA also send several inquiries to the controller in 2020. The controller stated that the data subject had already received the requested data and information on 28 October 2018.
Complaint 2: Polish data subject 1
This Polish data subject sent e-mails to three different e-mail addresses on 16 may 2019, requesting access and erasure of his personal data. The data subject also used the application of the controller to request erasure. The controller deleted the account of the data subject but was not able to provide access to personal data. There seemed to be a lot of miscommunication between the data subject and the controller. The controller stated for example that the data subject had not read the confirmation of deletion of the first account, while the data subject created a second account to request erasure again. This second account was later also deleted by the controller, without providing access. On 25 June 2019, the data subject filed a complaint at the Polish DPA, which transferred the complaint to the Estonian DPA on 2 January 2020. After several inquiries by the latter, the controller admitted that it had not been able to comply with the access request, amongst other things caused by the abundance of communication channels. The controller stated it was preferred that data subjects would submit requests using the controller’s application to be sure that requests were made by the holder of the account. After another inquiry by the DPA, the controller was able to provide the data subject with the requested information.
Complaint 3: Polish data subject 2
On 5 January 2019, the second Polish data subject requested the controller to erase her personal data. However, the controller asked for a picture of the data subject with her ID in order to complete the deletion. The data subject filed a complaint with the Polish DPA on 4 February 2019. It is not clear when the decision was transferred to the Estonian DPA. After an inquiry by the latter, the controller explained that it had reasonable doubt about the identity of the data subject and was therefore allowed to request additional information to confirm the identity of the data subject (Article 12(6) GDPR). The data subject contacted the controller through e-mail. For requests made through the controller's application, ID-verification was not required. The controller also clarified that its legal basis for processing the image and the ID-card was legitimate interest and that this ID-verification would prevent deleting the data of the wrong data subject. The controller also confirmed that it had already deleted the account of the data subject on 22 October 2019.
Holding
Complaint 1: Latvian Data subject
The DPA determined that the controller had provided the requested information to the data subject but that the processing could have been more transparent. The controller had to make its replies more clear in general. Specifically, it had to reply in depth about what data has been collected, how data was collected, when data was collected and through what information channels. Because of the fact that the controller provided more specific answers after inquiries of the DPA, the latter found a reprimand pursuant of Article 58(2)(b) GDPR appropriate. The DPA also stated that the controller did not have to change the email address because it could infringe its copyright.
Complaint 2: Polish data subject
The DPA stated that the abundance of communication channels had created communication problems. It was therefore reasonable for the controller to direct customers with an account to submit their requests using the application. The DPA determined that the personal data had been handed to the data subject and was deleted afterwards. The DPA still stated that the controller could have been more transparent about its processing. The controller should have been been more precise when answering data subject's requests. The DPA stated that the controller was able to provide personal data to an identified data subject, and that it was not necessary for the DPA to start a procedure to achieve this. Despite the fact that the controller provided the information, the DPA deemed it necessary to reprimand the controller pursuant of Article 58(2)(b) GDPR because the data subject was entitled to ask about information collected about them, and the controller had to reply to the data subject within one month (Article 12(3) GDPR). On the mitigating side, the reprimand was also reasonable because the controller had responded to the complainant and had cooperated with the DPA.
Complaint 3: Polish data subject
The DPA confirmed that the account of the data subject had been deleted, so the breach was eliminated. However, the DPA stated again that the data processing could have been more transparent. The controller should have explained the legal grounds of its processing for the ID card better and it should have explained why it was necessary to request an ID card. However, without prejudice to Article 11 GDPR, the controller was allowed to request additional information to verify the identity of a data subject pursuant to Article 12(6) GDPR when it has reasonable doubt about the identity. The DPA also stated that the abundance of communication channels had made it more difficult for the controller to identify users outside the application. It was therefore reasonable to direct customers with an account to use the application for requests. The DPA also reprimanded the controller (Article 58(2)(b) GDPR). The reprimand was again deemed appropriate because the controller provided more specific answers to the complaint after inquiries of the DPA.
Comment
The controller seems to be some sort of transportation service. In paragraph 13.1, it is stated that the data subject did not specify whether or not she was a 'driver or customer'.
Regarding the investigation of the first complaint, the Estonian DPA stated that it had difficulty acquiring information and translations from the Latvian DPA. It was not able to understand the contents of the original request of the data subject. It does not become clear in this decision whether or not the Latvian DPA actually provided the assistance the Estonian DPA requested.
In all three complaints, the DPA issues a reprimand under Article 58(2)(b) GDPR. After this, the DPA draws attention to the fact that pursuant of Article 5(1)(a) GDPR, data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It was also important that persons are not provided with misleading information concerning the processing of data (including the deletion of data). The DPA also reiterated the data subject’s right of erasure under Article 17 GDPR at the end of all of the three complaints.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
INTERNALUSE ONLY Authorityofinformation:DataProtection Inspectorate Markmade:18.02.2022 Access restrictionapplies to:18.02.2097 Legalground:AvTS§35lg 1p 12 Final decisionarticle 60 Data controller Complainants , and Reprimand in a personal data protection matter Notice of termination of proceedings 1. Complaint of 1.1.On 4 November 2019, the Estonian data protection authority (the Data Protection Inspectorate) received the complaint of through the IMI system, which was submitted to the inspectorate by the Latvian data protection authority. wanted to receive information on the data collected in regard to him, including his contact data, location details, purposes of data processing, the processing method used, where and how the personal data of the complainant is retained, and when the data of the complainant was last changed. The Estonian DPAaskedthe Latvian DPA for more information about the complaint severaltimes. 2. The correspondence betweenthe datacontrollerand the data subject 2. In the course of the supervision proceedings, forwarded to the inspectorate the emails of the complainant , his various requests, and the related metadata. 2.1.The complainant contacted the data controller ( ) on 28 September 2018, using the email address and writing a complaint in Latvian. The inspectorate is not aware of the contents of the requests, due to the requests being made in Latvian. 2.2.It appears to the inspectorate that responded to the request of the complainant on 28 October 2018 and forwarded to the complainant the documents concerning the complainant. 2.3.One of the emails does not open forthe inspectorate. It appears,however, that itself approached the complainant on 3 November 2018 – this correspondence also includes ’ own request. Once again, the content of the requestis difficult tounderstand. 2.4.The complainant contacted again on 5 November 2018. 2.5. answeredon 7 November 2018. 2.6.The complainant contacted on30 November 2018. The complainant did not receive a reply to this request. 2.7.The complainant contacted again on 2 January 2019. Tatari39 /10134 Tallinn /627 4135 / info@aki.ee/ www.aki.ee /Registrycode70004235 2.8. replied to the complainant’s email on 2 January 2019. 2.9.The complainant contacted again on 9 May 2019. has not attached any other documents concerning emails. 2.10. Additionally, has enclosed the complainant’s communication from 25 June 2019, which is in Latvian. The inspectorate is unable to understand to whom the communication is addressed. The complainant has contacted someone also on 30 July 2019; there is a reference in the subject line to . The third PDFdocument is entitled ‘ reply’ – presumably, this document includes the response of the data controller to the complainant’s requests. 2.11. The inspectorate asked the Latvian supervisory authority for clarification twice to understand what specifically the complainant requested; the inspectorate also asked to translate the complaint in Latvian into English. 3. Inquiries of the inspectorate to 3. The inspectorate then sent an inquiry to the data controller on 8April 2020. 3.1.The data controller replied on 5June 2020, apologising fornot responding to the inquiry of the Data Protection inspectorate on time on 8 April 2020 and thanking for the extension of the term. 3.2.The data controller confirmed that the user is identifiable by way of the inquiries made to the Customer Service and the emails exchanged between the complainant and the email address ( ). 3.3.To the knowledge of the data controller, does not currently have any active user accounts. Regardless of ’s ability/inability to identify , it is therefore not feasible to change the complainant’s email address. Should createa new accountand request thatit be linked to the aforementioned email address, reserves the right to refuse such a request, as the use of the word ‘ ’ in the email address may infringe ’s rights as the holder of a registered trade mark, the name may be misleading because of its other components, and therefore, it is unjustified to acceptthe aforementioned request. 3.4.The data controller added that, for reasons of data security, their preference is for customers to submit requests to close a user account and to transfer the collected data via in-app messages. This way, it is ensured in the best possible way that the actual owner of the user account is behind the request. For its part, does its best to grant the requests received through other channels (email). This requires additional manual work on the part of the customer support, which is open to human error due to the large number of customers, especially if the customer uses several user accounts and more than one channel to make different requests. The combination of the following actions is likely to yield the best results: a) making the submission of data subjects’ requests under the General Data Protection Regulation as simple, comprehensible, and convenient as possible whenusing in-app messages;b) promoting the use of the app for the above purpose among ’s customers, highlighting the advantages of the provided channel and the disadvantages of the alternative channels. 3.5.The inspectorate forwarded a new inquiry to the data controller on 13 May 2020. The inspectorate requestedthat the complainant be provided with all information concerning 2(11) the complainant, including the information that the complainant referred to. A request was also made to submit to the inspectorate a copy of the reply to the complainant together with the data file issued to the complainant. 3.6.The data controller replied on 26 May 2020 regarding the complaint made by as follows: 3.7. was provided with data about them in CSV format on 28 October2018. The purposes of processing the data were described in 2018 (as is done currently in ’s Privacy Policy, available at ). The data retention response was forwarded to on 7 November 2018 and the response log was sent in the response dated 28 October 2018. Information about was appended as an attachment to the reply given to the inspectorate. 4. Positionof the Data ProtectionInspectorate 4.1. The Estonian Data Protection Inspectorate finds that the data controller has responded to the complaint and handed out information the complainant asked. 4.2. The data controller has cooperated with the inspectorate (provided detailed responses to enquiries, forwarded the emails exchanged with complainants, as well as metadata). Therefore, it would be reasonable to reprimand the data controller in accordance with the GDPR and terminate the proceeding. 4.3. In regard to complaint , the complainant wished to receive information on the data collected in regardto them, including their contact data,location details, purposes of data processing, the processing method used, where and how the personal data of the complainant is retained, and when the data of the complainant was last changed. During the proceeding, the data controller has explained which data was collected in regard to complainant and clarified that the email address of the complainant cannot be changed to contain an email address referring to the data controller, as this would entail a copyright infringement 4.4. The data controller explained that based on the data security considerations, it is preferred that clients submit requests for deleting their user account or forwarding the data collected via in-app messages. That way, it can be best ensured that the request is indeed made by the actualholder ofthe useraccount. shall, in turn, do its best to support the satisfaction of requests received via other channels (email) as well. 4.5. The data controller has sent the metadata to the inspection and clarified that ’ user accounthas beendeleted. The data controller said that it is necessaryby law and with legitimate interest to retain certain data, e.g. accounting documents. 4.6. The inspectorate finds that data processing could have been more transparent. At the intervention of the inspectorate, the data controller provided more detailed and specific answers to the complainant. This is why a reprimand is appropriate as a result of the proceeding. 5. Decisionofthe inspectorate inthe complaint of 5.1. The Estonian DataProtection Inspectorate finds thatwhenprocessing personal data, the controller shall ensure that the data is processed lawfully, fairly, and in a transparent 3(11) manner in relation to the data subject (Article 5 (1) a) of the General Data Protection Regulation). cannot be held responsible for not changing the complainant’s email address to – it might bring up copyright issues because the email address refers to ‘ ’. 5.2. In addition, has to reply to data subjects in a more explained way, in the sense that the data subject receives their answer in depth about what data has been collected, how, when, and through what information channels. has to make the responses more clear to the data subjects in general. 6. The EstonianData ProtectionInspectorate issues areprimand to the data controller underArticle 58 (2)b) of the GeneralData ProtectionRegulation and draws attentionto the following: 6.1. When processing personal data, the controller shall ensure that the data is processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5 (1) a) of the General Data Protection Regulation). It is also important that persons are not provided misleading information concerning the processing of data (including the deletion of data). 6.2. The data subject has a right to request the deletion of, for instance, an account as well as other personal data concerning this person without undue delay. They also have the right to demand this if there is no legal basis for the processing of data. The personal data shall be deleted without delay pursuant to Article 17 of the General DataProtection Regulation. 7. Complaint of 7.1. On2 January 2020, the Estonian Data Protection Inspectorate received the complaint of through the IMI system, which was submitted to the inspectorate by the Polish data protection authority. The complainant had turned to the Polish data protection authority on 25 June 2019. 7.2. According to the complaint, the citizen wanted to delete their user account and personal data from the system. Prior to that, the complainant had wantedto receive information collected about themselves. The complainant sent aletter to on 16 May 2019 requesting to delete their personal data. This letter was sent to the email addresses , and . The complainant was told by customer support that the deletion of data would take place through the application. The complainant adds that by the time of contacting ’s Polish customer support, the complainant had already deleted the application. The complainant wants to see the data collected about the complainant. 8. The correspondence betweenthe datacontrollerand data subject 8.1. On 16 May 2019, the data subject wrote the following to the controller: In accordance with the point “8.Deletion” of “Privacy for Passengers” and in the article 17 of GDPR,I hereby requestto permanently delete my account, Iwithdraw all consents to the processing of any of my personal data and I request to delete all data collected about me. Beforehand, in accordance with the point “9. Portability” of “Privacy Policy for Passengers” andrelevant regulations of GDPR, please send to my e-mail aadress or via another agreedchannel all the data collected about me. 4(11) 8.2. replied on 19 May 2019 that for the account to be deleted, the request must be sent through the application (from ). 8.3. Somehow, there is a response on 16 of May 2019 from , which says, “We are currently struggling with a significant number of incoming reports; out responses can therefore reachyou later than usual.” (It might be an automatic response). 8.4. On 19 May 2019, the data subject sent an email to , saying the following: I’m sorry, but you did not understand my request. You also did not checkthe exactstatus of my account (I submitted a request to delete my account in the application already on 16 May, and especially for you, I just createdan account and re-submitted a request to delete it). Deleting the account is just one element of my request. I am waiting for the next part to be completed. First of all, you have not read or understood my previous message. Please read and understand my request from 16 May 2019, in particular regarding the erasure of collected data. Before that, I recommend you familiarize with your own Privacy Policy and provisions of GDPR. In the event of failing to fulfil its statutory obligation, the matter will be refferedto the President of UODO (Personal Data Protection Office). Let me remind you that a fine up to EUR 20 million and up to 4% of the total annual turnover of the preceding financial year may be imposed for breaching the provisions of the GDPR. Please treatmy request from the previous email carefully, seriously and consider it with due diligence. 8.5. On 21 May 2019, the data subject once again wrote to the data controller: Mrs , I assure you that I got acquinted with it. I see,however, that we do not understand each other, therefore I want to end my correspondence with you at this point. I consider my request still unsolved by the office in Warsaw. I inform you that I will await for a response from competent individuals within your organization (i.e Data Protection Officer at until June 16. All messages in this correspondence were also sent to him and to customer support ( ). In case of further evasion of the obligation imposed by the GDPR, on 17 June 2019, an adequate letter will be sent to the UODO. 9. Inquiries of the inspectorate to 9.1. The inspectorate then sent an inquiry to the data processor on 8 April 2020. The Polish complainant has contacted forclarification and deletion of the data, but they are not satisfied with the answers provided. Polish national, , requests a copy of the data collected about them and allegedly not sentto them by . The inspectorate asked to forward all information and data collected on the Polish citizen, . Additionally, the inspectorate requested to delete data that could be deleted by in relation to and provide the inspectorate an explanation regarding this (which data was deleted). 9.2. replied on 5 May 2020: In answering this question, weaskthe DataProtection Inspectorate to specify the details of the transmission of the information and data collected (addressee, method and channel of transmission, if the Data Protection Inspectorate has any preferences in this regard). In particular, does the Data Protection Inspectorate: a) request that the information and data be provided directly to or b) want the information and data to be transmitted to an official designated by the Data Protection 5(11)Inspectorate, whose personal identification code could be used by to encrypt the information and data transmitted? Please indicate the above preference for the transmission of information and data no later than by 8 May 2020. In the absence of input, will forward the collected information and data directly to by email no later than 8 May 2020 and will share with the Data Protection Inspectorate the email confirming the transmission. 9.3. We have clarified in our previous cooperation with the Data Protection Inspectorate (see our answer to inquiry 2.1-1/19/1946 of the Data Protection Inspectorate) that the deletion process includes the following actions: -the useris logged out ofthe application (force logout); - first name and surname are deleted (fields are left blank); - the email address is deleted (the field is cleared); - the telephone number is replaced by a sequence of random numbers; all communication with the customer (especially the newsletter) is prohibited; - the deletion command is transmitted to the associated systems (communication platforms). 9.4. The user was identified through customer service inquiries and emails. Based on these and ’s information system logs, the chronology of user-related actions is as follows: Account 1: 06.09.2018 – creation of the account (account_no: ) Account 1: 11.05.2019 – account deletion request (in-app request) Account 1: 16.05.2019 – account is deleted, information is provided to the customer. The customer does not notice the confirmation of account deletion. Account 2: 19.05.2019 – a new request from the customer to delete the account is sent by email and instructions for making an in-app request are sent to the user. Account 2: 19.05.2019 – the customer creates a new account (account_no: ) and sends an in-app request for the new account to be deleted. Account 2: 21.05.2019 – customer service sends an in-app confirmation message that the account will be deleted within 30 days. Account 2: 25.05.2019 – the new account is deleted. ’s inquiries were answered, the deletion of accounts was performed more quickly than required under Article 12 (3) of the General Data Protection Regulation. In summary, the requests for deleting the in-app user account were granted on 16 May 2019 and25 May 2019 –however, the requestsetout in point (ii) wasdifficult to comply with and it was not fulfilled. The following contributed to this result: a) the abundance of communication channels and the customer’s statements of intent; b) the fact that ’s customer service may have assumed that the scope of the customer’s later statement of intent (19 May 2019 in-app request) (delete only the user account) may take precedence over the scope of the customer’s previous statement of intent (19 May 2019 email; deletion and prior transmission of the data collected). A further analysis of the communication related to this complaint indicates that the customer’s actual statement of intent included the transmission of the data collected about them. Further internal investigation will allow to fulfil the customer’s actual request, which we want to achieve no later than 8 May 2020, by forwarding the requested data to the email address of 9.5. The inspectorate forwarded a new inquiry to on 13 May 2020, requesting that the inspectorate be provided with the information provided to in connection with their complaint. At that point, a third complaint, by , came to the attention of the inspectorate, and the inspectorate asked for clarification. 9.6. answeredon 19 May 2020 forwarding the reply sentto on 8 May 2020. also included all the data that had collected on 6(11) Regulationand draws attentionto the following: 12.1. When processing personal data, the controller shall ensure that the data is processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5 (1) a) of the General Data Protection Regulation). It is also important that persons are not provided misleading information concerning the processing of data (including the deletion of data). 12.2. The data subject has a right to request the deletion of, for instance, an account as well as other personal data concerning this person without undue delay. They also have the right todemand this if there is no legal basis for the processing of data. The personal data shall be deleted without delay pursuant to Article 17 of the GeneralDataProtection Regulation. 13. Complaint of 13.1. turned to the Polish data protection authority on 4 February 2019 to delete her account, but to do so, she was asked to provide a picture of herself with an ID-card. In her initial complaint to Poland, the complainant wrote that on 5 January 2019, she requested that delete her personal data. The complainant has not specified whether she is driver or a customer. The complainant wrote to the email address . 14. The correspondence betweenthe datacontrollerand data subject 14.1. The correspondence between the complainant and shows that on 5 January 2019, the complainant wrote that she wished to delete her account: 1.1. 5 January, 17:46 EET I resign. Please erase my e-mail and phone number from your database. 5 January, 18:34 EET Good morning, Certainly, I will satisfy your request, however I would like to inquire whatis the reason for the resignation from our services? Are you certain you wish to delete your account? 5 January, 18:42 EET I am certain. The reason is the multitude of notifications about discount (SMS, mail, app notifications). 5 January, 19:02 EET The deletion of your phone number can be done only if your entire account will be deleted. There is a possibility to only cancelthe notifications, so they don’t disturb you anymore. Therefore, what do you choose, cancellation of the notifications or the deletion of the entire account? 5 January, 19:04 EET What do you mean by ‘cancellation of notifications’? 8(11) 5 January, 19:09 EET Right now your setting regarding the receipt of notifications and messages is turned on. I can turn it off, so that all the offers will be blocked. The only messages you will receive would be the ones concerning the confirmations of fares, which is required by law. 5 January, 19:12 EET Ok. Please, delete my account. 6 January, 08:29 EET Good morning, Ok, I will get to it right away. The last thing I need to ask you is your clear photograph with an ID card close to your face (all this data will be deleted with the account) so that I can confirm your identity. It is necessaryat this moment, so that I can continue. 20.03.2019, the complainant further contacted the Polish data protection authority, explaining that they did not know where to turn. They added the address and contacts of the data controller, noting that the violation related to their contact details. 15. Inquiries of the Inspectorate to 15.1. The Inspectorate sent an inquiry to the data controller on 13 May 2020 as to the legal basis on which the complainant is obliged submit a picture of themselves together with their ID-cardto delete their account. 15.2. replied on 26 May 2020: ‘Pursuant toArticle 12 (6) of the GDPR, where the data controller has reasonable doubts concerning the identity of the natural person making the request, the controller may request the provision of additional information necessaryto confirm the identity of the data subject. The legal basis for processing the image and the ID-card is the legitimate interest of as the data controller. Providing a picture and ID-card helps to prevent fraud and allows to identify the person requesting the deletion of the account. This will also prevent a potentially more significant violation that would result from the deletion of data at the request of the wrong person. However, prefers to receive the data subject’s request for deletion through the application, which does not require additional information. Additional information in the form ofa picture andID-cardis required only if identification inside the application is unsuccessful. ’s account has been deleted as at22 October 2019.” 16. Positionofthe Data ProtectionInspectorate 16.1. The Estonian Data Protection Inspectorate finds that the data controller has responded to the complainant and cooperated with the inspectorate (provided detailed responses to enquiries, forwarded the emails exchanged with complainants, as well as metadata). Therefore, it would be reasonable to reprimand the data controller in accordance with the GDPR and terminate proceedings regarding the 9(11) complainant. 16.2. The data controller explained that based on the data security considerations, it is preferred that clients submit requests for deleting their user account or forwarding the data collected via in-app messages. That way, it can be best ensured that the request is indeed made by the actualholder of the useraccount. shall, in turn, do its best to support satisfaction of requests received via other channels (email) aswell. 16.3. The account of has beendeleted, sothe breachhas beeneliminated. 16.4. The inspectorate finds that data processing could have been more transparent. At the intervention of the inspectorate, the data controller provided more detailed and specific answers to the complainant. The data controller should have beenclearer about the factwhy and on what legal grounds it is necessaryto present anID-card. Therefore, a reprimand to the data controller is needed. This is why a reprimand is appropriate as a result of the proceeding. The complaints have indicated that if the data subject takes the necessary steps inside the application to express theirwill, be it to access the data collected, close the account, or make any otherrequest, communicationbetweenthe data subject and will then function better. The abundance of communication channels has createdcommunication problems. Itis also more difficult to identify the user and their identity when the communication takes place outside the application. Therefore, it is reasonable for to direct customers with an account to make theirdeclarations of intentthrough the application. 17. Decisionconcerning complaint 17.1. Concerning ’s complaint, The Estonian Data Protection Inspectorate finds that has the right to ask for the ID-cardpursuant toArticle 12 (6) of the GDPR. has made clear that without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessaryto confirm the identity of the data subject. 17.2. The data controller also has made clear that it does not ask for an ID-card when the inquiries are made in the application and are completed successfully. An ID-card is requested when the inquiries in the application have failed. only asked for the ID- card to protect sensitive information collected about the complainant. The data controller had to make sure that the person asking information is really the real user. The data controller has made an effort to protect the data. However, the data controller has to explain exactly why and on what legal grounds the ID-cardis being asked. 18. The Estonian Data ProtectionInspectorate issuesa reprimand to the data controller under Article 58 (2) b) of the General Data Protection Regulation and draws attentionto the following: 18.2. When processing personal data, the controller shall ensure that the data is processed lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5 (1) a) of the General Data Protection Regulation). It is also important that persons are not provided misleading information concerning the processing of data (including the deletion of data). 10 (11) 18.2. The data subject has a right to request the deletion of, for instance, an account as well as other personal data concerning this person without undue delay. They also have the right to demand this if there is no legal basis for the processing of data. The personal data shall be deleted without delay pursuant to Article 17 of the General DataProtection Regulation. 18.3. The controller is obligated to explain why certaindocuments are required from the complainant (e.g. ). The data controller could have explained to the complainant in more detail why and under what legal basis they requested them to provide a copy of their ID-card. This could have prevented the submission of a complaint to the supervisory authority. In view of the above, we shall terminate the supervisory proceeding. This decision may be challenged within 30 days by submitting one of the two: - A challenge to the Director General of the Estonian Data Protection Inspectorate pursuant to the Administrative Procedure Act , or - Anappealto anadministrative court under the Code ofAdministrative Court Procedure 2 (in this case,the challenge in the same matter canno longer be reviewed). Respectfully Lawyer Authorised by the Director General 1 2https://www riigiteataja.ee/en/eli/527032019002/consolide https://www riigiteataja.ee/en/eli/512122019007/consolide 11(11)