IMY (Sweden) - DI-2020-10549
IMY - DI-2020-10549 | |
---|---|
Authority: | IMY (Sweden) |
Jurisdiction: | Sweden |
Relevant Law: | Article 5(1)(c) GDPR Article 12(2) GDPR Article 12(6) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 31.03.2023 |
Published: | 14.04.2024 |
Fine: | n/a |
Parties: | CDON AB |
National Case Number/Name: | DI-2020-10549 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Swedish |
Original Source: | IMY (in SV) |
Initial Contributor: | ec |
The DPA issued a reprimand against a controller for unnecessarily using a burdensome identification verification method when data subjects requested erasure, such as asking data subjects to provide the order number and price of the last order.
English Summary
Facts
7 data subjects separately contacted CDON AB (“controller”), a Swedish company, and made an erasure request. The controller replied that in order to process the request, it needed information on date of birth, address, customer number information on recent purchases such as order number and information on payment method including the last four digits of the credit card number in case of card payment. Several data subjects argued they could not retrieve all the requested information as their purchases were so far back in time.
The data subjects lodged separate complaints against the controller in Finland (6) and Denmark (1). Given the cross-border nature of the processing, the Swedish DPA (“Integritetsskydds myndigheten”) made use of the cooperation and consistency mechanisms provided by the GDPR, as the controller was based in Sweden.
The controller argued that the names and email addresses of the data subjects were not sufficient to ensure the data subject’s identity. It therefore requested additional information from the data subjects pursuant to Article 12(6) GDPR. The controller also stated it took the complaints very seriously and has since, reviewed and clarified the identification process so that data subjects only need to answer one of the two security questions, and offers data subject to contact customer service for investigation of alternative security questions to verify the customer’s identity in the case of the data subject being unwilling or unable to answer the questions.
Moreover, the controller stated that it deleted customer profiles automatically depending on the consumer law obligations in various countries, for example after three years in Sweden. The controller thereby confirmed that all of the data subjects’ personal data were deleted.
Holding
The DPA did not investigate two out of seven complaints. The controller could not verify the receiving or processing date of those erasure requests as several years had passed since the complaints were submitted to the Finish DPA. The DPA then noted it could not draw any firm conclusions as to what occurred in the two cases. Moreover, as the controller confirmed it did not process personal data of these two data subjects anymore, the DPA found no reason to investigate these two complaints further.
Regarding the remaining five complaints, the DPA first assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under Article 12(6) GDPR additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller, but must carry out a proportionality assessment first. The DPA held that randomly requiring data for identification purposes without assessing whether the data is necessary violates Article 12(6) GDPR and the principle of data minimisation under Article 5(1)(c) GDPR.
The DPA then examined whether the information requested was necessary to confirm the data subjects’ identity. The DPA found that the controller had not provided sufficient support to conclude that the additional information it requested was necessary to identify the data subjects ’identity. Therefore, the DPA concluded that the controller violated Article 5(1)(c) GDPR and Article 12(6).
Moreover, the DPA further stated that the controller used a burdensome verification method when requesting erasure without justification, by for example asking the data subjects to provide the order number and price of the last order when the last order was a long time ago. The DPA held that the controller did not facilitate the exercise of the data subjects’ rights, thereby violating Article 12(2) GDPR.
The DPA then examined the current practice of the controller for handling requests for erasure, since the controller had reviewed its procedures since 2018 when the complaints were received. The DPA found the existing procedure not disproportionate and thus not in violation with the GDPR.
The DPA then examined the current practice of the controller for handling requests for erasure, since the controller had reviewed its procedures since 2018 when the complaints were received. The DPA found the existing procedure not disproportionate and thus not in violation with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(11) CDON AB Södergatan 22, 6 tr, 211 34 Malmö Diary number: DI-2020-10549 Decision after supervision according to data protection regulation – CDON AB Date: 2023-03-31 The Privacy Protection Authority's decision The Swedish Data Protection Authority states that CDON AB has processed personal data contrary to: • articles 5.1 c and 12.6 of the data protection regulation by having requested additional information by the appellants in complaints 1-3 and 6-7 when requested to have their personal data deleted, without the processing being necessary for to confirm the identity of the complainants. • article 12.2 of the data protection regulation by using a onerous verification method against the appellants in complaints 1-3 and 6-7. The company has thus not made it sufficiently easy for the complainants to practice their right to erasure according to Article 17 of the Data Protection Regulation. IMY gives CDON AB a reprimand according to article 58.2 b of the data protection regulation for violation of articles 5.1 c, 12.6 and 12.2 of the data protection regulation. Account of the supervisory matter The handling IMY has initiated supervision regarding CDON AB (CDON or the company) due to seven complaint. The complaints have been handed over to IMY, as responsible supervisory authority according to Article 56 of the Data Protection Regulation. The handover has taken place from the supervisory authority in the countries where the complainants have filed their complaints (Finland and Denmark) in accordance with the regulation's provisions on cooperation at cross-border treatment. The proceedings at IMY have taken place through an exchange of letters. Against the background that it applies complaints concerning cross-border treatment, IMY has used them Mailing address: Box 8114 mechanisms of cooperation and uniformity contained in Chapter VII i data protection regulation. Concerned regulatory authorities have been 104 20 Stockholm the data protection authorities in Denmark, Norway and Finland. Website: www.imy.se E-mail: imy@imy.se 1 Telephone: regarding the processing of personal data and about the free flow of such data and about the cancellation of avr med directive 95/46/EC (General Data Protection Regulation). 08-657 61 00 Page 1 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 2(11) Date: 2023-03-31 The complaints Summary of complaints In summary, the following is apparent from the complaints. The appellants have requested that their personal data must be deleted. The company has replied that one request can only be handled if the individual submits information about date of birth, address, customer number, information about recent purchases such as order number and information about payment method including the last four digits of the credit card number when paying by card. Several of them complainants believe that their purchases are so far back in time that they could not retrieve all the requested data. The appellants dispute that all of the the requested data is necessary to confirm their identity and manage their requests. What the complainant and CDON have stated in their respective complaints Complaint 1 (Finland with national diary number 2529/182/2018) On 28 May 2018, the appellant submitted a request for the deletion of his personal data. The company has replied that a request can only be handled if it is the complainant comes in with date of birth, address, customer number, order number and depending on the payment method for the latest order, the following information: • on invoice: price and reference number • for card payment: the last four digits of the credit card number • for direct payment: reference number and receipt In summary, the appellant states that she cannot remember or find them the information requested by the company because the order was made 5–10 years ago. Complaint 2 (Finland with national diary number 2537/154/2018) On 25 May 2018, the appellant submitted a request for the deletion of his customer data. The company has replied that it requires information about the date of birth, customer number, order number and payment method for the most recent order. The appellant believes that it is unreasonable to have to answer these questions in order to be able to protect their rights. The complainant does not have the information requested by the company and has used the erasure request email that was associated with the complainant customer account. Complaint 3 (Finland with national diary number 2648/182/2018) On 31 May 2018, the complainant contacted the Finnish data protection authority after have requested access to and deletion of their data from the company. The company has the 29 May 2018 in response to the complainant's request stated that in order to verify the complainant as a customer, for security reasons, information about the complainant's address, customer number, order number from the last order and depending on the payment method for it last order the following information: • on invoice: price and reference number • for card payment: the last four digits of the credit card number • for direct payment: reference number and receipt The appellant states that it has been a long time since the appellant bought anything from the company and that the complainant does not have the information that the company requires. Furthermore, it is stated that the company does not seem to delete the data without getting answers to their detailed questions at one request for deletion. Page 2 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 3(11) Date: 2023-03-31 Complaint 4 (Finland with national diary number 2664/182/2018) On 31 May 2018, the complainant turned to the Finnish data protection authority after to have requested deletion from the company. It had been 5-10 years since the appellant ordered anything from the company. In order to have their data deleted, the complainant needs to provide data from their purchase which was carried out several years ago. The appellant also needs provide personal data that was not previously needed to complete a purchase. The company has in its response to the appellant informed that there is a right to access and that delete personal data but that the company has the right to retain certain personal data for accounting purposes. In order to meet a request, the company needs for security reasons get information about the complainant's date of birth, address, customer number, order number from last order and depending on the payment method of the last order following task: • on invoice: price and reference number • for card payment: the last four digits of the credit card number • for direct payment: reference number and receipt The company has stated that they cannot verify the date the complaint was received by the company or the date on which the company requested additional information from the complainant. Because the appellant has not been an active customer of CDON in the last two to five years CDON also confirms that the complainants' personal data has been deleted from CDON's system and that no information about the appellant remains. Complaint 5 (Finland with national diary number 2478/153/2018) The complainant has contacted the Finnish Data Protection Authority after requesting deletion of their data at the company. The company has informed the complainant that it there is a right to access and to delete personal data but that the company has the right to retain certain personal data for accounting purposes. To accommodate a request does the company need information about the complainant's date of birth, address, customer number, order number from the last order and depending on payment method for the last order following information: • on invoice: price and reference number • for card payment: the last four digits of the credit card number • for direct payment: reference number and receipt The appellant does not remember when an order was made from the company and how the purchase was made was paid. It has been over a year since anything was ordered. The company has stated that they cannot verify the date the complaint was received by the company or the date on which the company requested additional information from the complainant. Because the appellant has not been an active customer of CDON in the last two to five years CDON also confirms that the complainants' personal data has been deleted from CDON's system and that no information about the appellant remains. Complaint 6 (Finland with national diary number 2814/154/2018) The complainant has filed a complaint with the Finnish Data Protection Authority after a request for erasure with the company on 21 May 2018. The complainant states that the company makes it difficult to exercise the right to erasure by requesting information as a man should not have to save as a customer. The process contributes to the fact that it takes a long time to get personal data deleted. In its response to the complainant on 29 May 2018, the company demanded information about date of birth, address, customer number and one of the following: Page 3 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 4(11) Date: 2023-03-31 • order number from the last order, • depending on the payment method for the most recent order, the following information: o on invoice: price and reference number o for card payment: the last four digits of the credit card number o for direct payment: reference number and receipt Complaint 7 (Denmark with national diary number 2018-31-0638) The complainant states that he tried to delete his customer account online at cdon.dk by use a hyperlink http://cdon.dk/. The company responded to the complainant on 29 May 2018 and requested information about date of birth, address, customer number, order number from last order and payment method for the last order including those last four digits of the credit card number. The appellant states i.a. that the company requires more data when exercising the right to deletion than when creating the customer account. The complainant has used the same email address when requesting deletion as at the creation of the customer account with the company. What CDON AB has stated otherwise CDON AB has essentially stated the following. The complaints Of the complaints received, CDON has been able to identify six out of seven complainants against information in their systems. As regards these six complainants, CDON notes that they are personal data controller for the processing of personal data to which the complaints refer. Regarding the seventh complaint (2478/153/2018), the company has stated that the complainant could not be identified but that it is possible that the complainant has had a customer relationship with CDON under an email address other than the one provided therein complaints sent to the supervisory authority. In connection with the appellants requesting deletion, they have submitted to CDON name and email address. However, CDON has assessed that only these two data are not sufficient to ensure the identity of the complainants. CDON has, with the support of Article 12.6 in the data protection regulation, therefore requested supplementary information from all complaining. In addition to name and email address, CDON has requested the following information in order to ensure the identity of the complainants: • date of birth, • civil registration address, • customer number, • order number for last order, and • payment method for last order. In addition, the complainants have had to provide the following information about payment methods: • for invoice purchases: price and reference number, • in case of card payment: the last four digits of the card, • in the case of direct payment: reference or invoice number. Existing routines In this context, CDON takes the complaints received very seriously difficulties for data subjects to exercise their rights under the data protection regulation and has continuously worked to improve its procedures for identification upon request register extract or deletion. Since 2018, when the complaints were received, the identification process has been reviewed and clarified. Over the years, CDON has worked to improve handling and ensure a simple and secure process at Page 4 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 5(11) Date: 2023-03-31 requests for erasure. Customers who wish to request deletion or access are referred to to contact the company at kunddata@cdon.com. In connection with a registered contacts the company with a request for deletion, the company informs the registered person that the registrant's email will shortly be unregistered from CDON's newsletter (if such subscription is activated). To have their account deleted, request i the current situation CDON that the customer answers two security questions (one each from category 1 and 2) in order for CDON to be able to ensure that the person making contact is correct registered. Those registered may choose to answer a question from each security category of questions that CDON provides. This means that they registrants need to answer only one of the following security questions in category 1. According the control questions in category 1, customers must state date of birth, civil registration address or customer number at CDON.com. After that, the registrants only need to answer one of the following security questions in category 2. The control questions in category 2 are linked to latest order where the customer either states the order number or depending on the payment method enter one of the following information: on invoice; sum and OCR number, at card payment: the last four digits of the card and in case of direct payment; transaction id or invoice ID. In case a customer is unwilling or unable to answer the security questions requested the data subject is also offered the opportunity to contact customer service for follow-up and investigation of alternative security issues to try to find another way to verify the customer's identity. CDON believes that at least two more are necessary information in addition to name and e-mail address from customers according to the company's new routine for to be able to verify with sufficient certainty that it is the right person making one request. CDON's routine for identification and verification of the data subject does not mean that new information is collected about the data subject. CDON only requests to receive two different ones data verified against the data CDON already processes about it registered with a legal basis to be able to verify the identity of the registered. The company's thinning routines CDON has explained that they have a routine for thinning emails and another routine for thinning of personal data. CDON's routine for thinning emails means that all emails received in CDON's customer data box, i.e. kunddata@cdon.com, where customers become referred if they have requests for deletion or register extracts, are thinned and deleted after 14 months from the date the emails were received by CDON. Thinning of customer profiles on CDON is currently based on consumer law obligations in different countries for example after three years in Sweden. CDON thus confirms that all were complained about personal data deleted at CDON. Justification of decisions Applicable regulations In order for personal data processing to be compatible with the data protection regulation, it is required among other things, that the processing meets the requirements regarding the principles of processing of 3 personal data specified in Article 5 of the Data Protection Regulation, including the principle on data minimization (Article 5.1 c) and the principle of responsibility (Article 5.2). 2Since 22 January 2021, CDON only collects birth numbers (if the registered person chooses to supplement with that information in security question 1) and not the full social security number (dnr DI-2020-10549-18 p.2). 3 See the judgment of the European Court of Justice, Valsts eizumenu dienests, C-175/20, EU:C:2022:124, paragraph 50, with case law. Page 5 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 6(11) Date: 2023-03-31 According to Article 5.1 c of the data protection regulation, the personal data must be adequate, relevant and not too extensive in relation to the purposes for which they are processed (principle of task minimization). In accordance with the principle of responsibility stipulated in Article 5.2 of the Data Protection Regulation the personal data controller must be able to demonstrate that paragraph 1 of this article is complied with, i.e. has the burden of proof for this. 4 According to article 11.2 of the data protection regulation, if the person in charge of personal data, in the cases referred to in paragraph 1 of this article, can show that he is not in a position to identify the data subject, the personal data controller shall, if possible, inform it registered about this. In such cases, Articles 15–20 shall not apply, except when the registered for the exercise of their rights in accordance with these articles provides additional information that makes identification possible. According to article 12.2 of the data protection regulation, the personal data controller must facilitate the exercise of the data subject's rights in accordance with Articles 15-22. IN the cases referred to in Article 11.2 of the Data Protection Regulation receive it personal data controller does not refuse to comply with the data subject's request to exercise their rights under Articles 15-22, unless the data controller shows that he or she is unable to identify the data subject. Article 12.6 of the data protection regulation states that without prejudice to the application of article 11 of the data protection regulation, the personal data controller gets, if he has reasonable grounds to doubt the identity of the natural person submitting a request according to articles 15-21, request additional information necessary to confirm the data subject's identity is provided. In the European Data Protection Board (EDPB) guidelines 01/2022 on the right of access states the following. If the personal data controller has reasonable grounds to doubt the requester the person's identity, he may, as stated above, request additional information for to confirm the identity of the data subject. However, the personal data controller must at the same time ensure that it does not collect more personal data than is necessary to enable identification of the requesting person. Therefore it should personal data controller make a proportionality assessment, which must take consideration of the type of personal data being processed (e.g. special categories of information or not), the nature of the request, the context in which the request is made as well as any damage that may occur as a result of improper disclosure. At assessment of proportionality, excessive data collection should be avoided while ensuring an appropriate level of security during treatment. 6 The data controller should implement an authentication procedure (control of the identity of the data subject) to be certain of the identity of the persons who request access to their data, and ensure the security of processing one 4 See the judgment of the European Court of Justice Valsts eizumenu dienests, C-175/20, EU:C:2022:124, paragraphs 77 and 81. 5Guidelines 01/2022 on data subject rights - Right of access Version 2.0 Adopted on 28 March 2023 (EDPB's Guidelines 01/2022 on the right of access). 6 EDPB Guidelines 01/2022, paragraph 70, IMY's translation; original: "As indicated above, if the controller has reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm the data subject's identity. However, the controller must at the same time ensure that it does not collect more personnel data than is necessary to enable authentication of the requesting person. Therefore, the controller shall carry out a proportionality assessment, which must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of the request, the context within which the request is being made, as well as any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection while ensuring an adequate level of processing security.“ Page 6 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 7(11) Date: 2023-03-31 request for access in accordance with Article 32, for example a secure channel for those registered to provide additional information. The method used for authentication should be relevant, appropriate, proportionate and respect the principle about task minimization. If the personal data controller introduces measures aimed at to identify the data subject that is burdensome it must in an appropriate way justify this and ensure compliance with all fundamental principles, including data minimization and the obligation to facilitate the exercise of those data subject's rights (Article 12.2 of the Data Protection Ordinance). 7 The Swedish Privacy Authority's assessment The complaints According to article 57.1 f of the data protection regulation, IMY must process complaints and where this is the case appropriately investigate the matter to which the complaint relates. The case includes seven complaints. IMY has requested that CDON comment on what information the company has requested, the necessity of each individual data, date of when the request for erasure was received i respective complaint, date of when the company requested supplementary information in order to confirm the identity in each complaint and whether the complainants contacted the company after May 25, 2018. Of complaints 4 (Finland with national diary number 2664/182/2018) and 5 (Finland with national diary number 2478/153/2018) no date appears for when the appellants made a request for deletion with the company or when the company requested it the supplementary information. The company has stated that they have deleted the complainant's personal data in the two individual complaints in accordance with its routine and cannot verify the date of when the request in the respective complaint was received or handled. IMY finds no reason to doubt that CDON has lacked the opportunity to find any information about the complainants and their requests for erasure. It has been several years since the complaints were submitted to the Finnish Data Protection Authority. IMY states that it is not possible to draw any safe conclusions from what has occurred in the case of the two complainants based on what has been possible to investigate in the complaints. The has, among other things, especially in light of the fact that the appellants' requests are attributable to the time in close connection with the data protection regulation starting to apply, has not been possible to investigate whether these two complaints are covered by the data protection regulation. CDON has further confirmed that no personal data on these two appellants anymore processed by the company. Against this background, IMY finds that the substantive issue in the two the complaints are investigated to the extent that is appropriate according to Article 57.1 f i data protection regulation. IMY therefore finds no reason to investigate these two complaints further. IMY has consequently based on the remaining five current complaints in the case partly examined the company's actions in these individual cases, partly about the company's current routine is compatible with the data protection regulation. 7EDPB's Guidelines 01/2022, point 71, IMY's translation, original; “The controller should implement an authentication procedure in order to be certain of the identity of the persons requesting access to their data, and ensure security of the processing throughout the process of handling an access request in accordance with Art. 32 GDPR, including for instance a secure channel for the data subjects to provide additional information. The method used for authentication should be relevant, appropriate, proportionate and respect the data minimization principle. If the controller imposes measures aimed at authenticating the data subject which are burdensome, it needs to adequately justify this and ensure compliance with all fundamental principles, including data minimization and the obligation to facilitate the exercise of data subjects' rights (Art. 12(2) GDPR). Page 7 of 11 The Swedish Privacy Agency Diary number: DI-2020-10549 8(11) Date: 2023-03-31 General starting points It can be stated that the personal data controller, in order to identify a registered person, may request additional information that is necessary, about the personal data controller have reasonable grounds to doubt the identity of the person making the request. The Data Protection Regulation does not explicitly regulate which data may be requested or how the additional information is to be collected. The personal data controller must make a proportionality assessment to determine what is appropriate with respect to the regulation's requirements regarding security, among other things, but also in light of the requirement in Article 12.2 of the Data Protection Regulation, according to which it personal data controller shall facilitate the exercise of the data subject's rights. To casually require information for identification without regard to whether the information is necessary as described in article 12.6 of the data protection regulation contravenes according to IMY against both this provision and also against the principle of data minimization i Article 5.1 c of the data protection regulation. As follows from the wording of these regulations and as confirmed by the EDPB's guideline 01/2022 on the right of access, the personal data controller must implement a proportionality assessment and be able to justify the verification method used. To avoid excessive data collection, a request for additional information be proportionate in relation to the type of data being processed and 8 the damage that may occur. This is also confirmed by the guidelines. Has there been a breach of the data protection regulation regarding what presented in the complaints in this case? The question is about the information that the company required to meet the requests in them the individual cases where the data protection regulation is applicable (i.e. complaints 1-3 and 6-7) have been necessary to identify the respective appellants and thus in accordance with data protection regulation. The information that the company has requested in the individual complaints, in addition to name and e-mail, has been date of birth, civil registration address, customer number, order number and payment method for the last order, as well as, depending on the payment method, price and reference number when paying invoices, the last four digits of the card when paying by card, reference or invoice number for direct payment. The company has been given the opportunity to justify the manner in which the respective information was requested been necessary to identify the appellants in the individual cases. The company has without explain in more detail the necessity of the respective requested information, replied that it had not been enough name and email to identify the complainants and verify that it is the right person making a request. According to IMY, the company's statement does not sufficient support to establish that all of the other current information has been necessary to identify the data subjects in accordance with Article 12.6 i the data protection regulation and the principle of data minimization in Article 5.1 c i data protection regulation. It is CDON, in the capacity of personal data controller, who must be able to demonstrate that the processing is carried out in accordance with the regulation (Article 5.2 i data protection regulation). IMY believes that CDON has not done this. IMY states thus that CDON AB processed personal data in violation of article 5.1 c and 12.6 i data protection regulation. In this case, the complainants have had to come in with relatively many personal data in order to be able to exercise their right to deletion, i.a. order number and price for latest order and reference number for invoice purchases together with additional 8EDPB's Guidelines 01/2022, General considerations on the assessment of the data subject's request, pages 2-3. Page 8 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 9(11) Date: 2023-03-31 tasks. In any case, it had been a long time since the appellant had shopped at CDON. This has meant that the appellants have not been able to exercise their right to erasure according to Article 17 of the data protection regulation without having to make an effort to look for in some cases old information and in any case a lot of information. By using without justification opts out of such a burdensome verification method when requesting deletion, the company has thus not facilitating the exercise of the data subjects' rights in the manner required according to article 12.2 of the data protection regulation. CDON AB has thus processed personal data in violation of Article 12.2 of the data protection regulation. Is the company's current routine compatible with the data protection regulation? The investigation shows that the company has continuously reviewed its routines for the handling of requests for deletion since 2018, when all current complaints i the case was received. The general routines that have been reviewed are those that have been in force since 22 January 2021 up to and including the date of IMY's decision in the current case. To ensure the identity of the data subject requesting deletion, it needs registrants now answer two questions (one question in category 1 and one question in category 2) such as date of birth and order number. In category 1, registrants need since January 22, 2021 do not state the social security number but only the date of birth about it registrants choose to supplement with that information. It is not new personal data which is requested to confirm the identity of the data subject without two different data in order to compare them against data that the company already processes about the data subject in order to verify the registrant. That CDON verifies the identity of the data subject before deletion of personal data takes place is also a protection for the data subject who should not have to have their personal data deleted by mistake. The company also offers a alternative route for the data subject who cannot or does not want to answer the security questions namely to contact customer service to find another way to verify it data subject's identity. For a customer who has not placed an order there is thus the option to contact customer service instead. Against this background, IMY finds that CDON's existing routine is not disproportionate and thus not in violation of the data protection regulation, provided that the company only collects the information that appears from the routine in situations where there is reason to doubt the identity of the data subject and that then only the information that is necessary to identify the data subject is requested. Choice of intervention From article 58.2 i and article 83.2 of the data protection regulation it appears that IMY has power to impose administrative penalty charges in accordance with Article 83. Depending on the circumstances of the individual case, administrative penalty fees are imposed in addition to or instead of the other measures referred to in article 58.2 of the data protection regulation, such as injunctions and prohibitions. Further it appears from article 83.2 of the data protection regulation which factors must be taken into account decisions on administrative penalty charges must be imposed and upon determination of the amount of the fee. If it is a question of a minor violation, IMY receives according to what set out in recital 148 instead of imposing a penalty charge issue a reprimand under article 58.2 b of the data protection regulation. Consideration shall be given to aggravating and mitigating circumstances of the case, such as the nature of the violation, degree of severity and duration as well as previous violations of relevance. IMY notes the following relevant circumstances. The current supervision includes CDON AB's handling of five individual appellant's requests in the situation which the complaints concern. Page 9 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 10(11) Date: 2023-03-31 The company has taken measures to make it easier for registered users to exercise their rights rights in accordance with the data protection regulation and changed its procedures so that they are compatible with the data protection regulation. Some measures had already been taken before this supervisory case was initiated. Furthermore, the observed violations occurred relatively far back in time. The company has not previously received any corrective action for breach of data protection regulations. Against this background, IMY finds that it is a question of such a minor violation in the sense referred to in recital 148 and that CDON AB should be given a reprimand according to Article 58.2 b of the data protection regulation for the violations found. This decision has been taken by the unit manager Catharina Fernquist after a presentation by lawyer Salli Fanaei.Catharina Fernquist, 2023-03-31 (This is an electronic signature) Copy to The data protection officer Page 10 of 11 The Swedish Privacy Agency Diary number: DI-2020-10549 11(11) Date: 2023-03-31 How to appeal If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in the letter which decision you are appealing and the change you are requesting. The appeal shall have been received by the Privacy Protection Authority no later than three weeks from the day you received it part of the decision. If the appeal has been received in time send The Privacy Protection Authority forwards it to the Administrative Court in Stockholm examination. You can e-mail the appeal to the Privacy Protection Authority if it does not contain any privacy-sensitive personal data or information that may be covered by secrecy. The authority's contact details appear on the first page of the decision. Page 11 of 11