Datatilsynet (Denmark) - 2018-7320-0166: Difference between revisions

From GDPRhub
The decision below is a machine translation of the original. Please refer to the Danish original for more details.


<pre>
Burda Nordic's recording of telephone conversations
Published 21-11-2019
Decision Private companies
The Danish Data Protection Agency expresses serious criticism that Burda Nordic's processing of personal data in connection with telephone conversations regarding the sale and marketing of publisher's magazines has been done without valid consent of the data subjects and that Burda Nordic has not complied with the publisher's obligation to provide information.
Journal number: 2019-431-0018
Summary
In January 2019, the Danish Data Protection Agency initiated a case on its own initiative against Burda Nordic, as the Danish Data Protection Agency had become acquainted with Burda Nordic's recording of telephone conversations during the sale and marketing of Burda Nordic's magazines.
On November 21, the Data Inspectorate decided on the case. The audit found that Burda Nordic's processing of personal data in connection with recording telephone calls was done without a valid consent. In addition, the Data Inspectorate found that Burda Nordic did not comply with the publisher's disclosure obligation pursuant to Articles 13 and 14 of the Data Protection Regulation.
Burda Nordic has stated that the recordings are used solely to document contractual agreements. To this end, the Data Inspectorate noted that there must always be a real purpose for recording telephone calls, and that companies must therefore consider whether the pursued purpose can be achieved with less intrusive means, e.g. by sending order confirmations via email.
Decision
The Danish Data Protection Agency hereby returns to the case regarding Burda Nordic A/S's processing of personal data in connection with telephone conversations regarding the sale and marketing of Burda Nordic's magazines.
The Data Inspectorate must note that the Authority can only decide on data protection law issues. Therefore, the Data Inspectorate has not decided on consumer law issues in connection with the case.
1. Decision
After reviewing the case, the Data Inspectorate finds that there are grounds for making serious criticism that Burda Nordic's processing of personal data has not been done in accordance with the rules in Article 6(1) of the Data Protection Regulation [1], as well as Articles 13 and 14.
Below is a detailed examination of the case and a justification for the Authority's decision.
2. Presentation of the case
After a number of specific inquiries, the Data Inspectorate became aware of the processing of personal data in connection with telephone conversations regarding the sale and marketing of Burda Nordic's magazines.
By letter dated 9 January 2019, the Data Inspectorate asked Burda Nordic a number of questions with a view to the Danish Data Protection Agency's handling of the case. On February 2, 2019, Burda Nordic submitted its comments to the Authority, including screenshots of consent declarations for the collection of personal data in connection with competitions.
It appears that recording of telephone calls in connection with inquiries from the sales agencies is done on the basis of the consent given by the data subject in connection with participation in a competition.
Burda Nordic processes information about potential new customers, including by lead agencies collecting contact information through competitions where the registrants, as part of the competition conditions, agree that Burda Nordic may make inquiries by telephone, e-mail, letter and sms. Participation in the lead agencies' competitions requires that the registrants accept the competition conditions, including accepting that a number of partners may subsequently contact the registrants for the sale and marketing of their products.
It is also clear that the registrants - before accepting the terms of competition - can click in and see which partners can subsequently contact the registrants. In the list of partners it is possible to unsubscribe from individual companies. Thus, if the registrants do not actively unsubscribe from the companies, they agree to be contacted by all the competition partners according to the competition conditions. 
2.1. Burda Nordic's comments
Burda Nordic has stated in the case that, for example in connection with the publishing and marketing of subscriptions to its magazines, it only processes non-sensitive personal information, including information about name, address, telephone number and e-mail address. The information is processed on the basis of Article 6(1)(a) of the Data Protection Regulation, on consent.
The consent is obtained through lead agencies who collect contact information on registered persons through competitions. When the registrants participate in the lead agency's competition and accept the terms of the competition, they consent to being contacted by Burda Nordic. It is stated in the consent declaration that Burda Nordic can contact the registered person regarding subscription to sewing and fashion magazines.
In addition, Burda Nordic has stated that they use external sales agencies to contact the registrants through the contact information purchased from the lead agencies. The external sales agencies contact potential customers by telephone on Burda Nordic's behalf in order to sell subscriptions to the publisher's magazines. Data processing agreements have been made with the sales agencies.
On recording telephone calls, Burda Nordic has stated that parts of the conversation between the sales agencies and the registered person are recorded and saved if a purchase agreement is made. Burda Nordic has stated that the registrants, when accepting the terms of competition, are informed that the conversation can be recorded.
The recording is used solely as evidence that an agreement has been made between the publisher and the data subject. Burda Nordic also sends an order confirmation to the registered person by mail. By extension, Burda Nordic has stated that an order confirmation by mail is not as good documentation of a contract as an audio recording, since an order confirmation can, for example, end up in a spam filter.
Regarding disclosure requirements, Burda Nordic states that the publisher buys contact information on potential customers through lead agencies and that it is the lead agencies that comply with the disclosure obligation pursuant to Article 14 of the Data Protection Regulation. Burda Nordic has stated in this connection that lead agencies are independently responsible for the collection of personal data, and that the information is subsequently purchased by Burda Nordic, who becomes the data controller for the publisher's processing of personal data.
3. Justification for the Authority's decision
3.1. The basis for processing when recording telephone calls
The Danish Data Protection Agency initially observes that it is the Authority's practice that recording and storage of telephone calls should, as a starting point, be made on the basis of the consent of the persons about whom information is processed, in accordance with Article 6 (2) of the Data Protection Regulation.
The Danish Data Protection Agency has based its decision on the premise that, when recording the telephone calls in question, only non-sensitive personal data covered by Article 6 of the Data Protection Regulation are processed and that Burda Nordic processes information about the data subjects on the basis of Article 6(1)(a) of the Data Protection Regulation.
Furthermore, the Data Protection Agency has assumed that Burda Nordic processes personal information on data subjects based on the consent declaration shown in the lead agencies' competitions, a copy of which is attached as Annexes 7, 8 and 9 to Burda Nordic's consultation response of 20 February 2019.
The conditions for a valid consent are set out in Article 4 (11) of the Data Protection Regulation [2] and Article 7. In order to be valid, consent must be voluntary, specific and informed, and express an unambiguous expression of will.
A specific consent means that the consent must not be generally formulated or without precise indication of the purposes of processing personal data and what personal data will be processed. 
A consent must also be informed so that the data subject is aware of what consent is given. Thus, the data controller must provide the data subject with a number of information to ensure that the data subject can make his or her decision on an informed basis.
In addition, consent must be expressed in an unambiguous expression of will. Thus, the consent given must not give rise to doubt, which is why silence or inaction is not sufficient to constitute an unambiguous expression of will.
After reviewing the case, the Data Inspectorate finds that the declaration of consent submitted does not meet the conditions of Article 4 (11) and Article 7 of the Data Protection Regulation. In this connection, the Data Inspectorate emphasizes that inactivity, including already checked boxes, is not sufficient to constitute an unambiguous expression of will, and such pre-ticked fields therefore do not meet the conditions of Article 4 (11) of the Data Protection Regulation.
The Data Inspectorate further finds that the statement of consent, according to its wording, is considered only to deal with Burda Nordic's processing of personal data in connection with the telephone inquiry for the purpose of selling and marketing the publisher's titles. In the opinion of the Data Inspectorate, the consent declaration cannot be extended to other processing of personal data, including, among other things, recording phone calls.
In view of the above, the Data Inspectorate finds grounds for serious criticism that Burda Nordic's processing of personal data has not taken place in accordance with Article 6(1)(a) of the Data Protection Regulation, since recording the telephone conversations with the data subjects in connection with sales has not been done with a valid consent.
3.1.2. Basic processing principles
In addition, the Data Inspectorate should note that Article 5 of the Data Protection Regulation contains a number of basic principles which data controllers must always adhere to when processing personal data.
Pursuant to Article 5(1)(b) of the Data Protection Regulation, personal data shall be collected for explicit and legitimate purposes. Subsequent treatment must not be incompatible with these purposes ('purpose limitation').
Pursuant to Article 5(1)(c), personal data shall be sufficient, relevant and limited to what is necessary in relation to the purposes of processing the data ('data minimization').
Thus, there must always be a legitimate purpose for recording telephone calls, and companies must consider whether the pursued purpose can possibly be achieved with less intrusive means.
In view of the fact that recording of the conversations takes place solely to be able to document that an agreement has been concluded between the publisher and the customer in the event of a dispute regarding payment, and that an order confirmation is also sent to the data subject by mail, it is the Danish Data Inspectorate's opinion that documentation for Burda Nordic's conclusion of agreements can be made with less intervention which does not require processing of information in the form of recording telephone calls.
The Data Inspectorate points out that the basic conditions of Article 5, as described above, also apply even if there was a valid basis for processing in Article 6 (1) (a) of the Data Protection Regulation on consent.
3.2 The duty of disclosure
When collecting personal data on data subjects, data controllers must comply with the duty of disclosure pursuant to Articles 13 and 14 of the Data Protection Regulation. Where personal data is collected from the data subject, it follows from Article 13(1) and (2) of the Data Protection Regulation that it is incumbent upon the data controller to provide the data subject with a number of pieces of information. Where personal data has not been collected from the data subject, it follows from Article 14(1)-(3) of the Regulation that it is the responsibility of the data controller to provide the data subject with a number of pieces of information.
It is the opinion of the Data Inspectorate that Burda Nordic has an independent obligation to fulfill the duty of disclosure pursuant to Articles 13 and 14. In this connection, the Danish Data Protection Authority has emphasized that there is no data processor relationship between the lead agencies and Burda Nordic; it is a matter of the transfer of personal data between two independent data controllers. Burda Nordic is thus, in the opinion of the Authority, obliged to comply with the obligation to provide information pursuant to Article 14 of the Data Protection Regulation when the publisher collects personal data in connection with the procurement of leads.
The Data Inspectorate has also emphasized that Burda Nordic has not stated that the company fulfills the obligation to provide information when the sales agencies contact the data subjects by telephone and collect personal data through them. In the opinion of the Authority, Burda Nordic is obliged to comply with the duty of disclosure pursuant to Article 13 of the Data Protection Regulation and in this connection on its own initiative, inter alia, to inform that the conversation is being recorded. Thus, it is not sufficient to state that the conversation can be recorded if the conversation is actually recorded.
In view of the above, the Data Protection Authority finds grounds for serious criticism of Burda Nordic's failure to comply with Articles 13 and 14 of the Data Protection Regulation.
4. Insight
For the sake of good order, the Data Protection Authority must note that data subjects are entitled, pursuant to Article 15 of the Data Protection Regulation, to access personal information about themselves. The right of access also includes recorded telephone calls.
As a rule, registrants may require a written copy of the recording, ie a copy of the interview. However, the right of insight can also be fulfilled by Burda Nordic handing out the recording as an audio file. Such an audio file must be sent to the data subject in a commonly used standard format.
Burda Nordic has stated that registrants can gain insight into the audio recordings, including having a copy of the audio file forwarded if the customer pre-identifies himself by submitting an ID with a picture.
In this connection, the Data Inspectorate should note that it follows from Article 12(6) of the Data Protection Regulation that data controllers, if there is reasonable doubt as to the identity of a data subject making a request for access, may request additional information necessary to verify the data subject's identity. Article 12(6) requires the data controller to make a concrete assessment of whether there is reasonable doubt as to the identity of a data subject in connection with each request for access. A general procedure for ID validation prior to responding to objection requests does not comply with Article 12.
Furthermore, a request for additional information in order to identify a data subject must also be proportionate, in accordance with Article 5 (2) of the Regulation. Therefore, the data controller may not require more information than is necessary in the specific situation.
The Data Inspectorate recommends that Burda Nordic consider whether the image of a data subject is necessary to ensure the identity of the person in specific cases of doubt.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation).
[2] See preamble recital 32 of the Data Protection Regulation.


One citizen complained that a company asked him to submit, for example, a passport or driver's license before it would consider his request for deletion. The Data Inspectorate found that the general procedure for ID validation did not comply with the rules, since the data controller has a duty to make a concrete assessment of whether there is reasonable doubt about the identity of the natural person.


</pre>
Journal number: 2018-7320-0166
 
 
 
Summary
 
 
 
The Data Inspectorate has ruled in a case in which a UK citizen complained that Pandora A / S had asked him to submit a passport, driver's license or national identity card before Pandora would consider his request for deletion.
 
 
 
Pandora stated that, for security reasons, the company had established a general procedure for submitting credentials in connection with requests to exercise the rights of data subjects.
 
 
 
The Data Inspectorate found that Pandora's general procedure, which without exception required ID validation for processing requests for the exercise of data subjects' rights, did not comply with the Data Protection Regulation.
 
 
 
The Danish Data Protection Authority emphasized, among other things, that the data controller has a duty to make a concrete assessment of whether there is a reasonable doubt about the identity of the natural person when receiving requests for the exercise of data subjects' rights.
 
 
 
The case is the first case where the Danish Data Protection Agency has taken a decision as the lead supervisory authority under the "one-stop shop mechanism" in connection with cross-border processing of personal data.
 
 
 
Decision
 
 
 
The Data Inspectorate hereby returns to the case in which, on May 30, 2018, the complainant complained to the Information Commissioner's Office (ICO) that Pandora A/S (hereafter Pandora) has refused to delete his personal data in Pandora's systems / databases. In accordance with Article 56 of the Data Protection Regulation [1], the Data Inspectorate has been designated as the lead supervisory authority in the case.
 
 
 
1. Decision
 
 
 
After reviewing the case, the Data Inspectorate finds that there is reason to express criticism that Pandora's processing of personal data has not taken place in accordance with the rules of Article 12(6) and Article 5(1)(c) of the Data Protection Regulation.
 
 
 
The Data Inspectorate also finds grounds for ordering Pandora to consider, and to decide in respect of the complainant, whether the conditions for deletion pursuant to Article 17 of the Data Protection Regulation are met and, where appropriate, to delete the personal data processed about the complainant. The decision must be taken as soon as possible and no later than two weeks from today's date. The order is issued pursuant to Article 58(2)(c) of the Data Protection Regulation.
 
 
 
The Data Inspectorate points out that, pursuant to section 41(2)(5) of the Data Protection Act [2], failure to comply with an order issued by the Data Inspectorate pursuant to Article 58(2)(c) of the Regulation is punishable.
 
 
 
Pandora must inform the Authority when a decision has been made.
 
 
 
The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.
 
 
2. Presentation of the case
 
 
 
It appears from the case that on May 23, 2018, the complainant contacted Pandora requesting that he be deleted from the company's database.
 
 
 
In an email dated May 29, 2018, Pandora asked the complainant to file his request for deletion via the company's online form.
 
 
 
The complainant then filled out the online form the same day but, due to technical issues, took screenshots of the completed form and emailed the images of the completed form to Pandora.
 
 
 
On May 30, 2018, Pandora informed the complainant that, in order for Pandora to process the deletion request - in accordance with the requirements of the online form on the website - he would have to submit credentials in the form of e.g. a passport, driver's license or national identity card to enable the company to confirm his identity.
 
 
 
However, the complainant did not want to send a credential to Pandora, which is why Pandora did not respond to the complainant's request for deletion, as Pandora, in its opinion, could not confidently identify the complainant without the credentials.
2.1. Pandora's remarks
 
 
 
Pandora has stated that the registrant fills out the form on Pandora's website, which is sent encrypted to Pandora, after which it is stored in Pandora's internal systems and handled and answered by a designated employee. Since the data subject can enter any email address in the form - including one that is not registered in Pandora's systems - the data subject will receive a confirmation email from Pandora immediately after submitting the request, with a link that the person must use to confirm the request.
 
 
 
Pandora has further stated that if the data subject enters an e-mail address that is not registered in the company's systems or if there are other uncertainties related to the request, Pandora's customer service department will contact the data subject for clarification.
 
 
 
Once the request is answered, Pandora confirms this to the data subject and the credentials attached to the form are deleted immediately after the request is processed. Thus, the identification is kept for no longer than 30 days, unless the request procedure is extended pursuant to Article 12(3).
 
 
 
Pandora has emphasized that the data subject's credentials are used solely for identity purposes and that Pandora never asks for credentials in connection with requests that relate only to the data subject's desire to unsubscribe as a recipient of a Pandora newsletter (which he or she has signed up for).
Pandora has argued that ID validation is an important part of Pandora's "DSR procedure" (abbreviation for data subject rights procedure). In Pandora's view, the company is required to verify the data subject's identity before handling a DSR request from the person concerned. Pandora has among other things referred to recital 64 of the Data Protection Regulation, Data Protection Supervisor's Guide on the rights of data subjects, section 2.6 and report 1565 on the Data Protection Regulation, para. 4.2.2.4 (pp. 269 et seq.).
 
 
 
Pandora states that the company has approx. 9.7 million registered customers, and that Pandora does not have a unique identifier (such as a customer or ID number) for each individual customer that can be used to validate the customer's identity. Any personal information that Pandora has registered in the company's systems (e.g. name, address, e-mail address and telephone number) is, according to Pandora, easy to search for, for example on social media, and to some extent publicly available. It is Pandora's assessment that a procedure where Pandora does not ask for credentials will pose a significant risk to Pandora's customers.
 
 
 
Pandora submits that, in Pandora's view, the company's procedure fulfills the requirement that the assessment of whether identification should be considered necessary must be specifically assessed in relation to the individual request. In that regard, Pandora submits that because Pandora's relationship with the company's customers is primarily an online relationship where the company does not know the natural person behind the request, the specific assessment in each case will therefore be the same. In Pandora's view, therefore, there will always be either reasonable doubt and a general risk, or there will never be any reasonable doubt or any general risk.
 
 
 
In light of this complexity, Pandora initially conducted a risk assessment of the company's existing setup and, on this basis, established a procedure that, in Pandora's opinion, both easily and safely safeguards the data subjects' rights, while at the same time Pandora fulfills the company's obligations under the Data Protection Regulation, including the requirements of Article 12(2) and (6), as well as the company's duty to secure the identity of the data subjects and not to unduly disclose or delete personal data.
 
 
 
Pandora submits that a more specific assessment is not possible in the present case because there is no specific information in the case that can be used as a valid basis for assuming that the data subject is the person he claims to be. Pandora submits that the request for identification in the specific case is necessary and, overall, proportionate.
 
 
 
Pandora also points out that, on December 4, 2018, the ICO ruled in a case materially identical to the present one. In that case, the ICO found no basis for criticizing the fact that Pandora had requested a customer to provide credentials in order to validate his or her identity prior to meeting the customer's request for deletion. The ICO considered that the request for credentials was proportionate.
 
 
 
2.2. The complainant's remarks
 
 
 
The complainant has generally stated that he did not want to supply Pandora with additional personal information in order for it to respond to the request for deletion. The complainant also alleges that Pandora could have contacted him via email or phone to confirm his identity.
 
 
 
3. Justification for the Danish Data Protection Agency's decision
 
 
 
It follows from Article 12(2) of the Data Protection Regulation that the data controller must facilitate the exercise of the data subject's rights under, inter alia, Article 17 on deletion.
 
 
 
In accordance with Article 12(6) of the Data Protection Regulation, a data controller can, if there is reasonable doubt about the identity of the natural person making a request for e.g. deletion, request additional information needed to confirm the identity of the data subject.
 
 
 
Furthermore, it follows from the principles of the Data Protection Regulation for the processing of personal data that personal data must, among other things, be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed, in accordance with Article 5(1)(c).
 
 
 
The Data Inspectorate also refers to the Article 29 Group's guidelines on the right to data portability WP242 rev.01 [3], page 14 f., where the following is stated:
 
 
 
“There are no prescribed requirements in the Data Protection Regulation on how the data subject can be authenticated. (…) In addition, Article 12(6) provides that if a data controller has reasonable doubts about the identity of a data subject, he may request additional information to confirm the data subject's identity. (…) If information and data collected online are linked to pseudonyms or unique identifiers, data controllers may carry out appropriate procedures to enable a natural person to request data portability and receive information pertaining to him or her. In all cases, the data controller must establish an authentication procedure in order to be able to establish with certainty the identity of the data subject requesting his or her personal information or, more generally, exercising the rights granted by the Data Protection Regulation.
 
 
 
These procedures often already exist. The data subjects are often already authenticated by the data controller before entering into a contract or obtaining consent for processing. As a result, the personal data used to register the natural person at the processing can also be used as evidence to authenticate the data subject for portability purposes.
 
 
 
In these cases, a request for proof of the legal identity of the data subjects may be required, while verification may be relevant to assess the relationship between the information and the natural person, since such a connection does not concern the official or legal identity. In essence, the ability of the data controller to request additional information to identify a person's identity may not lead to exaggerated claims and to the collection of personal information that is not relevant or necessary to strengthen the connection between the natural person and the personal data requested.
 
 
 
In many cases, such confirmation procedures are already in place. For example, often usernames and passwords to allow natural persons access to data in email accounts, social network accounts and accounts for various other services, where natural persons choose to use some of these without disclosing their full name and identity. "
 
 
 
The Data Inspectorate assumes that Pandora always asks for credentials in connection with a request from a data subject who wishes to exercise his rights.
 
 
 
Following a review of the case, the Data Inspectorate is of the opinion that Pandora's general procedure, which without exception requires ID validation in connection with processing requests for the exercise of data subjects' rights, is not in accordance with Article 12(6) and Article 5(1)(c) of the Data Protection Regulation.
 
 
 
The Data Inspectorate has hereby emphasized that Article 12(6) of the Data Protection Regulation implies that the data controller has a duty to make a concrete assessment of whether there is reasonable doubt as to the identity of the natural person in connection with the individual request for the exercise of the rights of the data subject. In this connection, the Data Inspectorate finds that the fact that customer relationships are online does not mean that there will always be reasonable doubt about the identity of the natural person.
 
 
 
The Data Inspectorate has also emphasized that a request for additional information for the purpose of identifying the natural person must be proportionate, in accordance with Article 5 (2). Therefore, the data controller may not require more information than is necessary to identify the natural person. The Data Inspectorate finds that it does not comply with Article 12(2) that Pandora has organized a procedure whereby the data subject must provide more information than was originally collected in order to process a request for the exercise of the rights of the data subject.
 
 
 
The fact that Pandora has designed its systems in such a way that, e.g., unique identifiers are not associated with the data subjects cannot, in the opinion of the Data Inspectorate, justify Pandora requiring in all cases that the data subject identify himself in order to exercise his rights under the regulation. In the opinion of the Data Inspectorate, Pandora's general ID validation procedure goes beyond what is required and unnecessarily complicates the data subject's ability to exercise his rights.
 
 
 
In view of the above, the Data Inspectorate thus finds a basis for criticizing the fact that Pandora's processing of personal data has not taken place in accordance with the rules in Article 12(6) and Article 5(1)(c) of the Data Protection Regulation.
 
 
 
The Data Inspectorate also finds grounds for ordering Pandora to consider, and to decide in respect of the complainant, whether the conditions for deletion pursuant to Article 17 of the Data Protection Regulation are met and, where appropriate, to delete the personal data processed about the complainant.
 
 
 
The Data Inspectorate notes that, when dealing with complaints, the Authority will always make a concrete assessment of the circumstances. In the opinion of the Data Inspectorate, a reference to a decision taken in another European country may not necessarily lead to a similar decision being made by the Authority.
 
 
 
 
 
 
 
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation).
 
 
 
[2] Law No 502 of 23 May 2018 laying down additional provisions for a regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information (Data Protection Act).
 
 
 
[3] At its first meeting of 25 May 2018, the European Data Protection Council confirmed that this is also an expression of the Council's position.

Revision as of 08:12, 5 June 2020

Datatilsynet - 2018-7320-0166
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(c) GDPR, Article 12(6) GDPR, Article 17 GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 25.10.2019
Fine: none
Parties: Pandora Vs. anonymous
National Case Number: 2018-7320-0166
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Danish
Original Source: Datatilsynet (in DK)

Pandora's systemic practice to ask for identification before considering a data subject’s request is contrary to the principle of data minimisation.

English Summary

Facts

A citizen submitted a request for erasure of his personal data to the jewellery company Pandora SA under Article 17 GDPR. The company asked him to submit his passport or driving license before it would consider his request.

Dispute

Under what conditions can the controller ask for proof of ID in order to respond to a deletion request?

Holding

The Datatilsynet noted that data controllers must carry out a concrete assessment on whether there is a reasonable doubt about the identity of a data subject. Pandora’s general practice to ask for identification without providing any exceptions did not comply with Articles 5(1)(c) and 12(6) GDPR. It ordered Pandora to carry out this assessment. Finally, it stressed that this is the first case where the Datatilsynet has taken a decision as the leading supervisory authority under the "one-stop shop mechanism" in connection with cross-border processing of personal data.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Danish original for more details.


One citizen complained that a company asked him to submit, for example, a passport or driver's license before it would consider his request for deletion. The Data Inspectorate found that the general procedure for ID validation did not comply with the rules, since the data controller has a duty to make a concrete assessment of whether there is reasonable doubt about the identity of the natural person.


Journal number: 2018-7320-0166
 
Summary
 
The Data Inspectorate has ruled in a case in which a UK citizen complained that Pandora A/S had asked him to submit a passport, driver's license or national identity card before Pandora would consider his request for deletion.
 
Pandora stated that, for security reasons, the company had established a general procedure for submitting credentials in connection with requests to exercise the rights of data subjects.
 
The Data Inspectorate found that Pandora's general procedure, which without exception required ID validation for processing requests for the exercise of data subjects' rights, did not comply with the Data Protection Regulation.
 
The Danish Data Protection Authority emphasized, among other things, that the data controller has a duty to make a concrete assessment of whether there is a reasonable doubt about the identity of the natural person when receiving requests for the exercise of data subjects' rights.
 
The case is the first case where the Danish Data Protection Agency has taken a decision as the lead supervisory authority under the "one-stop shop mechanism" in connection with cross-border processing of personal data.
 
Decision
 
The Data Inspectorate hereby returns to the case in which, on May 30, 2018, the complainant complained to the Information Commissioner's Office (ICO) that Pandora A/S (hereafter Pandora) has refused to delete his personal data in Pandora's systems/databases. In accordance with Article 56 of the Data Protection Regulation [1], the Data Inspectorate has been designated as the lead supervisory authority in the case.
 
1. Decision
 
After reviewing the case, the Data Inspectorate finds that there is reason to express criticism that Pandora's processing of personal data has not taken place in accordance with the rules of Article 12(6) and Article 5(1)(c) of the Data Protection Regulation.
 
The Data Inspectorate also finds grounds for ordering Pandora to decide, in respect of the complainant, whether the conditions for deletion pursuant to Article 17 of the Data Protection Regulation are met and, where appropriate, to delete the personal data processed about the complainant. The decision must be taken as soon as possible and no later than two weeks from today's date. The order is issued pursuant to Article 58(2)(c) of the Data Protection Regulation.
 
The Data Inspectorate points out that, in accordance with section 41(2)(5) of the Data Protection Act [2], failure to comply with an order issued by the Data Inspectorate pursuant to Article 58(2)(c) of the Regulation is punishable.
 
Pandora must inform the Authority when a decision has been made.
 
The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.
 


2. Statement of the case
 
It appears from the case that on May 23, 2018, the complainant contacted Pandora requesting that he be deleted from the company's database.
 
In an email dated May 29, 2018, Pandora asked the complainant to file his request for deletion via the company's online form.
 
The complainant then filled out the online form the same day but, due to technical issues, took screenshots of the completed form and emailed the images to Pandora.
 
On May 30, 2018, Pandora informed the complainant that, in order for Pandora to process the deletion request - in accordance with the requirements of the online form on the website - he would have to submit credentials in the form of e.g. a passport, driver's license or national identity card to enable the company to confirm his identity.
 
However, the complainant did not want to send a credential to Pandora, which is why Pandora did not respond to the complainant's request for deletion, as Pandora, in its opinion, could not confidently identify the complainant without the credentials.


2.1. Pandora's remarks
 
Pandora has stated that the data subject fills out the form on Pandora's website, which is sent encrypted to Pandora, after which it is stored in Pandora's internal systems and handled and answered by a designated employee. Since the data subject can enter any email address in the form - including one that is not registered in Pandora's systems - the data subject will receive a confirmation email from Pandora immediately after submitting the request, with a link that the person must use to confirm the request.
 
Pandora has further stated that if the data subject enters an e-mail address that is not registered in the company's systems or if there are other uncertainties related to the request, Pandora's customer service department will contact the data subject for clarification.
 
Once the request is answered, Pandora confirms this to the data subject and the credentials attached to the form are deleted immediately after the request is processed. Thus, the identification is kept for no longer than 30 days, unless the request procedure is extended pursuant to Art. 12(3).
 
Pandora has emphasized that the data subject's credentials are used solely for identity purposes and that Pandora never asks for credentials in connection with requests that relate only to the data subject's desire to unsubscribe as a recipient of a Pandora newsletter (which he or she has signed up for).


Pandora has argued that ID validation is an important part of Pandora's "DSR procedure" (abbreviation for data subject rights procedure). In Pandora's view, the company is required to verify the data subject's identity before handling a DSR request from the person concerned. Pandora has among other things referred to recital 64 of the Data Protection Regulation, Data Protection Supervisor's Guide on the rights of data subjects, section 2.6 and report 1565 on the Data Protection Regulation, para. 4.2.2.4 (pp. 269 et seq.).
 
Pandora states that the company has approx. 9.7 million registered customers, and that Pandora does not have a unique identifier (such as a customer or ID number) for each individual customer that can be used to validate the customer's identity. Any personal information that Pandora has registered in the company's systems (e.g. name, address, e-mail address and telephone number) is, according to Pandora, easy to find on, for example, social media and is to some extent publicly available. It is Pandora's assessment that a procedure where Pandora does not ask for credentials will pose a significant risk to Pandora's customers.
 
Pandora submits that, in Pandora's view, the company's procedure fulfills the requirement that the assessment of whether identification should be considered necessary must be specifically assessed in relation to the individual request. In that regard, Pandora submits that because Pandora's relationship with the company's customers is primarily an online relationship where the company does not know the natural person behind the request, the specific assessment in each case will therefore be the same. In Pandora's view, therefore, there will always be either reasonable doubt and a general risk, or there will never be any reasonable doubt or any general risk.
 
In light of this complexity, Pandora initially conducted a risk assessment of the company's existing setup and, on this basis, established a procedure that, in Pandora's opinion, both easily and safely safeguards the data subjects' rights, while at the same time Pandora fulfills the company's obligations under the Data Protection Regulation, including the requirements of Article 12(2) and (6), as well as the company's duty to secure the identity of the data subjects and not to unduly disclose or delete personal data.
 
Pandora submits that a more specific assessment is not possible in the present case because there is no specific information in the case that can be used as a valid basis for assuming that the data subject is the person he claims to be. Pandora submits that the request for identification in the specific case is necessary and, overall, proportionate.
 
Pandora also points out that, on December 4, 2018, the ICO ruled in a case materially identical to the present one. In that case, the ICO found no basis for criticizing the fact that Pandora had requested a customer to provide credentials in order to validate his or her identity prior to meeting the customer's request for deletion. The ICO considered that the request for credentials was proportionate.
 
2.2. The complainant's remarks
 
The complainant has generally stated that he did not want to provide Pandora with additional personal information in order for it to respond to the request for deletion. The complainant also alleges that Pandora could have contacted him via email or phone to confirm his identity.
 
3. Justification for the Danish Data Protection Agency's decision
 
It follows from Article 12(2) of the Data Protection Regulation that the data controller must facilitate the exercise of the data subject's rights under, inter alia, Article 17 on deletion.
 
In accordance with Article 12(6) of the Data Protection Regulation, a data controller can, if there is reasonable doubt about the identity of the natural person making a request for e.g. deletion, request additional information needed to confirm the identity of the data subject.
 
Furthermore, it follows from the principles of the Data Protection Regulation for the processing of personal data that personal data must, among other things, be sufficient, relevant and limited to what is necessary in relation to the purposes for which they are processed, in accordance with Article 5(1)(c).
 
The Data Inspectorate also refers to the Article 29 Group's guidelines on the right to data portability WP242 rev.01 [3], page 14 f., where the following is stated:
 
“There are no prescribed requirements in the Data Protection Regulation on how the data subject can be authenticated. (…) In addition, Article 12(6) provides that if a data controller has reasonable doubts about the identity of a data subject, he may request additional information to confirm the data subject's identity. (…) If information and data collected online are linked to pseudonyms or unique identifiers, data controllers may carry out appropriate procedures to enable a natural person to request data portability and receive information pertaining to him or her. In all cases, the data controller must establish an authentication procedure in order to be able to establish with certainty the identity of the data subject requesting his or her personal information or, more generally, exercising the rights granted by the Data Protection Regulation.
 
These procedures often already exist. The data subjects are often already authenticated by the data controller before entering into a contract or obtaining consent for processing. As a result, the personal data used to register the natural person at the processing can also be used as evidence to authenticate the data subject for portability purposes.
 
In these cases, a request for proof of the legal identity of the data subjects may be required, while verification may be relevant to assess the relationship between the information and the natural person, since such a connection does not concern the official or legal identity. In essence, the ability of the data controller to request additional information to identify a person's identity may not lead to exaggerated claims and to the collection of personal information that is not relevant or necessary to strengthen the connection between the natural person and the personal data requested.
 
In many cases, such confirmation procedures are already in place. For example, often usernames and passwords to allow natural persons access to data in email accounts, social network accounts and accounts for various other services, where natural persons choose to use some of these without disclosing their full name and identity. "
 
The Data Inspectorate assumes that Pandora always asks for credentials in connection with a request from a data subject who wishes to exercise his rights.
 
Following a review of the case, the Data Inspectorate is of the opinion that Pandora's general procedure, which without exception requires ID validation in connection with processing requests for the exercise of data subjects' rights, is not in accordance with Article 12(6) and Article 5(1)(c) of the Data Protection Regulation.
 
The Data Inspectorate has hereby emphasized that Article 12(6) of the Data Protection Regulation implies that the data controller has a duty to make a concrete assessment of whether there is reasonable doubt as to the identity of the natural person in connection with the individual request for the exercise of the rights of the data subject. In this connection, the Data Inspectorate finds that the fact that a customer relationship is online does not mean that there will always be reasonable doubt about the identity of the natural person.
 
The Data Inspectorate has also emphasized that a request for additional information for the purpose of identifying the natural person must be proportionate, in accordance with Article 5 (2). Therefore, the data controller may not require more information than is necessary to identify the natural person. The Data Inspectorate finds that it does not comply with Article 12(2) that Pandora has organized a procedure whereby the data subject must provide more information than was originally collected in order to process a request for the exercise of the rights of the data subject.
 
The fact that Pandora has designed its systems in such a way that, e.g., no unique identifiers are associated with the data subjects cannot, in the opinion of the Data Inspectorate, justify Pandora requiring in all cases that the data subject identify himself in order to exercise his rights under the regulation. In the opinion of the Data Inspectorate, Pandora's general ID validation procedure goes beyond what is required and unnecessarily complicates the data subject's ability to exercise his rights.
 
In view of the above, the Data Inspectorate thus finds a basis for criticizing the fact that Pandora's processing of personal data has not taken place in accordance with the rules in Article 12(6) and Article 5(1)(c) of the Data Protection Regulation.
 
The Data Inspectorate also finds grounds for ordering Pandora to decide, in respect of the complainant, whether the conditions for deletion pursuant to Article 17 of the Data Protection Regulation are met and, where appropriate, to delete the personal data processed about the complainant.
 
The Data Inspectorate notes that, when dealing with complaints, the Authority will always make a concrete assessment of the circumstances. In the opinion of the Data Inspectorate, a reference to a decision taken in another European country may not necessarily lead to a similar decision being made by the Authority.
 


 
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46/EC (general data protection regulation).
 
[2] Law No 502 of 23 May 2018 laying down additional provisions for a regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information (Data Protection Act).
 
[3] At its first meeting of 25 May 2018, the European Data Protection Council confirmed that this is also an expression of the Council's position.