DPC (Ireland) - Groupon Ireland Operations Limited: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Ireland |DPA-BG-Color=background-color:#013d35; |DPAlogo=LogoIE.png |DPA_Abbrevation=DPC |DPA_With_Country=DPC (Ireland) |Case_Number_Name=Groupon Ireland Operations Limited |ECLI= |Original_Source_Name_1=DPC |Original_Source_Link_1=https://www.dataprotection.ie/sites/default/files/uploads/2024-06/Final-Decision-Groupon-International-Limited-March-2024-EN_0.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Ori...") |
mNo edit summary |
||
Line 78: | Line 78: | ||
On 11 June 2018, a data subject made an access request and an erasure request to Groupon (the controller) via email. The controller directed the data subject to its online portal, which required the complainant to upload a photo of their ID to verify their identity. | On 11 June 2018, a data subject made an access request and an erasure request to Groupon (the controller) via email. The controller directed the data subject to its online portal, which required the complainant to upload a photo of their ID to verify their identity. | ||
The data subject considered this an obstacle to exercising their GDPR rights and submitted a complaint to the Baden-Württemberg DPA on 19 June 2018. | The data subject considered this an obstacle to exercising their GDPR rights and submitted a complaint to the [https://www.landtag-bw.de/home.html Baden-Württemberg DPA] on 19 June 2018. The BW DPA transferred it to the Irish Data Protection Commission (DPC), which it considered to be the leading supervisory authority in this case. | ||
The controller subsequently facilitated the complainant’s requests without requiring verification of identity. Still, the data subject was concerned that their data had not been fully deleted. | The controller subsequently facilitated the complainant’s requests without requiring verification of identity. Still, the data subject was concerned that their data had not been fully deleted. | ||
The DPC considered two main issues: | The DPC considered two main issues: | ||
# Was the controller’s request for ID to verify the data subject’s identity compliant with the GDPR? | |||
# Did the controller appropriately demonstrate that the complainant’s personal data was fully deleted in response to the erasure request? | |||
=== Holding === | === Holding === | ||
The DPC found that the controller infringed Articles 5(1)(c), 6(1), 12(2), 15(1) and (3) and 17(1) GDPR with regard to its request for ID to verify the data subject’s identity. It issued a reprimand with no monetary penalty. | The DPC found that the controller infringed [[Article 5 GDPR#1c|Articles 5(1)(c]]), [[Article 6 GDPR#1|6(1)]],[[Article 12 GDPR#2|12(2]]), [[Article 15 GDPR#1|15(1)]] and [[Article 15 GDPR#3|(3)]] and [[Article 17 GDPR#1|17(1) GDPR]] with regard to its request for an ID to verify the data subject’s identity. It issued a reprimand with no monetary penalty. | ||
The DPC found that the controller infringed [[Article 12 GDPR#2|Article 12(2) GDPR]] when it requested additional information as to the data subject’s identity. Under [[Article 12 GDPR#6|Article 12(6) GDPR]], a controller may only request additional information where it has reasonable doubts concerning the identity of a person making the request. The controller did not demonstrate such doubts here. | The DPC found that the controller infringed [[Article 12 GDPR#2|Article 12(2) GDPR]] when it requested additional information as to the data subject’s identity. Under [[Article 12 GDPR#6|Article 12(6) GDPR]], a controller may only request additional information where it has reasonable doubts concerning the identity of a person making the request. The controller did not demonstrate such doubts here. | ||
Line 93: | Line 94: | ||
Furthermore, requiring the complainant to provide a copy of their ID to verify their identity for access and erasure requests was a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. Data minimisation obligations require any requests for additional information to be necessary, proportionate and consistent. In this case, no such verification was required to initially open an account; thus, the controller would have been unable to cross-check the identities claimed. In additional, the controller could have used a less-data driven means to verify the data subject’s identity. Indeed, in October 2018, the controller amended its procedures and to no longer require photo ID in these circumstances. | Furthermore, requiring the complainant to provide a copy of their ID to verify their identity for access and erasure requests was a violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. Data minimisation obligations require any requests for additional information to be necessary, proportionate and consistent. In this case, no such verification was required to initially open an account; thus, the controller would have been unable to cross-check the identities claimed. In additional, the controller could have used a less-data driven means to verify the data subject’s identity. Indeed, in October 2018, the controller amended its procedures and to no longer require photo ID in these circumstances. | ||
In addition, the controller violated Articles 15(1) and (3) as well as 17(1) GDPR by failing to comply with the data subject’s initial access or erasure requests when initially made without a lawful basis for not complying. | In addition, the controller violated [[Article 15 GDPR#1|Articles 15(1)]] and [[Article 15 GDPR#3|(3)]] as well as [[Article 17 GDPR#1|17(1) GDPR]] by failing to comply with the data subject’s initial access or erasure requests when initially made without a lawful basis for not complying. | ||
The DPC also determined that the controller infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by continuing to process the complainant’s personal data following receipt of their initial request for erasure. | The DPC also determined that the controller infringed [[Article 6 GDPR#1|Article 6(1) GDPR]] by continuing to process the complainant’s personal data following receipt of their initial request for erasure. | ||
Finally, the DPC found no infringement concerning whether | Finally, the DPC found no infringement concerning whether the controller had appropriated demonstrated that the data subject’s personal data was fully deleted. | ||
The DPC issued a reprimand with no monetary penalty. In doing so, it considered that the controller no longer required photographic ID to verify a data subject’s identity for the purpose of exercising rights under the GDPR. | The DPC issued a reprimand with no monetary penalty. In doing so, it considered that the controller no longer required photographic ID to verify a data subject’s identity for the purpose of exercising rights under the GDPR. |
Revision as of 15:17, 18 June 2024
DPC - Groupon Ireland Operations Limited | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1) GDPR Article 12(2) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 17(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 19.06.2018 |
Decided: | 08.03.2024 |
Published: | |
Fine: | n/a |
Parties: | Groupon Ireland |
National Case Number/Name: | Groupon Ireland Operations Limited |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | English |
Original Source: | DPC (in EN) |
Initial Contributor: | lm |
The DPA found that Groupon lacked a legal basis for requiring a data subject’s ID in order to fulfill access and erasure requests, and thus violated data minimisation obligations in requesting the ID.
English Summary
Facts
On 11 June 2018, a data subject made an access request and an erasure request to Groupon (the controller) via email. The controller directed the data subject to its online portal, which required the complainant to upload a photo of their ID to verify their identity.
The data subject considered this an obstacle to exercising their GDPR rights and submitted a complaint to the Baden-Württemberg DPA on 19 June 2018. The BW DPA transferred it to the Irish Data Protection Commission (DPC), which it considered to be the leading supervisory authority in this case.
The controller subsequently facilitated the complainant’s requests without requiring verification of identity. Still, the data subject was concerned that their data had not been fully deleted.
The DPC considered two main issues:
- Was the controller’s request for ID to verify the data subject’s identity compliant with the GDPR?
- Did the controller appropriately demonstrate that the complainant’s personal data was fully deleted in response to the erasure request?
Holding
The DPC found that the controller infringed Articles 5(1)(c), 6(1),12(2), 15(1) and (3) and 17(1) GDPR with regard to its request for an ID to verify the data subject’s identity. It issued a reprimand with no monetary penalty.
The DPC found that the controller infringed Article 12(2) GDPR when it requested additional information as to the data subject’s identity. Under Article 12(6) GDPR, a controller may only request additional information where it has reasonable doubts concerning the identity of a person making the request. The controller did not demonstrate such doubts here.
Furthermore, requiring the complainant to provide a copy of their ID to verify their identity for access and erasure requests was a violation of Article 5(1)(c) GDPR. Data minimisation obligations require any requests for additional information to be necessary, proportionate and consistent. In this case, no such verification was required to initially open an account; thus, the controller would have been unable to cross-check the identities claimed. In additional, the controller could have used a less-data driven means to verify the data subject’s identity. Indeed, in October 2018, the controller amended its procedures and to no longer require photo ID in these circumstances.
In addition, the controller violated Articles 15(1) and (3) as well as 17(1) GDPR by failing to comply with the data subject’s initial access or erasure requests when initially made without a lawful basis for not complying.
The DPC also determined that the controller infringed Article 6(1) GDPR by continuing to process the complainant’s personal data following receipt of their initial request for erasure.
Finally, the DPC found no infringement concerning whether the controller had appropriated demonstrated that the data subject’s personal data was fully deleted.
The DPC issued a reprimand with no monetary penalty. In doing so, it considered that the controller no longer required photographic ID to verify a data subject’s identity for the purpose of exercising rights under the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DPC Complaint Ref: IMI Ref: Complaint Received From: Baden-Wurttemburg DPA Date Of Decision: 8 March 2024 Complainant: Data Controller: Groupon International Limited Re: v Groupon International Limited DECISION This is a Decision of the Data Protection Commission of Ireland (“DPC”) in relation to DPC complaint reference, (hereinafter referred to as the “Complaint”), submitted by (“Complainant”) against Groupon International Limited (“Groupon”) to the Baden-Wurttemburg Data Protection Authority (“BW DPA”). As the subject matter of the Complaint was determined to be cross-border in nature, the Complaint was subsequently transferred to the DPC, as the Lead Supervisory Authority (“LSA”) for Groupon. This Decision is made pursuant to the powers conferred on the DPC by section 113(2)(a) of the Data Protection Act 2018 (“Act”) and Article 60 of the General Data Protection Regulation (“GDPR”). Communication of Draft Decision to “supervisory authorities concerned” In accordance with Article 60(3) GDPR, the DPC is obliged to communicate the relevant information and submit a draft decision, in relation to a complaint regarding cross border processing, to the supervisory authorities concerned for their opinion and to take due account of their views. In accordance with its obligation, the DPC transmitted a Draft Decision in relation to the matter to the “supervisory authorities concerned”. As Groupon offers services across the 1EU, and therefore the processing is likely to substantially affect data subjects in every EU member state, the DPC in its role as lead supervisory authority identified that each supervisory authority is a supervisory authority concerned as defined in Article 4(22) of the GDPR. On this basis, the Draft Decision of the DPC in relation to the Complaint was transmitted to each supervisory authority in the EU and EEA for their opinion. Background to the Complaint 1. On 11 June 2018, the Complainant contacted Groupon by email requesting access to their personal data and the subsequent erasure of those personal data. The Complainant sent this email to a number of different channels within Groupon. The Complainant also telephoned Groupon on 13 and 14 June 2018 in relation to their access and erasure requests. 2. In response, the Complainant was directed to submit their requests via Groupon’s online portal, which required the Complainant to upload a copy of an ID document in order to verify their identity. 3. The Complainant considered this requirement to be excessive and an obstacle to the exercise of their rights. The Complainant also noted that no such requirements were in place in order to register or create an account with Groupon. Accordingly, on 19 June 2018, the Complainant submitted a Complaint to the BW DPA. The Complaint at this point was solely in relation to the Complainant’s concerns about being asked to upload a copy of an ID document. In the circumstances where the DPC was deemed to be the competent authority for the purpose of Article 56(1) GDPR, the BW DPA subsequently transferred the Complaint to the DPC. Complaint Handling and Investigation by the DPC 4. On 1 February 2019, the DPC wrote to Groupon formally commencing its investigation and requesting that Groupon address the concerns raised. 5. In response, Groupon explained that it had since changed its verification requirements in October 2018 so that photo ID is no longer required, and that it now authenticates data subject rights requests on the basis of the associated email address in order to ensure the request is valid in accordance with GDPR requirements. Groupon invited the Complainant to submit another request which Groupon would process in accordance with this new system. 26. The Complainant subsequently submitted a new access and erasure request on 17 April 2019 both via email and via Groupon’s portal. In response to the erasure request, Groupon advised the Complainant as follows: “After the deletion of your personal information, we will only store your personal information when it is necessary to continue to operate our business effectively, including your transactions for financial reporting or fraud prevention purposes until they are no longer necessary to comply with our legal obligations, settle disputes and enforce our agreements. If you have previously purchased through Groupon, the data may include your customer number, name, e-mail address, billing address, delivery address, payment details, purchased items, and invoice amount. These data are stored on a completely separate system and used only for ongoing fraud prevention purposes. The data stored on this system is kept for a strictly limited period of time (two years) and then deleted. In particular, for purposes of fraud prevention, we store information about transactions made through Groupon to ensure that your account has not been exposed to fraud. It is also in the customer's interest that we can analyze traffic patterns on our platform to prevent fraudulent activity. In accordance with Article 21 GDPR, we have a reasonable and legitimate interest in the fight against fraud in order to retain personal data for this strictly limited purpose.” 7. The access request was completed by Groupon on 10 May 2019. Groupon availed of the two month extension provided by Article 12(3) GDPR in order to complete the erasure request. The erasure request was completed on 5 June 2019. The Complainant received confirmation of the completion of the erasure request on 11 June 2019. In that confirmation, Groupon stated as follows: “Hello, Regarding your request to deletion TYIQZV from 04/17/2019, we hereby inform you that we have deleted all personal data concerning the e-mail address [Complainant’s email address], subject to the following legal requirements: 3 - The storage of personal data in our systems is necessary for us to fulfil our legal obligations (e.g. personal data in invoices for financial reporting purposes). - The storage of personal data is necessary for us to establish, assert and/or defend legal claims. - The storage of personal data in our systems is necessary for the limited purpose of ongoing fraud prevention. This personal information is stored in a separate system that is accessible for limited purposes only. In the confidence that this response will fulfil your request, we will consider it closed. If you require further information, you can submit a new request via the Groupon Privacy Portal. Thank you, Groupon Privacy Team” 8. In response to this confirmation notification, the Complainant wrote to Groupon again asking for confirmation as to whether all their personal data had been deleted completely. In the event that this was not the case, the Complainant asked for further information about the data retained, and about where, how long and by whom the data are stored: “Hello Groupon Privacy Team, From your message/reply I can not clearly see whether all pesonal data concerning my e-mail address [Complainant’s email address] have been deleted completely. Therefore the question: Have all my personal data been deleted completely? Yes or no? If the answer to my question is "no", I would like to know: - Which data are concerned? - Who stores and/or processes this data? - Where is this data stored? (Which location? Which country?) - How long is this data stored? (Please specify the exact date on which the final deletion will take place.) - I would like to get a precise explanation for this. 4 Kind regards,” 9. A copy of the Complainant’s correspondence above was forwarded to the DPC for further investigation, and the DPC duly followed up with Groupon in relation to the concerns raised and requested that Groupon identify to the Complainant the specific information it had retained. In response, Groupon stated as follows: “…we are unfortunately not in a position to advise the data subject the precise information that has been retained in relation to his account. Our policy is not to disclose data that we retain for fraud prevention purposes, and to give priority to preventing fraud in order to protect our business and the best interests all of our customers. We have already advised the data subject of the data that we may retain for the purposes of fraud prevention. This is in accordance with our policy and relevant GDPR requirements. I confirm that the information is retained as per policy in its original form.” At this point, the DPC noted that the unspecified personal data that Groupon continued to retain about the Complainant was for the purposes of fraud prevention (“retained data”) and that, as set out in Groupon’s response to the erasure request of 17 April 2019 (see paragraph 6 above), these data would be retained for a period of 2 years. 10.The DPC provided Groupon’s response above to the Complainant for their views. The Complainant was not satisfied with the response and queried whether the retained data had been or would be transferred to any third parties prior to its deletion, where any such third parties are located, and the appropriate measures applied by Groupon to any transfers of the retained data to third countries. The Complainant also noted that the last transaction they had carried out with Groupon was almost three years ago, and wanted to know the exact date on which the retained data would be deleted. 11.Groupon provided a substantive response addressing the Complainant’s queries in relation to third party transfers, which included a list of third parties to whom their data had been transferred and confirmation that each of those third parties had been informed of the Complainant’s erasure request. 512.In relation to the Complainant’s query about the exact date their data would be deleted, Groupon stated that it was not possible to provide a specific date and nor was it possible to inform customers as to when their data has been deleted. The Complainant was dissatisfied at this response, stating that “I cannot discern when the two years indicated by Groupon will have expired and how I can/will then find out that my data has indeed been irrevocably deleted”. 13.The DPC subsequently put the Complainant’s outstanding concerns to Groupon. In response, Groupon stated as follows: “I confirm that [the Complainant’s] data was deleted from our systems, effective 30 August 2018, two years after the last transaction on his account. This was in accordance with our Records Retention Policy as advised in previous responses to this complaint. Please note that it is not our practice, nor indeed industry standard practice, to inform all customers when their data has been deleted in accordance with policy. We believe it is not a GDPR requirement to do so, while we endeavour at all times to provide information as necessary to comply with GDPR requirements and in the interests of transparency. 14.This response created some confusion for the Complainant, who noted that Groupon had previously provided them with confirmation following their deletion request (see paragraph 7 above) that certain data (i.e. the retained data) were being retained by Groupon. The DPC subsequently raised these inconsistencies with Groupon and requested that it clarify the position. 15.Groupon then carried out an internal investigation into the matter and, by way of clarification, provided the DPC with a full timeline of the actions taken by Groupon in relation to the Complainant’s account and its responses provided to the Complainant. In this regard, Groupon stated as follows: “Groupon wishes to highlight the following relevant facts to the DPC from the table below, which we hope will rectify any confusion about our handling of the Data Subject's erasure request: The Data Subject made his last purchase with Groupon on 30 August 2016. 6 Information about the Data Subject's purchases with Groupon was retained for the purposes of fraud prevention for two years and then deleted, in line with Groupon's records retention policy. Our standard response to a deletion request informs data subjects that information may be retained for fraud prevention purposes, but this only applies where a purchase was made less than two years before the date a deletion request was received. Here, the information held on Groupon's fraud database in respect of the Data Subject's last purchase was deleted by 30 August 2018 - two years after his last purchase on the site. However at this time, Groupon still held personal data in respect of the Data Subject including his account registration information and purchase details within it’s main database. On 17 April 2019 [the Complainant] submitted an access request and request for deletion of data to Groupon’s customer service through email (info@groupon.de) and through the Groupon Privacy Portal (copy attached as Document 1). Groupon responded to that access request on 10 May 2019 (copy attached as Document 2) in which Groupon confirmed the information it held about the Data Subject. Note that at this date (i.e. 10 May 2019), the information held on the Data Subject on Groupon's fraud database had already been deleted in accordance with Groupon's records retention policy, as noted immediately above. The Data Subject's request for deletion of all remaining personal data held by Groupon was initiated within Groupon on 10 May 2019. Groupon went on to delete all account registration information, purchase history, communications with customer service and other relevant information (i.e. the remaining personal data held by Groupon about the Data Subject) in satisfaction of that request by 5 June 2019. On 5 June 2019, the Data Subject was notified that his deletion request was completed (copy attached as Document 3), which included Groupon's standard response sent to data subjects when a request is completed and includes information to indicate that information could be retained under certain circumstances. Regrettably, a lack of further investigation on our part created some confusion for the Data Subject who went on to request what, if any, information about him had been retained on Groupon's systems (copy attached as Document 4). Further, this fact was not communicated to the DPC in subsequent exchanges with the DPC between 21 June 2019 and 7 17 January 2020, resulting in further confusion and uncertainty, for which we sincerely apologise. We have checked our records and can confirm that the response provided by Groupon's (then) DPO on 1 July 2019 and 15 August 2019 did not correctly reflect the situation. Those communications should have instead confirmed that no personal data about the Data Subject was retained in any of Groupon’s databases, including the fraud database. From the point at which the erasure request was satisfied on 5 June 2019, the only information held about the Data Subject by Groupon was any information held in the context of handling this complaint, Groupon's exchanges with the Data Subject and the DPC, and information related to his access and deletion requests within the Privacy Portal. Taking all of this into account, I can confirm that Groupon no longer processes any data relating to the Data Subject (other than in the context of handling the access and deletion request and this complaint)”. 16.In summary, in light of this information, the DPC understood that the retained data had in fact been deleted on 30 August 2018 (two years from the date of the Complainant’s last purchase on their account) and that the confusion seemed to stem from the fact that Groupon had included a generic or standard confirmation response to the Complainant’s erasure request which suggested that further data had been retained. As clarified by Groupon however, this was not correct and all personal data it held about the Complainant were fully deleted at the time the erasure request was completed on 5 June 2019 (save for “any information held in the context of handling this complaint, Groupon's exchanges with the Data Subject and the DPC, and information related to his access and deletion requests within the Privacy Portal”). 17.A substantive response detailing the explanations above was subsequently provided to the Complainant (via the DPC) by Groupon. However, the Complainant did not accept Groupon’s confirmation that their personal data had been fully deleted and stated that “[d]ata are only deleted when they are actually and irretrievably deleted”. The Complainant therefore further stated as follows: “I hereby reiterate my demand and expect it to be fulfilled in a timely manner: 8 Groupon and the Irish DPC may please confirm the complete and irretrievable deletion of my data from all systems and media. The Irish DPC shall please explain how it ensures or has ensured that Groupon actually and verifiably deletes or has deleted my data completely and irretrievably from all systems and media (e.g. also from possible backups).” 18.The DPC then put the Complainant’s outstanding concerns above to Groupon and specifically sought appropriate documentary evidence (e.g. erasure logs, relevant screenshots, etc.) to demonstrate that all of the Complainant’s personal data had been permanently deleted. 19.In response, Groupon provided the DPC with a zip folder containing an Excel file of exported system logs relating to the Complainant’s requests, as well as an explanatory note to assist both the Complainant and the DPC in understanding the technical information contained in the file. 20.Two requests were recorded in the Excel file, labelled ‘TYIQZV’ and ‘JWXDYL’. Regarding the contents of the Excel file, Groupon explained the column headings and the details contained within the entry labelled ‘TYIQZV’ as follows: “Deadline and extension - The Deadline was extended because request included both Data Access as well as Deletion afterwards and possible technical issues. Completed date - this is the Date the full data deletion was confirmed to the customer. Request Type is set to "deletion" as this was the last request type chosen as it was changed during processing, (later a because of the occurring need there was a [sic] additional type introduced in the system, access/deletion for this type of cases.) Last Public Reply Date - this is the Last message sent by Groupon to the customer, due to the following complaint/second request that followed the data deletion process, the conversation was continued within the first request. Stage and Completed Sub-Tasks - Completed means the status of the request was set to completed due to the data subjects Data Deletion, completed Sub-Tasks 4/4 means that the system got 4 confirmations from 4 tasks assigned to our system categories used - one for data bases and second 9 was communications systems, 4 subtasks means that the access request and deletion request were handled in the same request.” 21.Regarding the entry labelled ‘JWXDYL’, Groupon explained as follows: “The second request was a follow-up question from the data subject and was sent to us because the automatic system response suggested that we may hold some personal data even after the deletion - this is true because depending on the legal obligations on specific markets, this data is however anonymized, if held at all.” 22.Groupon advised the DPC that OneTrust was its data privacy requests software provider at the time, and that Groupon changed its data privacy requests software provider from OneTrust to Transcend in October 2021. Groupon further advised that the system logs were exported from its OneTrust system prior to this changeover and that “we are not able to recover any more details from the requests, because…the system we used was decommissioned, and even then, the request related files were recoverable within the system for about 6 months after that they were also permanently deleted.”. As such, the DPC understood from Groupon that the exported system logs constituted the totality of the data Groupon continued to hold about the Complainant and that any other data had already been permanently deleted. Groupon also provided the DPC with a file containing system screenshots from its Transcend system which displayed no search results against the Complainant’s details. 23.The DPC subsequently provided the Complainant with a copy of the Excel file together with Groupon’s explanations and asked the Complainant whether they were now satisfied with the explanations provided. In response, the Complainant stated that they remained unsatisfied and repeated their previous request that the DPC “please explain how it ensures or has ensured that Groupon actually and verifiably deletes or has deleted my data completely and irretrievably from all systems and media (e.g. also from possible backups)." 10Section 109(2) of the Act 24.Under section 109(2) of the Act, the DPC may, where it considers that there is a reasonable likelihood of the parties reaching, within a reasonable time, an amicable resolution of the subject matter of a complaint, take such steps as it considers appropriate to arrange or facilitate such a resolution. The DPC engaged with both parties to attempt to achieve an amicable resolution of the Complaint. However, these attempts were ultimately unsuccessful. 25.The DPC advised Groupon via correspondence dated 19 September 2023 that it had been unable to facilitate the amicable resolution of the Complaint. 26.Prior to its preparation of this Decision, the DPC prepared a Preliminary Draft Decision for the purposes of facilitating the parties in exercising their respective rights to be heard in relation to this Decision. The DPC then prepared a Draft Decision, which was transmitted to the supervisory authorities concerned pursuant to Article 60(3) GDPR. Notification of the Preliminary Draft Decision to Groupon 27.The DPC provided Groupon with a copy of its Preliminary Draft Decision on 13 December 2023 and invited submissions from Groupon. 28.By correspondence dated 21 December 2023, Groupon confirmed that it had no submissions to make and that it considered the decision to be fair in the circumstances. Notification of the Preliminary Draft Decision to the Complainant 29.The DPC provided the Complainant (via the BW DPA) with a copy of its Preliminary Draft Decision on 28 December 2023 and invited submissions from the Complainant. The BW DPA issued the Complainant with the Preliminary Draft Decision on 2 February 2024. 30.By correspondence dated 5 February 2024, the Complainant provided their submissions on the Preliminary Draft Decision. 11 31.The DPC has carefully considered the submissions of the Complainant in making this Decision. The DPC’s consideration of these submissions is set out at paragraphs 55-58 below. Transmission of the Draft Decision to the Supervisory Authorities Concerned 32.The DPC transmitted the Draft Decision to the supervisory authorities concerned in accordance with Article 60(3) GDPR on 8 February 2024. The DPC did not receive any relevant and reasoned objections under Article 60(4) GDPR. 33.Given that no relevant and reasoned objections were received from any of the supervisory authorities concerned within a period of four weeks, after having been consulted on 8 February 2024, the DPC did not revise the Draft Decision. Issues Under Investigation and Applicable Law 34.The objective of the investigation of the Complaint by the DPC was to ascertain whether Groupon had responded to the Complainant’s access and erasure requests in a manner compliant with the GDRR. 35.The Complaint initially concerned Groupon’s requirement that the Complainant upload an ID document in order to exercise their rights of access and erasure, However, on 17 April 2019 following the commencement of the DPC’s investigation and as explained at paragraphs 5 and 6 above, the Complainant subsequently submitted new access and erasure requests. These new requests were, in effect, re-submissions of the original requests. Although the Complainant was provided with access to their data at that point, the Complainant did not accept that their data were fully deleted thereafter. Accordingly, the scope of the DPC’s investigation concerned Groupon’s facilitation of the Complainant’s access and erasure requests as a whole, including both the original and ‘re-submitted’ access and erasure requests, as well as Groupon’s ID requirements in relation to the original requests. 36.Following the conclusion of its investigation, the DPC identified the following issues to be considered in this Decision: 12 a. Whether Groupon’s request for ID in order to verify the Complainant for the purposes of their original access and erasure requests was compliant with the GDPR. b. Whether Groupon had appropriately demonstrated that the Complainant’s personal data were fully deleted in response to the erasure request. c. Whether Groupon was obliged to identify the specific information contained within and constituting the retained data. 37.For the purposes of its investigation and assessment of the Complaint, the DPC has considered the following Articles of the GDPR: a. Article 15, which provides for a data subject’s right of access. b. Article 17, which provides for a data subject’s right of erasure. Article 17(3) sets out the circumstances where further retention of personal data will be lawful notwithstanding the receipt of an erasure request. c. Article 5(1)(c), which provides for the principle of data minimisation. d. Article 6(1), which provides that processing shall be lawful only if and to the extent that at least one of the lawful bases provided for under Articles 6(1)(a)-(f) applies. e. Article 12(2), which obliges controllers to “facilitate the exercise of data subject rights…” f. Article 12(6), which provides (without prejudice to Article 11) that “where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.” Analysis and Findings Issue 1: Whether Groupon’s request for ID in order to verify the identity of the Complainant for the purposes of their original access and erasure requests was compliant with the GDPR. 38.As noted at paragraph 37(f) above, Article 12(6) GDPR provides that a controller may only request additional information where it has reasonable doubts concerning the identity of the person making a request. Article 12(6) further provides that, in such circumstances, controllers may only request additional information that is “necessary to confirm the identity of the data subject”. It follows 13 from this that a controller must be able to demonstrate its reasonable doubts and further demonstrate how the type of additional information requested is necessary in order to overcome those doubts. 39.The EDPB’s ‘Guidelines 01/2022 on data subject rights – Right of access’ (Access 1 Guidelines) explain how any request by a controller for additional information in order to confirm a data subject’s identity must be necessary, proportionate and consistent with the principle of data minimisation under Article 5(1)(c) GDPR. For example, paragraphs 67 and 68 state as follows: “In cases where the controller requests or is provided by the data subject with additional information necessary to confirm the identity of the data subject, the controller shall, each time, assess what information will allow it to confirm the data subject’s identity and possibly ask additional questions to the requesting person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3). In order to allow the data subject to provide the additional information required to identify his or her data, the controller should inform the data subject of the nature of the additional information required to allow identification. Such additional information should not be more than the information initially needed for the authentication of the data subject. In general, the fact that the controller may request additional information to assess the data subject’s identity cannot lead to excessive demands and to the collection of personal data which are not relevant or necessary to strengthen the link between the individual and the personal data 2 requested.” 40.The Access Guidelines further explain that a proportionality assessment should be carried out regarding the identification of the requesting person: “…if the controller has reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm the data subject’s identity. However, the controller must at the same time ensure that it does not collect more personal data than is necessary to enable authentication of the requesting person. Therefore, the controller shall carry 1 2EDPB Guidelines 01/2022 on data subject rights – Right of access, Version 2.0, Adopted 28 March 2023. Ibid, paras 67-68. 14 out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security.” 3 41.Significantly, the Access Guidelines note the heightened risk involved where an identity document is requested, and state that such a form of identification “should be considered inappropriate, unless it is necessary, suitable, and in line with national law” and that “[i]n such cases the controllers should have systems in place that ensure a level of security appropriate to mitigate the higher risks for the rights 4 and freedoms of the data subject to receive such data.” 42.In this case, Groupon initially required the Complainant to submit a copy of their photographic ID in order to process their access and erasure requests. The DPC further understands that the provision of a copy of such data was not a requirement at account opening stage and, therefore, Groupon had no means to check the veracity of any such information that the Complainant may have submitted. 43.Having regard to the above, the DPC determines that Groupon infringed Article 5(1)(c), by its failure to adhere to the principle of data minimisation. In particular, this infringement occurred when Groupon initially required submission of a copy of the Complainant’s photographic ID in order to verify account ownership for the purposes of processingtheir access and erasure requests, in circumstances where no such verification appeared to have been obtained or required in order to initially open an account. It is also clear that a less data-driven means of verification (namely, by way of the email address associated with the account) was available to Groupon, and this is reflected in Groupon’ssubsequent change to its procedures in October 2018, whereby the requirement to submit photographic ID was discontinued. 44.In addition Groupon has not demonstrated or indicated that it had reasonable doubts as to the Complainant’s identity, such as would have justified it in requesting the provision of additional information to confirm their identity (in the form of photographic ID) under Article 12(6) GDPR. The fact that Groupon 3 4Ibid, para 70. Ibid, para 74. 15 ultimately gave effect to the erasure request in the absence of the submission of a copy of photographic ID demonstrates that no such reasonable doubts concerning the identity of the Complainant existed. As such, the DPC determines that the request for additional identification was an infringement of Article 12(2) GDPR. 45.In summary, Groupon should not have requested that the Complainant provide photographic ID when they submitted their access and erasure requests without establishing that there was a reasonable doubt concerning their identity or whether the requested document was relevant and proportionate. 46.It follows from the above that Groupon failed to comply with the Complainant’s initial access and erasure requests at the time they were made without a lawful basis for not complying. Therefore, the DPC determines that Groupon infringed the Complainant’s right to access under Articles 15(1) and 15(3) GDPR and the Complainant’s right to erasure under Article 17(1) GDPR. As outlined at paragraph 43 above, the requirement in place at the time for a requesting data subject to provide photographic ID in order to give effect to the request is adjudged to be inconsistent with the principle of data minimisation as set out in Article 5(1)(c) GDPR. As such, it was not valid for Groupon to seek to rely on this requirement as a basis on which not to comply with the Complainant’s initial requests for access to and erasure of their personal data. 47.In addition, the DPC determines that Groupon infringed Article 6(1) GDPR by continuing to process the Complainant’s personal data following receipt of their initial request for erasure. The validity of each of the Complainant’s requests has not been disputed, and Groupon’s request for verification is adjudged to have been inconsistent with the principle of data minimisation pursuant to Article 5(1)(c) GDPR, as outlined above at paragraph 43. As such, Groupon’s requirement for a copy of photographic ID was invalid and the request for erasure should have been complied with when received, subject to the Complainant’s account ownership being verified by other, more appropriate means. 48.For the reasons set out at paragraphs 38-47 above, the DPC finds that Groupon: a. infringed Article 5(1)(c) GDPR by having initially required the Complainant to provide a copy of their ID in order to verify their identity for the purposes of their access and erasure requests, in 16 circumstances where no such verification appeared to have been obtained or required in order to initially open an account and a less data-driven means of verification (namely, by wayof the email address associated with the account) was available to Groupon; b. infringed Article 12(2) GDPR by initially requesting additional information as to the Complainant’s identity at the time they made their access and erasure requests, in circumstances where it has not demonstrated that reasonable doubts existed concerning the Complainant’s identity that would have necessitated the application of Article 12(6) of the GDPR; c. infringed Articles 15(1), 15(3) and 17(1) GDPR by having failed to comply with the Complainant’s initial access and erasure requests at the time they were made without a lawful basis for not complying, in circumstances where Groupon’s request (as a prerequisite to responding to the initial access and erasure requests) for photographic ID has been found to be an infringement of Article 5(1)(c) GDPR; and d. infringed Article 6(1) GDPR by continuing to process the Complainant’s personal data following receipt of their initial request for erasure. Issue 2: Whether Groupon has appropriately demonstrated that the Complainant’s personal data were fully deleted in response to the erasure request 49.As set out at paragraphs 19-21 above, Groupon provided both the DPC and the Complainant with an Excel file containing exported system logs relating to the Complainant’s requests, as well as an explanatory note to assist both the Complainant and the DPC in understanding the technical information contained in the file. The DPC carefully considered the information contained within the Excel file and noted that the data related solely to administrative and technical details about the Complainant’s requests and that those details themselves were consistent with Groupon’s position that the remainder of the Complainant’s personal data had been fully deleted (in particular the entries for ‘Completed Date’ and ‘Stage and Completed Sub-Tasks’ as described at paragraph 20 above). 1750.Although the Complainant was not satisfied with these explanations when they were put to them, the DPC notes that no evidence was provided by the Complainant to suggest that, at this time, Groupon had failed to fully delete the Complainant’s personal data (save for the limited administrative data relating to the Complainant’s request and the Complaint, as contained within the Excel file). There are obvious logical difficulties in proving the non-existence of personal data in the absence of evidence or any reasonable doubts being proffered to the contrary. Although the Complainant clearly held concerns that their data may not have been fully deleted, the DPC found Groupon’s evidence and explanations to be more persuasive. 51.As set out at paragraph 22 above, Groupon also provided the DPC with a further file containing system screenshots from its Transcend system (which replaced its previous OneTrust system in October 2021) which displayed no search results against the Complainant’s details. This was also consistent with Groupon’s position that the remainder of the Complainant’s personal data had been fully deleted. 52.The DPC was also satisfied that the data contained within the Excel file, insofar as they constituted personal data, appeared to have been retained by Groupon solely for record-keeping purposes in order to maintain a proper record of the fact that those requests had been addressed. As such, it is the DPC’s view that the retention of such data was appropriate for the purposes of demonstrating Groupon’s compliance with the GDPR, as required pursuant to Articles 5(2) and 24(1) GDPR. 53.The DPC considered the information and explanations provided by Groupon to be sufficiently comprehensive. It is the DPC’s view that, in the absence of evidence to support the existence of any further data being retained, the information and explanations provided by Groupon ought to have allayed any reasonable concerns the Complainant may have had regarding the permanent deletion of their data. 54.Having carefully considered the evidence provided by Groupon as referred to above, and noting also Groupon’s efforts to demonstrate compliance with its accountability obligations despite the length of time that had now passed since the data was confirmed (by Groupon) to have been deleted, it is the DPC’s view that it is reasonable for it to conclude that, save for the limited administrative data contained within the exported system logs, the Complainant’s personal data had been fully deleted. 1855.In their submissions on the Preliminary Draft Decision, the Complainant indicated their dissatisfaction with the DPC’s (then-provisional) conclusions set out above regarding Groupon’s evidence and explanations as to the erasure of their personal data. In summary, the Complainant was of the view that the DPC was required to “carry out appropriate in-depth checks (e.g. find out where [the Complainant’s] personal data has been stored, copied, backed up, archived by Groupon) and ensure that the personal data in question has indeed been completely and irretrievably deleted from all systems and media instead of believing Groupon's Excel file and screenshots.” 56.In an effort to assuage the Complainant’s doubts as expressed in their submissions, the DPC decided, on an exceptional basis, to subsequently carry out an examination of Groupon’s databases to further test Groupon’s evidence as to the full erasure of the Complainant’s personal data. 57.During this exercise, on 7 February 2024, the DPC examined Groupon’s (i) “Cyclops” Customer Database, which consisted of a US version and an International version (the latter broken down into an extensive list of countries where Groupon’s customers are located); (ii) Customer Mailing Database, which consisted of a US version and a single International version; (iii) Merchant Database, which consisted of a single International version; and (iv) One Trust Request Log, which the DPC noted corresponded with the exported system logs referred to at paragraphs 19-22 above. 58.This examination involved entering the Complainant’s details into each of the databases mentioned above, which included, where applicable, the US and International versions as well as each of the various countries listed on the International version of the “Cyclops” Customer Database. On each occasion, no results were returned save for in relation to the Customer Mailing Database, which returned just two results consisting solely of the two emails exchanged between the DPC and Groupon earlier that day to arrange the time for the examination (and which included the Complainant’s first name and surname in the ‘Subject’ field for the purposes of identifying the complaint). In light of these results, the DPC was further satisfied that Groupon had appropriately demonstrated the permanent deletion of the Complainant’s personal data (save for the limited administrative data contained within the Excel file of exported system logs, and the first name and surname of the Complainant as contained within the ‘Subject’ field of the two 19 emails exchanged between the DPC and Groupon) as per their erasure request. For the avoidance of doubt, Groupon also confirmed directly to the DPC officers who carried out the examination that Groupon did not retain any personal data belonging to the Complainant. 59.Based on the facts and analysis set out at paragraphs 49-54 above, the DPC concludes that Groupon has appropriately demonstrated that the Complainant’s personal data (save for the limited administrative data contained within the Excel file of exported system logs, and the first name and surname of the Complainant as contained within the ‘Subject’ field of the two emails exchanged between the DPC and Groupon) were fully deleted in response to the erasure request. This conclusion is further bolstered by the results of the DPC’s examination as described at paragraphs 56-58 above. Accordingly, the DPC finds that no infringement of GDPR by Groupon has occurred in respect of this issue. Decision on Infringements of GDPR 60.Following the investigation of the Complaint against Groupon, the DPC finds that in the circumstances of this Complainant’s case, Groupon infringed the GDPR as follows: For the reasons set out at paragraphs 38-43 above, the DPC finds that Groupon infringed Article 5(1)(c) GDPR by having initially required the Complainant to provide a copy of their ID in order to verify their identity for the purposes of their access and erasure requests, in circumstances where no such verification appeared to have been obtained or required in order to initially open an account and a less data-driven means of verification (namely, by way of the email address associated with the account) was available to Groupon; For the reasons set out at paragraph 44 above, the DPC finds that Groupon infringed Article 12(2) GDPR by initially requesting additional information as to the Complainant’s identity at the time they made their access and erasure requests, in circumstances where it has not demonstrated that reasonable doubts existed concerning the Complainant’s identity that would have necessitated that application of Article 12(6) of the GDPR; 20 For the reasons set out at paragraph 46 above, the DPC finds that Groupon infringed Articles 15(1), 15(3) and 17(1) GDPR by having failed to comply with the Complainant’s initial access and erasure requests at the time they were made without a lawful basis for not complying, in circumstances where Groupon’s request (as a prerequisite to responding to the initial access and erasure requests) for photographic ID has been found to be an infringement of Article 5(1)(c) GDPR; and For the reasons set out at paragraph 47 above, the DPC finds that Groupon infringed Article 6(1) GDPR by continuing to process the Complainant’s personal data following receipt of their initial request for erasure. Remedial Measures by Groupon 61.In respect of these infringements, it is noted that Groupon no longer requires photographic ID in order to verify a data subject’s identity for the purposes of exercising their data subject rights under GDPR. This process was terminated in October 2018. Groupon’s procedure for facilitating the exercise of data subject rights now relies on email authentication instead. Judicial Remedies With Respect to Decision of the DPC 62.In accordance with Article 78 GDPR, both Groupon and the Complainant have a right to an effective judicial remedy against a legally binding decision of a supervisory authority. Pursuant to section 150(5) of the Act , an appeal to the Irish Circuit Court or the Irish High Court may be taken by a data subject or any other person (this includes a data controller) affected by a legally binding decision of the DPC within 28 days of receipt of notification of such decision. An appeal may also be taken by a data controller within 28 days of notification; under section 150(1) against the issuing of an enforcement notice and/or information notice by the DPC against the data controller; and under section 142, against any imposition upon it of an administrative fine by the DPC. Decision on Corrective Powers Infringements of Articles 5(1)(c), 6(1), 12(2), 15(1), 15(3) and 17(1) GDPR 21 63.In deciding on the corrective powers that are to be exercised in respect of the infringements of the GDPR outlined above, I have had due regard to the Commission's power to impose administrative fines pursuant to section 141 of the Act. In particular, I have considered the criteria set out in Article 83(2) (a)-(k) of the GDPR. When imposing corrective powers, I am obliged to select the measures that are effective, proportionate and dissuasive in response to the· particular infringements. The assessment of what is effective, proportionate and dissuasive must be made in the context of the objective pursued by the corrective measures, for example re-establishing compliance with the GDPR or punishing unlawful behaviour (or both) . I find that an administrative fine would not be necessary, proportionate or dissuasive in the particular circumstances in relation to the infringements of the Articles of the GDPR as set out above. 64.In light of the extent of these infringements, the DPC hereby issues a reprimand to Groupon, pursuant to Article 58(2)(b) of the GDPR. Signed: _____________________________ Tony Delaney Deputy Commissioner On behalf of the Data Protection Commission 5 See the Article 29 Data Protection Working Party 'Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679’, at page 11. 22