IMY (Sweden) - IMY-2022-9109: Difference between revisions
Revision as of 13:38, 29 April 2024
IMY - IMY-2022-9109 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 12(2) GDPR; Article 12(6) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 22.05.2023 |
Published: | 14.04.2024 |
Fine: | n/a |
Parties: | MAG Interactive AB |
National Case Number/Name: | IMY-2022-9109 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | ec |
The DPA issued a reprimand against a controller for requiring data subjects to log in to their game to request erasure and if they could not log in, asking data subjects to provide the usernames of three friends and three opponents in the game, which was unnecessary and disproportionate.
English Summary
Facts
A data subject in France requested the erasure of their personal data in the game QuizDuel by MAG Interactive AB (“controller”), a mobile gaming company based in Sweden. The data subject logged into the game via their Facebook account.
The controller replied by requesting additional information from the data subject for identification purposes, even though the data subject had provided their Facebook ID and email addresses in their request for erasure. The controller explained that neither the Facebook ID nor the three email addresses the data subject provided in their erasure request resulted in any hits on a direct search in the controller’s system. The controller furthermore explained that the easiest way for the data subject to request erasure was to download the game again and request erasure within the game.
The data subject responded that they no longer have an account.
The controller then requested the following information to restore the data subject’s account and to enable the data subject to request the erasure of his personal data: (1) the username, (2) names of three friends, (3) names of three opponents and (4) an email address to link the account with.
The data subject replied and requested access to the information the controller had about them. The controller again informed the data subject it could not find the data subject’s account with the data subject’s Facebook ID and stated that the data subject could request access to personal data from within a game of the controller.
The data subject replied that they had played the game “QuizDuel” on Facebook and did not have an account with the controller and therefore could not request access from the account. The controller argued that the game never existed on Facebook but that the data subject may have logged in via Facebook in a mobile application. However, as this was the first time the data subject mentioned the game, the controller could use the game information to locate an account linked to one of the email addresses the data subject provided.
The data subject then received an email to confirm they wanted their account to be erased. The data subject replied and confirmed they owned the account and they wanted it erased. The controller then erased the account and informed the data subject of the erasure.
The data subject lodged a complaint against the controller at the French DPA. Given the cross-border nature of the processing, the Swedish DPA (“Integritetsskyddsmyndigheten”) made use of the cooperation and consistency mechanisms provided by the GDPR, as the controller was based in Sweden. The data subject asked for an investigation into whether the controller handled the data subject’s request for erasure correctly, whether the information that the controller requested was necessary to confirm the data subject’s identity and whether the controller sufficiently facilitated the exercise of the data subject’s rights in the GDPR.
The controller argued that it was difficult to locate the personal data of the data subject, as the account of the data subject was closed for a long time and neither the email address from which the request came nor the Facebook ID was linked to any account with the controller. Moreover, since Facebook changed the way Facebook ID works for privacy reasons, the number that the controller received from Facebook is only linked to the controller and not linked to an individual’s Facebook account.
The controller further argued that as the case turned into an access request, the controller asked that the request be made from within the data subject’s account for privacy reasons, as user data may contain chat logs. To protect the privacy of data subjects’ chat logs, accounts are password-protected with password recovery via a provided email address. The controller argued that it is difficult to take action on requests when data subjects have forgotten their login details and cannot recover their account via email. Therefore, the controller asked the data subject to re-install the game, so that information on the phone and operating system could help the data subject recover their account. When the data subject refused to do this, the controller asked, as a last resort and in order to verify the data subject’s identity, for additional information (see the 4 points above) that the data subject should know and should find easy to remember but that is difficult for others to know. The controller argued that the information it requests is also not personally identifiable information and is already in the controller’s register.
The controller also explained that it will soon release a new process to handle such requests in case of missing account information in an easier way by requesting less information from the data subject.
Holding
Firstly, regarding the information requested, the DPA assessed whether the controller had reasonable grounds to doubt the identity of the data subject. The DPA pointed out that under Article 12(6) GDPR additional information may be requested if the controller has reasonable grounds to doubt the identity of the natural person making the request. The DPA, in light of the controller’s argumentation, held that the controller had reasonable grounds to doubt the identity of the data subject. The DPA also took into account that the controller had an obligation to ensure the identity of the data subject making a request, to protect the data subject against someone else wrongly making requests in their name, leading to negative consequences for the data subject.
The DPA then continued and stated that even if the controller had reasonable grounds, it should carry out a proportionality assessment to justify the verification method used, so as not to unnecessarily collect more personal data. The DPA found that at the time of the data subject’s erasure request, the controller only processed an email address linked to the data subject, the advertising ID of the data subject’s phone and the data subject’s username and password. The DPA therefore held that an erroneous deletion of the said data would not result in any major disadvantages or consequences for the data subject, and that the requirements for identification could therefore be set relatively low. The DPA also stated that in the end, the controller was able to comply with the erasure request with only the email address linked to the user account. Thus, the DPA considered that asking for additional data in the form of the usernames of three friends and three opponents was neither necessary nor proportionate to confirm the identity of the data subject under Article 12(6) GDPR.
The DPA then examined whether requiring the data subject to log into their account and make their erasure request from within the game was compatible with Article 12(2) GDPR. The EDPB guidelines on right of access (01/2022) state that the controller may encourage the data subject to use a self-service tool, but that the controller must also deal with access requests that are not sent through the established communication channel. By requiring the data subject to log in to a game to send their requests, the controller did not facilitate the data subject’s exercise of their right to erasure.
The DPA therefore held that the controller was in breach of Article 12(2) GDPR.
The DPA found that the infringements were minor pursuant to Recital 148, because (1) the infringements found date back relatively far in time and (2) the controller did fully comply with the data subject’s request for erasure. Thus, the DPA issued a reprimand to the controller for breaching Article 12(2) GDPR and Article 12(6) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
MAG Interactive AB
Diary number: IMY-2022-9109
Date: 2023-05-22
Mailing address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Telephone: 08-657 61 00.
Decision after supervision according to Article 60 in the data protection regulation - MAG Interactive AB
The Privacy Protection Authority's decision
The Swedish Privacy Protection Authority notes that MAG Interactive AB (556804-3524), in handling the request for erasure made by the complainant on January 31, 2021, has processed personal data in violation of [1]:
- Article 12.6 of the Data Protection Regulation by requesting information in the form of usernames of three friends and three opponents in the game QuizDuel when this has not been necessary to confirm the complainant's identity, and
- Article 12.2 of the Data Protection Regulation by, after the complainant requested deletion by email, also requiring the complainant to log into the game in order to send their request from within the game, which has not facilitated the complainant exercising their right to erasure.
The Swedish Privacy Protection Authority gives MAG Interactive AB a reprimand according to article 58.2 b of the data protection regulation for the established violation.
[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data and on repeal of Directive 95/46/EC (General Data Protection Regulation).
Account of the supervisory matter
Handling
The Swedish Privacy Protection Authority (IMY) has started supervision of MAG Interactive AB (the company) due to a complaint, mainly to investigate whether the company has received and handled the complainant's request for deletion in a correct manner, i.a. whether the company had reasonable grounds to doubt the identity of the complainant and, in such cases, whether the information requested from the complainant has been necessary to confirm the complainant's identity and whether the company has facilitated the exercise of the complainant's rights to a sufficient extent (Articles 11, 12 and 17 of the Data Protection Regulation).
The complaint has been handed over to IMY, in its capacity as the responsible supervisory authority according to article 56 of the data protection regulation. The handover has taken place from the supervisory authority in the country where the complainant has filed his complaint (France) in accordance with the regulation's provisions on cooperation in cross-border processing.
The proceedings at IMY have taken place through an exchange of letters. Since the matter concerns cross-border processing, IMY has used the mechanisms for cooperation and uniformity found in Chapter VII of the Data Protection Regulation. Affected supervisory authorities have been the data protection authorities of Denmark, France, Ireland, Norway, Poland, Germany and Austria.
The complaint
The complaint essentially states the following. On January 31, 2021, the complainant requested the deletion of his personal data in the game QuizDuel, a game the appellant used through his Facebook account. The company then requested additional information from the appellant for identification purposes despite the fact that the appellant in his request for deletion stated their Facebook ID and email addresses.
To the complaint the appellant has attached email correspondence between the appellant and the company, from which the following i.a. appears. On February 28, 2021, the company replied to the complainant that they do not have the ability to locate the complainant's account using the complainant's Facebook ID and that the appellant needs to open any of the MAG Interactive games to make a request. The complainant replied to this that he no longer has a MAG Interactive account. On 11 March 2021, the company i.a. requested the following information from the appellant for the purpose of restoring the complainant's account and thus enabling the complainant to request deletion of their personal data: username, names of three friends, names of three opponents and an email address to which he wants to connect the account.
What the company has stated
In statements from November 4 and 7, 2022, the company essentially stated the following.
Description of the course of events surrounding the handling of the complainant's request for deletion
On January 31, 2021, the complainant contacted one of the company's support email addresses and provided a Facebook ID and three email addresses and requested to be deleted. At this time, given the information support received, the company did not get any hits on a direct search in the company's system, neither on the Facebook ID nor on any of the specified email addresses. The company's support responded on February 1, 2021 with instructions for how the complainant can request deletion from the game. The appellant contacted support again on February 8, 2021 and said that he no longer has the game but wants to delete his data. On February 9, the company's support replied that the easiest way is to download the game again and request deletion from within the game.
On February 12, 2021, the appellant responded and announced that she instead wanted to know what information the company has about her. From this time the case was handled by the company as a request for access. On February 13, 2021, the company's support responded that the complainant can request access from the game. The complainant made contact again on 20 February 2021 and had problems using their Facebook account. The complainant asked again if the company can find his account with his Facebook ID.
On February 23, 2021, support replied that they did not find any account with the Facebook ID the complainant specified but that he should be able to start any of the company's games and request the personal data from within a game. On February 27, 2021, the complainant asked if the company had really tried to search for his Facebook ID. Support replied again on February 28, 2021 that they cannot find his account on the Facebook ID she entered, but that she should be able to start any of their games and request access from within the game.
On March 4, 2021, the appellant responded that he played "QuizDuel" on Facebook and does not have an account with MAG Interactive. She cannot therefore request access from there. This was probably a misunderstanding, as the game was never on Facebook, but he may originally have logged in via a Facebook button, which was possible several years ago. It was the first time the appellant mentioned which game it concerned, which made it much easier to look for the data.
On March 11, 2021, support replied that they cannot find the complainant's account through his Facebook ID but that they will try to help him get into his account so that he can request access or delete their account. Support had then probably managed to locate an account linked to one of the complainant's provided email addresses using the information about the game. Support then sent the standard questions the company asks when they are supposed to help users log into their account if they have forgotten their credentials. The complainant never responded to that email and when enough time had passed the company closed the case.
On October 30, 2022, after the company's CTO received the case, the CTO located an account that could be connected to the complainant and emailed the complainant for confirmation that the account should be deleted. On November 6, 2022, the appellant responded and confirmed that he owns the account and that the account should be deleted. On November 7, 2022, the complainant's account was deleted and the complainant was informed about it.
The company's processing of the complainant's personal data at the time of the complainant's request
At the time of the complainant's request for deletion, the company was processing an email address which is linked to the complainant and probably the advertisingId/vendorId from their phone, the complainant's username and password. Otherwise, the company did not process any other personal data of the complainant, as any chat history and IP number were deleted long ago due to the company's retention policy.
Why the company claims to have had reasonable grounds to doubt the identity of the complainant
The complainant provided in his deletion request a Facebook ID and three email addresses and wrote that he used one of the company's apps on Facebook. The company's games are played not on Facebook but on mobile phones, and he did not specify any surrounding information such as username, which game it was or even that it was a game. The game which the appellant, according to later information, had played is so old that there were no hits on the other email addresses either. Because the game to which the complainant's user account was linked has also long been closed, it is difficult to find with an email address alone.
Email addresses are public and providing an email address is therefore not proof of ownership. The email address that the request came from was also not linked to any account with the company and neither was the Facebook ID entered. Regarding the other two email addresses, there was no proof that they are the complainant's email addresses.
The Facebook ID the complainant provided is not registered with the company. Facebook stopped using global user numbers many years ago for privacy reasons. In the company's service that was shut down many years ago, where you could log in via your Facebook account, the company does not see the same number as the complainant indicates. The customer number the company received from Facebook is only connected to the company and cannot be linked by the company to a person's Facebook account.
Given the knowledge of which game it was about, which the company eventually got, the company had managed to find the account to which one email address was linked. The company would then have been able to send an email to that email address in order to confirm the complainant's identity. This, however, played no role in this case, since the case was changed on 13 February 2021 to an access request.
How the complainant would go about requesting erasure and subsequent access
Support initially suggested that the complainant request deletion directly from the game because it is the easiest and safest way. It is normal for users to still have the game on the phone. In addition, on a reinstallation the company's game helps the user get back to the correct account. When support has difficulty finding an account with the user's data it is therefore reasonable that they suggest a reinstallation to get to the right account. Support can also delete information directly if ownership of the information can be substantiated.
In the current case, the case turned into a request for access, and then the company normally wants the user to be logged into their account. The company has stated that, just as for requests for deletion, proof of ownership of the account is required to request access, for privacy reasons and in accordance with the data protection regulation. Since user data may contain chat logs, the handling of access requests is a little more strict than the handling of a request for deletion of user data. The company therefore requires that the request be made from within the player's account.
Information that has been requested for the purpose of confirming identity
The game the appellant had played was a game with user accounts. Games with user accounts often have chats for players to talk to each other. For privacy reasons, it is important that nobody can read anyone else's chats. The accounts are therefore password protected. Users can enter an email address for password reset, but not all users do so, or they have changed their email address.
One issue all online services grapple with is how to handle the cases where users have forgotten the login details and it is not possible to restore the account via email. Some use security questions, where users are allowed to fill in the name of their first pet or similar. In the company's case, it is a bit more complicated, as partly the company does not want to ask the users for more information than absolutely necessary, and partly the game that the current case concerns has a user base built up since 2012 with 100 million users who have not entered any such information. When users have forgotten the login details and the account cannot be restored via email, the company resolves it in that the games make use of information on the phone and the operating system to help users back to the account, which is why support sometimes asks users to install the game, which also appears to have been done by support in this case. When that doesn't work or, as in this case, when the user doesn't want to, support asks as a last resort for information the player should know, which should be easy for a user to remember but difficult for others to know. This information is requested so that the company can ensure that it is the account holder to whom they grant access to the account.
The information that support requests in such cases is as follows:
- The registrant's username. A piece of information that is assumed to be easy for most people to provide. However, it is also information that is relatively easy for others to figure out.
- Usernames of three of the registrant's in-game friends. Most people who play this game have some friends they have played with for years. This information should also be easy to provide.
- Usernames of three of the registrant's opponents in the game. This information is often a bit more difficult to provide, but for users who mostly play against random players and do not add friends it is required information.
Support also asked which email address the user wanted to link the account to. This is so that the complainant can log in and request their user data from within the game.
The information must normally be provided by email in the ongoing support dialogue. It is not a requirement that one is right on all questions, but an assessment is made based on how right/wrong the answer is. The company also does not ask for personally identifiable information but only for usernames, which are normally anonymous/pseudonymous and which can already be found in the company's register. The only data that is personally identifiable information is the email address the user wants to connect to the account. If the user can answer so well that the company deems that the user actually owns the account, support sets the email address for recovery. The user can then set a new password and log in.
The company is continuously working on improving its support tools and will soon release a new version where this particular scenario can be handled and which should make it easier for support to find users even with very limited information.
Support has instructions to delete the user's account directly if the email address on the account matches the user's email address and otherwise to help the user delete the account through the game. In this case, one can think of a third solution: that the company sends out an email with a link to the email address linked to the account and that the user confirms deletion via the link to verify their identity. The company intends to add such an option.
The complainant's account has been deleted
The appellant's request for erasure has now been granted. The company emailed the complainant on 30 October 2022 both at the email address he used in the support matter and at the email address they found when searching. The company's CTO asked the appellant to reply from that email address. An answer was received from the appellant on November 6, 2022 with a confirmation that the appellant owns the account. The company's CTO subsequently deleted the complainant's account and informed the complainant of this.
Justification of the decision
Applicable regulations, etc.
According to Article 17.1, the data subject shall have the right to have their personal data deleted by the personal data controller without undue delay, and the personal data controller shall be obliged to delete personal data without undue delay if any of the prerequisites listed in the article exist, for example if the data are no longer necessary for the purposes for which they have been collected or consent to the processing is withdrawn.
Article 11.1 states that if the purposes for which the personal data controller processes personal data do not require or no longer require that the data subject is identified by the personal data controller, the personal data controller shall not be required to retain, acquire or process additional information in order to identify the data subject only for the purpose of complying with this regulation.
According to Article 11.2, if the personal data controller, in the cases referred to in paragraph 1 of this article, can show that he is not in a position to identify it registered, the person in charge of personal data shall, if possible, inform the registered about this. In such cases, Articles 15–20 shall not apply, except when the registered for exercise of its rights in accordance with these Articles provides further information that makes identification possible. Article 12.6 states that, without prejudice to the application of Article 11, it may personal data controller, if he has reasonable grounds to doubt its identity natural person who submits a request under Articles 15-21, request that additional information necessary to confirm the identity of the data subject is provided. According to Article 12.2, the personal data controller must facilitate its exercise data subject's rights in accordance with Articles 15–22. In the cases referred to in article 11.2 the personal data controller may not refuse to accommodate the data subject the request to exercise its rights under Articles 15-22, unless it personal data controller shows that he or she is not in a position to identify it registered. 2 In the European Data Protection Board's (EDPB) Guidelines 01/2022 on access is stated among other following. 53. The European Data Protection Board calls on the data controllers to provide the most appropriate and user-friendly communication channels, in accordance with articles 12.2 and 25 of the data protection regulation, so that it Data subjects can make an effective request. If the data subject makes a request using a communication channel provided by it personal data controller, which is different from the one indicated as the one who is preferred, such request shall generally be deemed effective and it the personal data controller should process such a request accordingly (see examples below). 
The personal data controllers should take all reasonable steps to ensure that the exercise of data subjects' rights is facilitated (if the data subject, for example, sends a request to an employee who is on leave, an automatic notification to the data subject of an alternative communication channel for the request could be a reasonable effort). [3]
[…]
67. In cases where the personal data controller requests or receives from the data subject additional information necessary to confirm the identity of the data subject, the personal data controller must each time assess which information will enable it to confirm the identity of the data subject and possibly ask the requesting person additional questions or request that the data subject provide additional identification data, if it is proportionate (see section 3.3). [4]
68. To allow the data subject to provide the additional information required to identify his or her personal data, the personal data controller shall inform the data subject of the type of additional information required to enable identification. Such additional information should not be more than the information originally needed for the authentication of the data subject. In general, the fact that the controller may request additional information to assess the identity of the data subject cannot lead to excessive demands and to the collection of personal data that is not relevant or necessary to strengthen the connection between the individual and the personal data requested. [5]
[…]
70. If the personal data controller has reasonable grounds to doubt the requesting person's identity, it may, as stated above, request additional information to confirm the identity of the data subject. However, the personal data controller must at the same time ensure that it does not collect more personal data than is necessary to enable authentication of the requesting person. Therefore, the personal data controller should make a proportionality assessment, which must take into consideration the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context in which the request is made, as well as any damage that may occur as a result of improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an appropriate level of security during processing. [6]
[2] EDPB, Guidelines 01/2022 on data subject rights – Right of access, Version 2.0 (EDPB's Guidelines 01/2022 on the right to access), finally adopted on 28 March 2023.
[3] IMY's translation, original: The EDPB encourages controllers to provide the most appropriate and user-friendly communication channels, in line with Art. 12(2) and Art. 25 GDPR, to enable the data subject to make an effective request. Nevertheless, if a data subject makes a request using a communication channel provided by the controller, which is different from the one indicated as the preferable one, such request shall be, in general, considered effective and the controller should handle such a request accordingly (see the examples below). The controllers should undertake all reasonable efforts to make sure that the exercise of data subject rights is facilitated (for example, when a data subject sends an access request to an employee who is on leave, an automatic message informing the data subject about an alternative communication channel for this request could be a reasonable effort).
[4] IMY's translation, original: In cases where the controller requests or is provided by the data subject with additional information necessary to confirm the identity of the data subject, the controller shall, each time, assess what information will allow it to confirm the data subject's identity and possibly ask additional questions to the requester person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3).
[5] IMY's translation, original: In order to allow the data subject to provide the additional information required to identify his or her data, the controller should inform the data subject of the nature of the additional information required to allow identification. Such additional information should not be more than the information initially needed for the authentication of the data subject. In general, the fact that the controller may request additional information to assess the data subject's identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data requested.
[6] IMY's translation, original: As indicated above, if the controller has reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm the data subject's identity. However, the controller must at the same time ensure that it does not collect more personal data than is necessary to enable authentication of the requesting person. Therefore, the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security.
[…]
138. The use of self-service tools should never limit the scope of personal data received. If it is not possible to provide all information according to Article 15 through the self-service tool, the remaining information must be provided in another way. The controller may encourage the data subject to use a self-service tool that the data controller has set up to handle requests for access. However, it should be noted that the personal data controller must also handle access requests that are not sent through the established communication channel. [7]
The Swedish Privacy Authority's assessment
Based on the current complaint in the case, IMY has reviewed the company's action in this individual case.
Has the company been able to identify the complainant?
The company has stated that, based on the information in the complainant's request for deletion on 31 January 2021, the company was unable to identify the data subject. The information provided by the appellant in the request did not, according to the company's information, yield any hits in a direct search of the company's system, neither on the Facebook ID nor on any of the email addresses provided by the complainant. The company's statement further says that when the company, on March 4, 2021, received information about which game the complainant's request referred to, it could find an account with which one of the email addresses provided by the complainant was associated. Against this background, IMY notes that the company could, at least on March 4, 2021, connect the appellant's request to a user account, and identification of the appellant was thereby possible.
IMY therefore assesses that the appellant, in accordance with what is prescribed in Article 11.2 of the data protection regulation, provided such additional information as makes identification possible. The company has thus not shown that it was unable to identify the data subject, and therefore could not refuse to act on the data subject's request to exercise their rights under Article 12.2 of the data protection regulation.
[7] IMY's translation, original: The use of self-service tools should never limit the scope of personal data received. If not possible to give all the information under Art. 15 through the self-service tool, the remaining information needs to be provided in a different manner. The controller may indeed encourage the data subject to use a self-service tool that the controller has set in place for handling access requests. However, it should be noted that the controller must also handle access requests that are not sent through the established channel of communication.
Has the company acted in accordance with Article 12.6 of the data protection regulation when the company requested the information in question from the complainant?
Has the company had reasonable grounds to doubt the identity of the complainant?
It is only when the personal data controller has reasonable grounds to doubt the identity of the person who made the request that additional information to confirm the identity may be requested. What constitutes "reasonable grounds" in Article 12.6 of the Data Protection Regulation should be assessed based on the circumstances of the individual case. The assessment of whether there are reasonable grounds in an individual case to doubt the identity of the person making the request is normally made in light of the information provided in connection with the request. This applies especially in situations where the personal data controller lacks further knowledge about this person. However, the fact that an individual assessment is required does not preclude that routines are established for how the personal data controller normally verifies the data subject's identity.
From the appendix to the complaint, it appears that the complainant provided the following information when he requested deletion on January 31, 2021: Facebook ID and three email addresses and one email address from which the email with the request was sent. The company has stated that at the time of the complainant's request for deletion it processed an email address associated with the complainant and probably also advertisingId/vendorId from the complainant's phone, the complainant's username and password.
The company has been given the opportunity to justify the individual assessment it made based on the appellant's situation if it considered that it had reasonable grounds to doubt the appellant's identity when he made his request. The company has essentially stated the following. The company's games are not played on Facebook but on mobile phones, which is why the Facebook ID did not contribute to the verification of the appellant's identity. Email addresses are public and stating one is no evidence of ownership. Neither the email address the request came from nor the Facebook ID that was specified was linked to any account with the company. The appellant did not provide any surrounding information, such as username, which game it applies to or even that it is a game. The game that the appellant, according to later information, had played was so old that the company did not get any hits on the other email addresses provided in the request either.
Using the information the company received on 4 March 2021 from the complainant about the game in question, the company found a user account linked to one of the email addresses provided by the complainant.
In light of what the company stated and the information the complainant provided in his request for deletion, IMY finds that the company had reasonable grounds to doubt the identity of the appellant. In the assessment, IMY also considers the fact that the obligation to ensure the identity of the person making the request also aims to protect data subjects against someone else falsely making requests on their behalf, which may lead to negative consequences for the data subject.
Has the information the company requested from the complainant been necessary to confirm his identity?
Even if the personal data controller has reasonable grounds to doubt the identity of the data subject, the personal data controller shall not collect more personal data than is necessary to enable identification of the requesting data subject. The personal data controller must carry out a proportionality assessment and be able to justify the verification method used.
The company has stated that the request was changed to an access request on March 4, 2021 and the company then demanded that the request be made from within the player's account. Since user data may contain chat logs, the handling of a request for access is a little stricter than the handling of a request for the deletion of user data, the company has stated.
Regarding the necessity of the information it requested from the complainant in order to confirm his identity, the company has essentially stated the following. The username is requested as this information is assumed to be easy for most people to provide. It is, however, information that is relatively easy for others to figure out. The usernames of three friends in the game are requested as most people who play this game have some friends they have played with for years.
That information should therefore be easy to provide. The usernames of three opponents in the game are more difficult to provide, but for people who mostly play against random players and do not add friends it is necessary information to request. It is not a requirement that the requester gets all questions right; rather, a judgment is made based on how right or wrong the answers are.
IMY notes that, from the material the company has submitted, consisting of email correspondence between the appellant and the company, it appears that the appellant has not waived his request for erasure. From the email correspondence, especially the email sent by the MAG Support Team on March 11, 2021, it is further apparent that the information in question was requested by the company in order for the complainant to gain access to the account for the purpose of requesting deletion. The company's claim that the complainant's request for deletion had been changed to instead refer to a request for access, and that it requested the data intended to identify the appellant only in the event of a request for access, can therefore be disregarded. The company has indeed requested more information from the appellant in order to confirm the appellant's identity, but IMY assesses that it is clear that it is still a request for erasure that the appellant wants to be accommodated. It also appears that the company has requested the relevant information in connection with the complainant's request for erasure.
Regarding the information requested by the company from the complainant, IMY states the following. The EDPB's guidelines on the right of access state, among other things, that the personal data controller must, in the proportionality assessment, take into account the type of personal data processed (e.g. special categories of data or not), the nature of the request, the context in which the request is made and any damage that may arise as a result of improper disclosure.
At the time of the appellant's request, the company only processed an email address linked to the complainant as well as advertisingId/vendorId from their phone, the complainant's username and password. According to IMY, incorrect deletion of said data would not involve any major disadvantages or consequences for the appellant. The requirements for identification could therefore be set relatively low. It has also been shown that correct answers to all questions were not required and that the complainant's identity could later be confirmed by another identification method that required significantly less data. Confirmation that it is the complainant's user account, sent from the email address linked to the user account, was deemed sufficient to confirm the appellant's identity and accommodate the request on November 7, 2022.
IMY therefore assesses, taking into account the nature of the request, the type of personal data that was processed and the identification method that was later used, that the data in the form of usernames of three friends and three opponents cannot be considered to have been either necessary or proportionate to confirm the identity of the complainant in accordance with Article 12.6 of the data protection regulation.
Has the company made it easier for the complainant to exercise his right to erasure according to Article 12.2 of the data protection regulation?
The next question is whether it has been consistent with Article 12.2 of the Data Protection Regulation to require the complainant to log into his account and make his request from within the game.
The company has essentially stated the following. If the user can answer so well that the company assesses that the user owns the account, the support sets the email address for recovery. The player can then set a new password and log in.
Because the matter in the current case had turned into a request for access, the company normally wants the user to be logged in to their account to exercise their request.
As IMY noted in the section above, it is clear from the documentation submitted by the company that the appellant has not waived his request for deletion and that the company has requested the relevant information in order for the complainant to access the account for the purpose of requesting deletion from within the game. The EDPB's guidelines on access state, among other things, that the personal data controller can encourage the data subject to use a self-service tool but that data controllers also have to deal with requests for access that are not sent via the established communication channel. By demanding that the appellant, whose request for deletion had been received by the company, must, after answering questions whose purpose was to confirm his identity, log into a game in order to send his request from within the game, the company has not made it easier for the complainant to exercise his right to deletion. IMY thereby assesses that the company acted in violation of Article 12.2 of the data protection regulation.
Has the complainant's request for erasure pursuant to Article 17 of the Data Protection Regulation been accommodated?
The complaint states that the complainant requested deletion on January 31, 2021 and that the request had not been satisfied at the time of the complaint. The company has stated that on 7 November 2022, after email correspondence with the complainant on 30 October and November 6, 2022, it deleted the complainant's data and that the complainant has been informed of this. Since the appellant's request for erasure has now been granted, there is no reason to investigate the matter further in that part.
Choice of intervention
From Articles 58.2 i and 83.2 of the data protection regulation, it appears that IMY has the authority to impose administrative penalty fees in accordance with Article 83. Depending on the circumstances of the individual case, administrative penalty fees must be imposed in addition to or instead of the other measures referred to in Article 58.2, such as injunctions and prohibitions. Furthermore, Article 83.2 states which factors must be taken into account when deciding whether administrative penalty fees are to be imposed and when determining the size of the fee. If it is a question of a minor violation, IMY may, as set out in recital 148, instead of imposing a penalty fee, issue a reprimand according to Article 58.2 b. Consideration must be given to aggravating and mitigating circumstances of the case, such as the nature, severity and duration of the infringement as well as previous violations of relevance.
IMY notes the following relevant circumstances. The current supervision concerns MAG Interactive AB's handling of an individual complainant's request for deletion, and the violations found are relatively far back in time (2021). MAG Interactive AB has now also satisfied the complainant's request for deletion in full. Against this background, IMY finds that it is a question of such minor violations in the sense referred to in recital 148, which means that MAG Interactive AB must be given a reprimand according to Article 58.2 b of the data protection regulation for the violations found.
________________________________________________
This decision has been taken by the special decision maker, lawyer Evelin Palmér, after presentation by the lawyer Anna Mlynska.
Evelin Palmér, 2023-05-22 (This is an electronic signature)
How to appeal
If you want to appeal the decision, you must write to IMY.
State in the letter which decision you are appealing and the change you request. The appeal must have been received by IMY no later than three weeks from the day you received the decision. If the appeal has been received in due time, IMY forwards it to the Administrative Court in Stockholm for consideration.
You can e-mail the appeal to IMY if it does not contain any privacy-sensitive personal data or information that may be subject to confidentiality. The authority's contact details appear on the first page of the decision.