IMY (Sweden) - 2022-1032

From GDPRhub

Revision as of 08:43, 23 April 2024

IMY - 2022-1032
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(2) GDPR; Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 19.01.2023
Published: 09.04.2024
Fine: n/a
Parties: Lensway Group AB
National Case Number/Name: 2022-1032
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: nzm

The DPA issued a reprimand against a controller for asking data subjects to provide a copy of their ID as well as signed documents by post, when there were no reasonable grounds to doubt the identity of the data subjects.

English Summary

Facts

A data subject in Finland contacted Lensway Group AB (“controller”) and made an erasure request. The controller replied that the data subject needed to send them his postal address so that they could send him documents related to the request, which should be signed and returned by him. The controller also asked the data subject to verify his identity by sending a copy of his ID by email. The data subject refused to provide this information. The data subject therefore lodged a complaint with the Finnish DPA.

Another data subject, in Denmark, contacted the same controller, also for an erasure request. To comply with the request, the controller asked the data subject to provide his social security number and a copy of his ID. The data subject questioned the need for the controller to collect personal data in order to delete his personal data and suggested that it could confirm his identity by sending an email to the address it had registered for him. The controller refused.

These two data subjects lodged complaints against the controller in Finland and Denmark. Given the cross-border nature of the processing, the Swedish DPA (“IMY”) made use of the cooperation and consistency mechanisms provided by the GDPR.

Regarding the documents that the data subject was required to submit, the controller argued that the name, email address and signature requested in these documents were mandatory to confirm the data subject’s identity and to ensure that they had read the information and given consent. The controller also indicated that they should always ensure that the right person is contacting them regarding requests to exercise a right under the GDPR and that, in the present case, the data subjects had not been identified in a good and secure way when contacting the controller.

Holding

Firstly, regarding the information requested, the DPA assessed whether the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under Article 12(6) GDPR additional information may be requested only if the controller has reasonable grounds to doubt the identity of the data subject making the request. The DPA considered that in the present case, the controller had not demonstrated that there were reasonable grounds to doubt the data subjects’ identity.

The DPA also examined if the information requested was necessary to confirm the data subjects’ identity. The IMY considered that providing a copy of an ID is an intrusive measure and is only appropriate when alternative less intrusive verification methods are inappropriate. The DPA found that in the present case, the controller did not demonstrate that a copy of an ID or a signature were absolutely necessary or appropriate.

Therefore, the DPA concluded that the controller breached Article 12(6) GDPR.

Secondly, regarding the sending of the documents by mail, under Article 12(2) GDPR, the use of ordinary mail as the only means of contact is accepted in exceptional circumstances. The DPA added that alternative ways of submitting requested data should be offered. The IMY held that sending a copy of an identity document may entail special risks which may justify that the document be sent by post, if this is necessary to confirm the identity of the data subject. However, as this was not the case, the DPA found that the controller violated Article 12(2) GDPR.

Thus, the DPA issued a reprimand to the controller for breaching Articles 12(2) and 12(6) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Lensway Group AB

Diary number: IMY-2022-1032
Date: 2023-01-19

Decision after supervision according to the data protection regulation - Lensway Group AB

The Privacy Protection Authority's decision

The Privacy Protection Authority states that Lensway Group AB, when handling the deletion request made on February 20, 2020 by the complainant in complaint 1, and on June 25, 2020 by the complainant in complaint 2, has processed personal data in violation of:

• Article 12.6 of the data protection regulation, by requesting a copy of an identity document and a signature when this was not necessary to confirm the identities of the complainants, and
• Article 12.2 of the data protection regulation, by requiring the complainants, when requesting deletion, to submit data to confirm their identities via post, which did not facilitate the complainants' exercise of their right to deletion.

The Privacy Protection Authority gives Lensway Group AB a reprimand according to Article 58.2 b of the data protection regulation for violation of Articles 12.2 and 12.6 of the data protection regulation.

Account of the supervisory matter

Handling

The Swedish Privacy Protection Agency (IMY) has started supervision of Lensway Group AB (the company) due to two complaints, mainly to investigate whether Lensway Group AB has received and handled the complainants' requests for deletion in a correct manner according to Articles 12 and 17 of the data protection regulation.[1] The complaints have been handed over to IMY, in its capacity as responsible supervisory authority pursuant to Article 56 of the data protection regulation. The handover has taken place from the supervisory authorities in the countries where the complainants filed their complaints (Finland and Denmark), pursuant to the Regulation's provisions on cooperation in cross-border processing.

[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on the repeal of directive 95/46/EC (general data protection regulation).

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Telephone: 08-657 61 00

The proceedings at IMY have taken place through an exchange of letters. Against the background that the case concerns cross-border processing, IMY has used the mechanisms for cooperation and consistency found in Chapter VII of the data protection regulation. The supervisory authorities concerned have been the data protection authorities in Denmark, Norway and Finland.

The complaints

The complaints essentially state the following.

Complaint 1 (Complaint from Finland with national diary number 1576/153/2020)

The complainant has been in contact with the company on 20 February 2020 and requested deletion. The company has replied to the complainant that he needs to send his postal address to them so that they may send documents relating to his request to him. The complainant was to sign and return these documents. Furthermore, the company has requested that the complainant verify his identity by sending a copy of his identity document via e-mail. For security reasons, the complainant has not been willing to submit what was requested of him.

Complaint 2 (Complaint from Denmark with national diary number 2020-31-3616)

The complainant has requested deletion of his information on lensway.dk. To accommodate the request, the company has requested that he provide his social security number and submit a copy of his identity document. However, the company cannot tell the complainant why they need this information other than that they need it to be able to confirm his identity. The complainant disputes that the company needs to collect personal data in order to delete personal data. The complainant suggested that the company could instead confirm his identity by sending an email to the address that was registered to him, but they refused.

What the company has stated

The company has, in its opinions of 20 April, 12 May and 11 August 2022, essentially stated the following. The company is the personal data controller for the processing to which the complaints relate.

Complaint 1

The company has received the complainant's request for deletion, but the complainant has not followed through the company's verification process applicable at the time. The company has requested that the complainant send in a copy of his identity document. It is the only way that the company has so far been able to ensure the customer's identity. The copy would be sent via ordinary mail. The company has also requested that the complainant submit a signed request for deletion. The company has so far not been able to receive this data digitally. To ensure that they have received original documents, they have asked the complainant to send them in via regular mail.

Complaint 2

The company has received the request for deletion on June 25, 2020, but the complainant has not completed the company's verification process applicable at the time. It is true that the company requested the complainant's social security number in the written record, but it was voluntary to provide this information. As an addition to the information in the written basis, the company has requested that the complainant submit a copy of his identity document. The company has so far not been able to identify the complainant in any other way. The complainant has been asked to submit the information via ordinary post in order to ensure that the company has received documents in original.


Regarding both complaints, the company has stated the following

As regards the written request that both complainants were to submit, the company states the following regarding which personal data was mandatory to provide and why the information was necessary.

• Name is mandatory information that is requested in order to confirm the data subject's identity.
• E-mail address is mandatory information that is requested to be used as a unique identifier of customers in the company's system.
• Signature is mandatory for the company to ensure that the data subject has read the information and given his consent.

The company states that they should always ensure that it is the right person who contacts them when it concerns requests to exercise a right under the data protection regulation. Since the company was previously unable to identify the customer in a good and safe way when they contacted the company via customer service, the manual process via regular mail has been the one they used. In this way, they have achieved a two-step verification. Functionality to enable confirmation of the customer's identity via customer service has not been in place.

The customer relationship with the company can be established in two ways: either the customer makes a purchase or the customer logs in to My Pages (Mina Sidor). When the customer creates an account on My Pages, the customer provides their email address and a confirmation email is sent to the customer. The customer can then, via the link in the email, access a web page where he links a password to the e-mail address. The customer account is then created and the company thus obtains a two-step verification. The complainants have used the other means by which the customer relationship can be established.

The complainants have made purchases with the company and they have then been identified via the company's payment service provided by Klarna. For most payment options, Klarna requires that the customer verifies himself via BankID. For certain payment methods, for example payment with credit card, the customer can choose not to have to verify themselves via BankID through Klarna's app.

The company's existing digital contact route is My Pages. However, there has been no functionality to handle requests to exercise a right under the data protection regulation on My Pages. Since April 2022, the company's customers can request to be deleted or receive a copy of their personal data directly via My Pages. The customer's identity is then verified via regular login.



Justification of the decision

Applicable regulations, etc.

According to Article 17.1, the data subject shall have the right to obtain from the personal data controller the erasure of their personal data without undue delay, and the personal data controller shall be obliged to erase personal data without undue delay where one of the conditions listed in the article applies, for example if the data are no longer necessary for the purposes for which they were collected or if consent to the processing is withdrawn.

According to Article 12.2, the personal data controller must facilitate the exercise of the data subject's rights in accordance with Articles 15–22.

Article 12.6 states that, without prejudice to the application of Article 11, the personal data controller may, if he has reasonable grounds to doubt the identity of the natural person who submits a request under Articles 15–21, request that additional information necessary to confirm the identity of the data subject be provided.

In the European Data Protection Board's (EDPB) Guidelines 01/2022 on the right of access[2], the following is stated, among other things.

65. If the data controller requests additional information that is necessary to confirm the identity of the data subject, the personal data controller shall each time assess which information will enable it to confirm the data subject's identity and possibly ask additional questions of the requesting person or request the data subject to provide additional identifying information, if proportionate (see section 3.3). Such additional information should not be more than the information originally needed to verify the data subject's identity (authentication). In general, the fact that the controller may request additional information to assess the data subject's identity cannot lead to excessive demands and to the collection of personal data that is not relevant or necessary to strengthen the connection between the individual and the personal data requested.[3]

[…]

73. It should be emphasized that the use of a copy of an identity document as part of the authentication process poses a risk to the security of personal data and may lead to unauthorized or unlawful processing, and should therefore be considered inappropriate unless absolutely necessary, appropriate and in accordance with national legislation. In such cases, the personal data controllers should have systems that ensure a level of security suitable to reduce the higher risks to the freedoms and rights of the data subject that receiving such data entails. It is also important to note that identification using an identity card does not necessarily help in an online context (e.g. when using pseudonyms) if the person concerned cannot provide any other evidence, e.g. further properties that match the user account.[4]

[2] EDPB, Guidelines 01/2022 on data subject rights - Right of access, Version 1.0 (EDPB's Guidelines 01/2022 on the right of access). The guidelines have been out for public consultation and are awaiting final adoption.

[3] IMY's translation, original: In cases where the controller requests the provision of additional information necessary to confirm the identity of the data subject, the controller shall each time assess what information will allow it to confirm the data subject's identity and possibly ask additional questions to the requesting person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3). Such additional information should not be more than the information initially needed for the verification of the data subject's identity (authentication). In general, the fact that the controller may request additional information to assess the data subject's identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.

[4] IMY's translation, original: It should be emphasized that using a copy of an identity document as a part of the authentication process creates a risk for the security of personal data and may lead to unauthorized or unlawful processing, and as such it should be considered inappropriate, unless it is strictly necessary, suitable, and in line with national law. In such cases the controllers should have systems in place that ensure a level of security appropriate to mitigate the higher risks for the rights and freedoms of the data subject to receive such data. It is also important to note that identification by means of an identity card does not necessarily help in the online context (e.g. with the use of pseudonyms) if the person concerned cannot contribute any other evidence, e.g. further characteristics matching to the user account.

The Swedish Privacy Protection Authority's assessment

Based on the current complaints in the case, IMY has reviewed the company's actions in these two individual cases.

Has the company acted in accordance with Article 12.6 of the data protection regulation when it requested the information in question from the complainants?

Did Lensway Group have reasonable grounds to doubt the identity of the complainants?

It is only when the personal data controller has reasonable grounds to doubt the identity of the person who made the request that additional information to confirm the identity may be requested. What constitutes "reasonable grounds" in Article 12.6 of the data protection regulation should be assessed based on the circumstances of the individual case. The assessment of whether there are reasonable grounds in an individual case to doubt the identity of the person making the request is normally made in light of the information provided in connection with the request. This applies especially in situations where the personal data controller lacks further knowledge about this person. However, the fact that an individual assessment is required does not preclude routines being established for how the personal data controller normally verifies the data subject's identity.

The company has been given the opportunity to justify the individual assessment of the complainants' situation on which it relied, if it considered that it had reasonable grounds to doubt the identity of the complainants when they presented their requests. Regarding both complainants, the company has mainly stated the following. The company should always ensure that it is the right person who contacts them regarding requests to exercise a right under the data protection regulation. The customer has not previously been able to be identified in a good and secure way when they contacted the company via Customer Service. Functionality for the management of requests to exercise a right under the data protection regulation has never existed at Customer Service or on My Pages.

IMY states that it is not clear from the investigation in the case which data the complainants submitted in connection with their requests and whether, based on these, there was any reason for the company to doubt their identity. However, IMY considers that, against the background of what has emerged in the case, there is no reason to question the company's statement that the company had reason to doubt the identity of the complainants. In that assessment, IMY takes into account that the obligation to ensure the identity of the person making a request also has the purpose of protecting data subjects against someone else wrongfully making requests in their name, which may lead to negative consequences for the data subject. The risks of these negative consequences in case of false requests are particularly evident when it comes to more intrusive measures, such as the exercise of the right to erasure. IMY therefore finds that it has not been shown other than that the company in the relevant cases had reasonable grounds to doubt the identity of the complainants.

Has the information requested by Lensway Group been necessary to confirm the identity of the complainants?

Even if the personal data controller has reasonable grounds to doubt the identity of the complainant, the personal data controller shall not collect more personal data than what is necessary to enable identification of the requesting data subject.

                                The company has essentially stated the following regarding the necessity of that information
                                those requested by both appellants. A copy of the identity document has been requested when it was

                                the only way the company has so far been able to ensure the customer's identity. In addition to
                                copy of identity document, the appellants should submit a written document. The
                                information that has been requested in the written documentation and why it was necessary,

                                is reported by the company essentially as follows. The name has been requested to confirm it
                                data subject's identity. The email address has been requested to be used as a unique
                                identifier of customers in the company's system. The signature has also been requested and is as per

                                the company a necessary information in order for the company to be able to ensure that it
                                registrant has read through the information and given his consent to the handling of
                                request.


                                Regarding whether the identity of the complainants has been verified, the company has stated that both
                                the complainant has made purchases where they have been identified via the company's payment service as

                                provided by Klarna.

It appears from the company's opinion that it was not required that the company itself verified the true identity of the complainants when the customer relationship was established, i.e. upon purchase. IMY notes that the company cannot demand more personal data when the complainants want to exercise their rights than what was required when establishing the customer relationship. A copy of the identity document and a signature are information that the company did not request at the establishment of the customer relationship in the two current cases. Furthermore, IMY considers that, according to the EDPB's guidelines on the right of access, the use of a copy of an identity document as part of the authentication process should be considered inappropriate unless it is absolutely necessary, appropriate and in accordance with national legislation. IMY considers that the requirement to provide the personal data controller with a copy of one's identity document is an intrusive measure, which is only appropriate when the personal data controller has previously ensured the actual identity of the data subject and alternative, less intrusive verification methods are inappropriate. IMY assesses that no circumstances have emerged that speak against other, less intrusive verification methods having been used in the current cases, for example login via My Pages or control questions. IMY therefore notes that it has not emerged in the case that the request for the copy of the identity document or the signature would have been absolutely necessary or appropriate.

In light of this, IMY assesses that the copy of the identity document and the signature thus cannot be considered to have been necessary to confirm the identity of the complainants in accordance with Article 12.6 of the Data Protection Regulation.


Has the company acted in accordance with Article 12.2 of the Data Protection Regulation when the company requested that the complainants send the information by post?

The next question is whether it was permissible to require the complainants to send the requested information to the company via ordinary post.


In light of the requirement to facilitate the exercise of the data subject's rights in Article 12.2 of the Data Protection Regulation, it can only be accepted in exceptional cases that a personal data controller refers individuals to regular mail as the only means of contact when they must submit information to ensure their identities, for example if it is justifiable on security grounds. The starting point should be that alternative ways of submitting requested information must be offered. The company has in this part essentially stated that it demanded that the data be sent via ordinary post in order to ensure that it received the original written documentation.


IMY assesses that sending a copy of an identity document can indeed involve special risks which may justify requiring that the document be sent by post. This is provided that the information is necessary in order to confirm the identity of the data subject.


In the current cases, IMY has assessed above that a copy of the identity document was not necessary to confirm the identity of the complainants. By demanding that the complainants also send the information via regular mail, IMY considers that the company has not facilitated the exercise of the complainants' right to erasure. IMY therefore assesses that the company acted in violation of Article 12.2 of the Data Protection Regulation.


Choice of intervention

It follows from Articles 58.2(i) and 83.2 of the Data Protection Regulation that IMY has the authority to impose administrative fines in accordance with Article 83. Depending on the circumstances of the individual case, administrative fines shall be imposed in addition to, or instead of, the other measures referred to in Article 58.2, such as injunctions and prohibitions. Furthermore, Article 83.2 states which factors must be taken into account when deciding whether administrative fines are to be imposed and when determining the amount of the fine. If it is a question of a minor infringement, IMY may, as set out in recital 148, issue a reprimand under Article 58.2(b) instead of imposing a fine. Consideration must be given to the aggravating and mitigating circumstances of the case, such as the nature, severity and duration of the infringement, as well as previous relevant infringements.

IMY notes the following relevant circumstances. The investigation in the matter has established that a copy of the identity document and a signature are no longer requested by Lensway Group AB when data subjects request to exercise their right to erasure under the Data Protection Regulation. Furthermore, the established infringements occurred relatively far back in time (2020) and affected two data subjects. Against this background, IMY finds that these are minor infringements in the sense referred to in recital 148, which means that Lensway Group AB shall be given a reprimand under Article 58.2(b) of the Data Protection Regulation for the identified infringements.

__________________________________________________


This decision has been taken by the special decision-maker, lawyer Evelin Palmér, after presentation by the lawyer Anna Mlynska.

Evelin Palmér, 2023-01-19 (This is an electronic signature)






How to appeal


If you want to appeal the decision, you must write to the Swedish Privacy Agency. State in the letter which decision you are appealing and the change you are requesting. The appeal must have been received by the Privacy Protection Authority no later than three weeks from the day you were notified of the decision. If the appeal has been received in time, the Privacy Protection Authority forwards it to the Administrative Court in Stockholm for examination.

You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision.