IMY (Sweden) - IMY-2022-1032: Difference between revisions
No edit summary |
No edit summary |
||
(One intermediate revision by one other user not shown) | |||
Line 69: | Line 69: | ||
}} | }} | ||
In the context of an erasure request, requiring identity documents | In the context of an erasure request, requiring copy of identity documents which are not strictly necessary to identify a data subject breaches [[Article 12 GDPR|Article 12(6) GDPR]]. Moreover, in these cases, the use of regular mail does not facilitate the exercise of data subjects' right under [[Article 12 GDPR|Article 12(2) GDPR.]] | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Two data subjects had customer relationship with Lensway (controller). | Two data subjects had customer relationship with Lensway (controller). In february and June 2020 they requested erasure of their data. To comply with the request, the controller required the data subjects to provide, by regular mail, a copy of an identity document and a written and signed form. In one case, also the data subject's social security number. | ||
In | |||
In | |||
The data subjects respectively filed complaints with the supervisory authorities of Finland and Denmark which handed them over to the Swedish DPA (IMY) according to [[Article 56 GDPR|Article 56 GDPR]] in its quality of lead supervisory authority. | The data subjects respectively filed complaints with the supervisory authorities of Finland and Denmark which handed them over to the Swedish DPA (IMY) according to [[Article 56 GDPR|Article 56 GDPR]] in its quality of lead supervisory authority. | ||
Line 87: | Line 83: | ||
Since the complaints were against the same controller, the IMY joined them. It started by reminding that under [[Article 12 GDPR#2|Article 12(2) GDPR]], the controller must facilitate the exercise of data subject rights and that under [[Article 12 GDPR|Article 12(6)]], the controller can request additional information to confirm the identity of the data subject if it has reasonable doubts. | Since the complaints were against the same controller, the IMY joined them. It started by reminding that under [[Article 12 GDPR#2|Article 12(2) GDPR]], the controller must facilitate the exercise of data subject rights and that under [[Article 12 GDPR|Article 12(6)]], the controller can request additional information to confirm the identity of the data subject if it has reasonable doubts. | ||
''First'', the IMY assessed if in these two cases, the controller had reasonable grounds to doubt the identity of the data subjects. It held that was not entirely clear what information the data subjects provided with their request | ''First'', the IMY assessed if, in these two cases, the controller had reasonable grounds to doubt the identity of the data subjects. It held that was not entirely clear what information the data subjects provided with their request. The company's doubts about the identity of the data subjects were therefore reasonable. | ||
''Second'', the IMY then examined the necessity of the information requested. Taking into account the customer relationship between the data subjects and the controller, the IMY considered that the controller | ''Second'', the IMY then examined the necessity of the "additional information" requested by the controller to overcome such doubts. Taking into account the customer relationship between the data subjects and the controller, the IMY considered that the controller could not, in this occasion, require more personal data than were asked when establishing the customer relationship. The IMY also referred to the [https://edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf EDPB guidelines on the right of access] which state that the use of an identity document as part of an authentification process should be considered inappropriate unless strictly necessary under national law. In this case, the IMY held that other less intrusive means could have been sufficient to identify the data subjects. For example, using control questions or requiring the data subject to log in on the controller’s website. | ||
''Last'', the IMY analysed whether requesting the data subjects to send their information by regular mail was in line with [[Article 12 GDPR#2|Article 12(2) GDPR]]. It considered that the use of regular mail could be justifiable for reasons of security. However, in this case, provided that the identity documents were not necessary, the IMY concluded that the controller did not facilitate the exercise of the data subjects’ rights. | ''Last'', the IMY analysed whether requesting the data subjects to send their information by regular mail was in line with [[Article 12 GDPR#2|Article 12(2) GDPR]]. It considered that the use of regular mail could be justifiable for reasons of security. However, in this case, provided that the identity documents were not necessary, the IMY concluded that the controller did not facilitate the exercise of the data subjects’ rights. |
Latest revision as of 07:51, 7 June 2023
IMY - IMY-2022-1032 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(2) GDPR Article 12(6) GDPR Article 17 GDPR Article 56 GDPR Article 60 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 19.01.2023 |
Published: | |
Fine: | n/a |
Parties: | Lensway |
National Case Number/Name: | IMY-2022-1032 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | IMY (in EN) |
Initial Contributor: | n/a |
In the context of an erasure request, requiring copy of identity documents which are not strictly necessary to identify a data subject breaches Article 12(6) GDPR. Moreover, in these cases, the use of regular mail does not facilitate the exercise of data subjects' right under Article 12(2) GDPR.
English Summary
Facts
Two data subjects had customer relationship with Lensway (controller). In february and June 2020 they requested erasure of their data. To comply with the request, the controller required the data subjects to provide, by regular mail, a copy of an identity document and a written and signed form. In one case, also the data subject's social security number.
The data subjects respectively filed complaints with the supervisory authorities of Finland and Denmark which handed them over to the Swedish DPA (IMY) according to Article 56 GDPR in its quality of lead supervisory authority.
In its defense, the controller stated that it could not identify the data subjects with other means. Requesting identity documents was therefore necessary to comply with the erasure requests. It added that the use of regular mail was necessary to ensure that they received the original written documentation.
Holding
Since the complaints were against the same controller, the IMY joined them. It started by reminding that under Article 12(2) GDPR, the controller must facilitate the exercise of data subject rights and that under Article 12(6), the controller can request additional information to confirm the identity of the data subject if it has reasonable doubts.
First, the IMY assessed if, in these two cases, the controller had reasonable grounds to doubt the identity of the data subjects. It held that was not entirely clear what information the data subjects provided with their request. The company's doubts about the identity of the data subjects were therefore reasonable.
Second, the IMY then examined the necessity of the "additional information" requested by the controller to overcome such doubts. Taking into account the customer relationship between the data subjects and the controller, the IMY considered that the controller could not, in this occasion, require more personal data than were asked when establishing the customer relationship. The IMY also referred to the EDPB guidelines on the right of access which state that the use of an identity document as part of an authentification process should be considered inappropriate unless strictly necessary under national law. In this case, the IMY held that other less intrusive means could have been sufficient to identify the data subjects. For example, using control questions or requiring the data subject to log in on the controller’s website.
Last, the IMY analysed whether requesting the data subjects to send their information by regular mail was in line with Article 12(2) GDPR. It considered that the use of regular mail could be justifiable for reasons of security. However, in this case, provided that the identity documents were not necessary, the IMY concluded that the controller did not facilitate the exercise of the data subjects’ rights.
Taking into account that the infringements occurred far back in time, only affected two data subjects and that in the meantime, the controller stopped requesting copies of identity documents and written forms, the IMY considered that this constituted a minor infringement and issued a reprimand.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
1(8) Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection’s decision 2023- 01-19, no. IMY-2022-1032. Only the Swedish version of the decision is deemed authentic. Ref no: IMY-2022-1032 Decision under the General Data Protection Regulation – Lensway Date of decision: 2023-01-19 Group AB Decision of the Swedish Authority for Privacy Protection The Swedish Authority for Privacy Protection finds that Lensway Group AB when handling the request for erasure made on 20 February 2020 by the complainant in Complaint 1, and the request for erasure made on 25 June 2020 by the complainant in Complaint 2, has processed personal data in breach of: • Article 12(6) GDPR by requesting a copy of the identity document and signature when this was not necessary to confirm the identities of the complainants; and • Article 12(2) of the GDPR by requiring that the complainants when requesting erasure submit information by mail in order to confirm their identities, which did not facilitate the exercise of the complainants` right to erasure. The Swedish Authority for Privacy Protection issues a reprimand to Lensway Group AB pursuant to Article 58(2)(b) of the GDPR for infringement of Articles 12(2) and 12(6) of the GDPR. Presentation of the supervisory case The Swedish Authority for Privacy Protection (IMY) has initiated supervision regarding Lensway Group AB (the company) due to two complaints, mainly to investigate whether Lensway Group AB has received and handled the complainants’ requests for erasure in accordance with Articles 12 and 17 of the GDPR. The complaints have been submitted to IMY as the lead supervisory authority pursuant to Article 56 of the GDPR. The handover has been made by the supervisory authority of the country where the complainants have lodged their complaints (Finland and Denmark) in Postal address: accordance with the provisions of the GDPR on cooperation in cross-border Box 8114 104 20 Stockholm processing. Website: The case has been handled through written procedure. In view of the complaint www.imy.se E-mail: relating to cross-border processing, IMY has made use of the cooperation and imy@imy.se 1 Regulation (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the Phone: protection of natural persons with regard to he processing of personal data and on the free movement of such data, 08-657 61 00 and repealing Directive 95/46/EC (General Data Protection Regulation).Privacy Protection Authority Our ref: IMY-2022-1032 2(8) Date:2022-12-12 consistency mechanisms provided for in Chapter VII of the GDPR. The supervisory authorities concerned have been the data protection authorities in Denmark, Norway and Finland. The complaints The complainants have mainly stated the following. Complaint 1 (Complaint from Finland with national registration number 1576/153/2020) The complainant was in contact with the company on 20 February 2020 and requested erasure. The company replied to the complainant that the complainant needs to send them the postal address so that they can send the complainant documents relating to the complainant’s request. These documents were to be signed and returned by the complainant. In addition, the company requested the complainant to verify the identity by sending a copy of the complainant´s identity document by e-mail. For security reasons, the complainant was not willing to provide what was requested. Complaint 2 (Complaint from Denmark with national registration number 2020-31- 3616) The complainant requested erasure of the complainant´s information on lensway.dk. In order to comply with the request, the company requested that the complainant provide the social security number and a copy of the identity document. However, the company could not tell the complainant why they need that information except that they need it in order to confirm the complainant´s identity. The complainant questions the need for the company to collect personal data in order to erase personal data. The complainant suggested that the company could instead confirm the complainant´s identity by sending an e-mail to the address registered on the complainant but they refused. What Lensway Group AB has stated In its statements of 20 April, 12 May and 11 August 2022, the company has mainly stated the following. The Company is the data controller concerning the processing to which the complaints relates. Complaint 1 The company has received the complaint’s request for erasure, but the complainant has not completed the company´s at the time current verification process. The company has requested the complainant to submit a copy of the identity document. This is the only way the company has so far been able to ensure the identity of the customer. The copy was to be sent by regular mail. The company also requested the complainant to submit a signed request for erasure. The company has so far not been able to receive this information digitally. In order to ensure that they have received original documents, they have asked the complainant to submit it via regular mail. Complaint 2 The company received the request for erasure on 25 June 2020 but the complainant did not complete the company’s at the time current verification process. It is true that the company requested the complainant’s social security number in the written form, but it has been voluntary to provide this information. In addition to the information requested in the written form, the company requested the complainant to submit aPrivacy Protection Authority Our ref: IMY-2022-1032 3(8) Date:2022-12-12 copy of the identity document. The company has so far not been able to identify the complainant in any other way. The complainant was asked to submit the information by regular mail in order to ensure that the company had received the original documents. As regards both complaints the company has stated the following: As regards the written form to be submitted by both complainants, the company states the following concerning the personal data required to disclose and why the information was necessary. • Name is mandatory information which is requested to confirm the identity of the data subject. • Email address is mandatory information which is requested because it is used as a unique identifier of customers in the company’s system. • Signature is mandatory for the company to be able to ensure that the data subject has read the information and has given his or her consent. The company states that they should always ensure that it is the right person that contacts them when it comes to requests to exercise a right under the GDPR. Since the company was previously unable to identify the customer in a good and secure way when they contacted the company through customer service, the manual process via regular mail has been the one they have used. In this way, they have had a two-step verification. Functionality to enable confirmation of the customer’s identity through customer service has not been in place. The customer relationship with the company can be established in two ways, either the customer makes a purchase or the customer logs in to My Pages. When the customer creates an account on My Pages, the customer enters their email address and an email with confirmation is sent to the customer. The customer can then, via the link in the email, come to a web page where they link a password to the email address. The customer account is then created and the company thus receives a two-step verification. The complainants used the second method by which the customer relationship can be established. The complainants made purchases with the company and they were identified through the company’s payment service provided by Klarna. For most payment options, Klarna requires the customer to verify themselves via bank ID. For certain payment methods, for example payment by credit card, the customer may choose not to have to verify via bank ID through Klarna’s app. The company’s existing digital contact channel is My Pages. However, there has been no functionality to handle requests to exercise a right under the GDPR on My Pages. Since April 2022, the company’s customers can now request to be erasured or receive a copy of their personal data directly via My Pages. The customer’s identity is then verified via regular login.Privacy Protection Authority Our ref: IMY-2022-1032 4(8) Date:2022-12-12 Statement of reasons for the decision Applicable provisions, etc. According to Article 17(1), the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the grounds set out in the Article applies, for example when the personal data are no longer necessary in relation to the purposes for which they were collected or if the data subject withdraws consent on which the processing is based. Article 12(2) requires the controller to facilitate the exercise of data subject rights under Articles 15 to 22. Article 12(6) states that, without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject . The European Data Protection Board’s (EDPB) Guidelines 01/2022 on access state 2 inter alia: 65. In cases where the controller requests the commission of additional information necessary to confirm the identity of the data subject, the controller shall each time assess what information will allow it to confirm the data subject’s identity and possibly ask additional questions to the requesting person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3). Such additional information should not be more than the information initially needed for the verification of the data subject’s identity (authentication). In general, the fact that the controller may request additional information to assess the data subject’s identity cannot lead to excessive demands and to the collection of personal data which is not relevant or necessary to strengthen the link between the individual and the personal data requested. [...] 73. It should be emphasised that using a copy of an identity document as a part of the authentication process creates a risk for the security of personal data and may lead to unauthorised or unlawful processing, and as such it should be considered inappropriate, unless it is strictly necessary, suitable, and in line with national law. In such cases the controllers should have systems in place that ensure a level of security appropriate to mitigate the higher risks for the rights and freedoms of the data subject to receive such data. It is also important to note that identification by means of an identity card does not necessarily help in the online context (e.g. with the use of pseudonyms) if the person concerned cannot contribute any other evidence, e.g. further characteristics matching to the user account. 2EDPB, Guidelines 01/2022 on data subject rights — Right of access, Version 1.0. The guidelines have been out for public consultation and are awaiting final adoption.Privacy Protection Authority Our ref: IMY-2022-1032 5(8) Date:2022-12-12 Assessment of IMY On the basis of the complaints in question, IMY has examined the company’s conduct in these two individual cases. Has the company acted in accordance with 12(6) of the General Data Protection Regulation when the company requested current information from the complainants? Has Lensway Group had reasonable grounds to doubt the identity of the complainants? It is only when the controller has reasonable grounds to doubt the identity of the person making the request that additional information to confirm the identity may be requested. What constitutes “reasonable grounds” in Article 12(6) GDPR should be assessed on the basis of the circumstances in the individual case. The assessment of whether there are reasonable grounds in an individual case to doubt the identity of the one requesting is normally made in the light of the information provided in connection with the request. This applies particularly in situations where the controller has no further knowledge of the person. However, the need for an individual assessment does not preclude the establishment of routines for how the controller normally verifies the identity of the data subject. The company was given the opportunity to motivate the individual assessment made based on the complainants’ situation if they considered that they had reasonable doubts as to the identity of the complainants when the complainants submitted their requests. With regard to both complainants, the company argues mainly as follows. The company should always ensure that it is the right person that contact them when it comes to requests to exercise a right under the GDPR. The customer has not previously been able to be identified in a good and secure manner when they contacted the company through Customer Service. Functionality for handling requests to exercise a right under the GDPR has not been available through Customer Service or on My Pages. IMY notes that it is not clear from the investigation in the case what information the complainants provided in connection with their request and whether there were reasons for the company to doubt their identity on the basis of those requests. However, IMY considers that, in light of what has emerged in the case, there is no need to question the company´s statement that it had reason to doubt the identity of the complainants. In the assessment, IMY takes into consideration the fact that the obligation to ensure the identity of the one requesting also is intended to protect data subjects against someone else making requests in their name, which may lead to negative consequences for the data subject. The risks of these negative consequences in the event of false requests are particularly obvious in the case of more invasive measures, such as the exercise of the right to erasure. IMY therefore takes the view that it has not been shown other than that the company, in the present cases, have had reasonable grounds to doubt the identity of the complainants. Has the information requested by the Lensway Group been necessary to confirm the identity of the complainants?Privacy Protection Authority Our ref: IMY-2022-1032 6(8) Date:2022-12-12 Although the controller has reasonable grounds to doubt the identity of the data subjects, the controller shall not collect more personal data than is necessary to enable the confirmation of the identity of the requesting data subject. The company mainly states the following concerning the necessity of the information they have requested from both complainants. A copy of the identity document has been requested as it was the only way in which the company has so far been able to verify the identity of the customer. In addition to a copy of the identity document, the complainants were required to submit a written form. The information requested in the written form and why it was necessary is presented by the company in essence as follows. The name has been requested to confirm the identity of the data subject. The email address has been requested because it is used as a unique identifier of customers in the company’s system. The signature has also been requested and is, according to the company, a necessary information for the company to be able to ensure that the data subject has read the information and given his or her consent to the handling of the request. As regards the verification of the identity of the complainants, the company states that both complainants made purchases where they were identified through the company’s payment service provided by Klarna. It appears from the company’s statements that it was not required that the company itself verified the identity of the complainants when the customer relationship was established, i.e. at the time of purchase. IMY states that the company cannot require more personal data when the complainant wishes to exercise its rights than was required when establishing the customer relationship. A copy of the identity document and signature is information that the company has not requested at the establishment of the customer relationship in these two cases. Furthermore, IMY takes into account that, according to the EDPB Guidelines on the right of access, the use of a copy of an identity document as part of the authentication process should be considered inappropriate, unless strictly necessary, suitable and in line with national law. IMY considers that the requirement to provide the controller with a copy of its identity document is an intrusive measure, which is only appropriate where the controller has previously ensured the actual identity of the data subject and where alternative less intrusive means of verification are inappropriate. IMY considers that there have been no circumstances identified that speak against that other, less intrusive, verification methods could have been used in the present cases, such as login via My Pages or control questions. IMY notes that it has therefore not appeared in the case that the request for a copy of the identity document or the signature would have been absolutely necessary or appropriate. Against this background, IMY considers that the copy of the identity document and the signature cannot therefore be considered to have been necessary to confirm the identity of the complainants in accordance with Article 12(6) of the GDPR. Has the company acted in accordance with 12(2) of the General Data Protection Regulation when the company requested the complainants to send the information by mail? The next question is whether it has been permissible to require the complainants to send the requested information to the company by regular mail.Privacy Protection Authority Our ref: IMY-2022-1032 7(8) Date:2022-12-12 In view of the requirements to facilitate the exercise of the data subject’s rights in Article 12(2) GDPR, it can only be accepted in exceptional cases that a controller as the sole channel of contact refers individuals to ordinary mail if they have to submit information in order to ensure their identities, for example if it is justifiable for reasons of security. The starting point should be that alternative means of submitting requested information should be offered. In that regard, the company has mainly stated that it required the information to be sent by regular mail in order to ensure that they received the original written documentation. IMY takes the view that the transmission of a copy of an identity document may indeed pose particular risks, which may justify requiring that the document be sent by mail. This provided that it is necessary information to confirm the identity of the data subject. In the present cases, IMY concludes above that a copy of the identity document was not necessary to confirm the identity of the complainants. By requiring the complainants additionally to send the information by regular mail, IMY takes the view that the company did not facilitate for the complainants to exercise their right to erasure. IMY therefore considers that the company thereby acted in breach of Article 12(2) of the GDPR. Choice of corrective measure It follows from Article 58(2)(i) and Article 83(2) of the GDPR that IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) determines the factors to be taken into account when imposing administrative fines and when determining the amount of the fine. In the case of a minor infringement, IMY may, as stated in recital 148, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Account needs to be taken to the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement as well as past infringements of relevance. IMY notes the following relevant facts. It has emerged from the investigation in the case that a copy of an identity document and signature is no longer requested by Lensway Group AB upon requests from data subjects to exercise their right to erasure under the GDPR. Furthermore, the infringements found have occurred relatively far back in time (2020) and have affected two data subjects. Against this background, IMY considers that it is a minor infringement within the meaning of recital 148 and that Lensway Group AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR. ___________________________________________________ This decision has been taken by the specially appointed decision-maker, legal advisor , following a presentation by legal advisoPrivacy Protection Authority Our ref: IMY-2022-1032 8(8) Date:2022-12-12 How to appeal If you wish to appeal IMY:s decision, please write to IMY. Please indicate in your letter the decision you are appealing and the amendment that you are requesting. The appeal must reach IMY no later than three weeks from the date on which you received the decision. If the appeal has been received in due time, IMY forwards it to the Administrative Court in Stockholm for trial. You can send the appeal by email to IMY if the appeal does not contain any sensitive personal data or information that may be subject to confidentiality. IMY:s contact details are set out in the first page of the decision.