IMY (Sweden) - IMY-2022-9109

From GDPRhub
Revision as of 13:24, 29 April 2024 by Ec (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Sweden |DPA-BG-Color= |DPAlogo=LogoSE.png |DPA_Abbrevation=IMY |DPA_With_Country=IMY (Sweden) |Case_Number_Name=IMY-2022-9109 |ECLI= |Original_Source_Name_1=IMY |Original_Source_Link_1=https://www.imy.se/globalassets/dokument/beslut/2023/beslut-tillsyn-mag-interactive-ab.pdf |Original_Source_Language_1=Swedish |Original_Source_Language__Code_1=SV |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Sou...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
IMY - IMY-2022-9109
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(2) GDPR
Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 22.05.2023
Published: 14.04.2024
Fine: n/a
Parties: MAG Interactive AB
National Case Number/Name: IMY-2022-9109
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: ec

The DPA issued a reprimand against a controller for requiring data subjects to log in to their game to request erasure and if they could not log in, asking data subjects to provide the usernames of three friends and three opponents in the game, which was unnecessary and disproportionate.

English Summary

Facts

A data subject in France requested the erasure of their personal data in the game QuizDuel by MAG Interactive AB (“controller”), a mobile gaming company based in Sweden. The data subject logged into the game via their Facebook account.

The controller replied with requesting additional information from the data subject for identification purposes, even though the data subject had provided their Facebook ID and email addresses in their request for erasure. The controller explained that neither the Facebook ID and the three email addresses the data subject provided in their erasure request resulted in any hits on a direct search in the controller’s system. The controller furthermore explained that the easiest way for the data subject to request erasure was by downloading the game again and request for erasure within the game.

The data subject responded that they longer have an account.

The controller then requested the following information to restore the data subject’s account and to enable the data subject to request the erasure of his personal data: (1) the username, (2) names of three friends, (3) names of three opponents and (4) an email address to link the account with.

The data subject replied and requested access to the information the controller had about them. The controller again informed the data subject it could not find the data subject’s account with the data subject’s Facebook ID and stated that the data subject could request access to personal data from within a game of the controller.

The data subject replied that they had played the game “QuizDual” on Facebook and did not have an account with the controller and therefore cannot request access from the account. The controller argued that the game never existed on Facebook but that the data subject may have logged in via a Facebook on a mobile application. However, as the data subject for the first time mentioned the game, the controller could use the game information to locate an account linked to one of the email addresses the data subject provided.

The data subject then received an email to confirm they wanted their account to be erased. The data subject replied and confirmed they owned the account and they wanted it erased. The controller then erased the account and informed the data subject of the erasure.

The data subject lodged a complaint against the controller at the French DPA. Given the cross-border nature of the processing, the Swedish DPA (“Integritetsskydds myndigheten”) made use of the cooperation and consistency mechanisms provided by the GDPR, as the controller was based in Sweden. The data subject asked to investigate whether the controller handled the data subject’s request for erasure correctly, whether the information that the controller requested was necessary to confirm the data subject’s identity and whether the controller sufficiently facilitated the exercise of the data subject’s rights in the GDPR.

The controller argued that it was difficult to locate the personal data of the data subject, as the account of the data subject was closed for a long time and neither the email address from which the request came and the Facebook ID was linked to any account with the controller. Moreover, since Facebook changed the way Facebook ID works for privacy reasons, the number that the controller received from Facebook is only linked to the controller and not linked to an individual’s Facebook account. The controller further argued that as the case turned into an access request, the controller asked that the request is made from within the data subject’s account for privacy reasons, as user data may contain chat logs.

This is also why the controller ensures accounts are password-protected with password recovery via a provided email address. However, it becomes difficult for the controller to take action on requests when data subjects have forgotten their login details and cannot recover their account via email. Therefore, the controller solved this by using information on the phone and operating system to help data subjects recover their account, which is why the controller asked to re-install the game. When the data subject refused to do this, the controller asked as a last resort for additional information (see the 4 points above) that the data subject should know and should be easy for the data subject to remember but is difficult for others to know to verify the identification of the data subject. The controller argued that this information they request also is not personally identifiable information and already in the controller’s register.

The controller also explained that it will soon release a new process to handle such requests in case of missing account information in an easier way by requesting less information from the data subject.

Holding

Firstly, regarding the information requested, the DPA assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under Article 12(6) GDPR additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller. The DPA, in light of the controller’s argumentation, held that the controller had reasonable grounds to doubt the identity of the data subject. The DPA also took into account that the controller had an obligation to ensure the identity of the data subject making a request to protect the data subject against someone else wrongly making requests in their name, leading to negative consequences for the data subject.

The DPA then continued and stated that even if the controller had reasonable grounds, it should carry out a proportionality assessment to justify the verification method used to not unnecessarily collect more personal data. The DPA found that at the time of the data subject’s erasure request, the controller only processed an email address linked to the data subject, the advertising ID of the data subject’s phone and the data subject’s username and password. The DPA therefore held that an erroneous deletion of the said data would not result in any major disadvantages or consequences for the data subject, and thus the requirements for identification could therefore be set relatively low. The DPA also stated that in the end, the controller was able to comply with the erasure request with only the email address linked to the user account. Thus, the DPA considered that asking for additional data in the form of the usernames of three friends and three opponents were neither necessary nor proportionate to confirm the identity of the data subject under Article 12(6) GDPR.

The DPA then examined whether requiring the data subject to log into their account and make their erasure request from within the game was compatible with Article 12(2) GDPR. The EDPB guidelines on right of access (01/2022) state that the controller may encourage the data subject to use a self-service tool, but that the controller must also deal with access requests that are not sent through the established communication channel. By requiring the data subject to log in to a game to send their requests, the controller did not facilitate in the data subject’s exercise of their right to erasure.

The DPA therefore held that the controller was in breach of Article 12(2) GDPR.

The DPA found that the infringements were minor pursuant to Recital 148, because (1) the infringements found date back relatively far in time and (2) the controller did fully comply with the data subject’s request for erasure. Thus, the DPA issued a reprimand to the controller for breaching Article 12(2) GDPR and Article 12(6) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

1(12)







                                                                      MAG Interactive AB








Diary number:
IMY-2022-9109 Decision after supervision according to Article 60 i

Date: data protection regulation - MAG
2023-05-22

                                Interactive AB





                                The Privacy Protection Authority's decision


                                The Swedish Privacy Protection Authority notes that MAG Interactive AB (556804-3524) at
                                handling of the request for erasure made by the complainant on January 31, 2021 has
                                processed personal data in violation of:

                                                                               1
                                    - Article 12.6 of the Data Protection Regulation by requesting information in the form of
                                         usernames of three friends and three opponents in the game QuizDuel when this
                                         not been necessary to confirm that appellant's identity as well

                                    - Article 12.2 of the Data Protection Regulation by, after the complainant requested
                                         deletion by email, also require the complainant to log into the game in order to
                                         send their request from within the game which has not facilitated the complainant
                                         exercising their right to erasure.


                                The Swedish Privacy Protection Authority gives MAG Interactive AB a reprimand according to article 58.2
                                b the data protection regulation for the established violation.




                                Account of the supervisory matter

                                Handling

                                The Swedish Privacy Protection Authority (IMY) has started supervision of MAG Interactive AB
                                (the company) due to a complaint, mainly to investigate whether the company has taken
                                received and handled the complainant's request for deletion in a correct manner, i.a. if
                                the company had reasonable grounds to doubt the identity of the complainant and in such cases whether they

                                information requested by the complainant has been necessary to confirm the complainant
                                identity and whether the company has facilitated the exercise of the complainant's rights i
                                sufficient extent (Articles 11, 12 and 17 of the Data Protection Regulation).

Mailing address:
Box 8114 The complaints have been handed over to IMY, in its capacity as the responsible supervisory authority according to
104 20 Stockholm article 56 of the data protection regulation. The handover has taken place from the supervisory authority
Website:

www.imy.se
E-mail:
imy@imy.se 1
                                 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of
Telephone: natural persons with regard to the processing of personal data and on the free flow of such data and on
08-657 61 00 repeal of Directive 95/46/EC (General Data Protection Regulation). The Swedish Privacy Agency Diary number: IMY-2022-9109 2(12)
                               Date: 2023-05-22






                               in the country where the complainant has filed his complaint (France) in accordance with
                               the regulation's provisions on cooperation in cross-border processing.


                               The proceedings at IMY have taken place through an exchange of letters. Against the background that it applies
                               cross-border treatment, IMY has used the mechanisms for cooperation
                               and uniformity found in Chapter VII of the Data Protection Regulation. Affected

                               supervisory authorities have been the data protection authorities of Denmark, France, Ireland,
                               Norway, Poland, Germany and Austria.


                               The complaint
                               The complaint essentially states the following.


                               On January 31, 2021, the complainant requested the deletion of his personal data in the game
                               QuizDuel, a game the appellant used through his Facebook account. The company then has
                               requested additional information from the appellant for identification purposes despite the fact that the appellant in his

                               request for deletion stated their Facebook ID and email addresses. To the complaint
                               the appellant has attached email correspondence between the appellant and the company of which
                               the following i.a. appears. On February 28, 2021, the company replied to the complainant that they have not

                               ability to locate the complainant's account using the complainant's Facebook ID and
                               that the appellant needs to open any of the MAG Interactive games to make one
                               request. The complainant has replied to this that he no longer has a MAG Interactive

                               account. On 11 March 2021, the company has i.a. requested the following information from the appellant i
                               purpose of restoring the complainant's account and thus enabling the complainant to request
                               deletion of their personal data: username, name of three friends, name of three
                               opponent and an email address to which he wants to connect the account.


                               What the company has stated
                               In statements from November 4 and 7, 2022, the company essentially stated the following.


                               Description of the course of events surrounding the handling of the complainant's request for
                               deletion

                               On January 31, 2021, the complainant contacted one of the company's support email addresses and

                               provided a Facebook ID and three email addresses and requested to be deleted. At this one
                               time, given the information the support received, the company did not receive any direct hits
                               typing in the company's system, neither on Facebook ID nor on any of the specified

                               the email addresses. The company's support responded on February 1, 2021 with instructions for
                               how the complainant can request deletion from the game. The appellant contacted us again on the 8th
                               February 2021 and said that he does not have the game left but wants to delete his data. The

                               On February 9, the company's support replied that the easiest way is to download the game again
                               and request deletion from within the game. On February 12, 2021, the appellant responded and
                               announced that she instead wanted to know what information the company has about her. From this

                               time the case was handled by the company as a request for access.

                               On February 13, 2021, the company's support responded that the complainant can request access from

                               the game. The complainant contacted again on 20 February 2021 and had problems to
                               use their Facebook account. The complainant asked again if the company can find him
                               account with his Facebook ID. On February 23, 2021, support replied that they did not
                               find any account with the Facebook ID the complainant specified but that he should be able to

                               start any of the company's games and request the personal data from within a game.

                               On February 27, 2021, the complainant asked if the company had really tried to search for him

                               Facebook ID. Support replied again on February 28, 2021 that they cannot find him
                               account on the Facebook ID she entered, but that she should be able to start any
                               Date: 2023-05-22






                               of their game and request access from within the game. On March 4, 2021, the appellant responded
                               that he played "QuizDuel" on Facebook and does not have an account with MAG Interactive.
                               She cannot therefore request access from there. This was probably a misunderstanding then

                               the game was never on Facebook but he may have logged in via a Facebook button
                               originally which was possible several years ago. It was the first time the appellant
                               mentioned which game it was for which made it much easier to look for them

                               tasks.

                               On March 11, 2021, support replied that they cannot find the complainant's account through his

                               Facebook ID but that they will try to help him get into his account so that he can
                               request access or delete their account. The support had then probably managed to locate one
                               account linked to one of the complainant's provided email addresses using the information

                               about the game. Support then sent the standard questions the company asks when they are supposed to
                               help users log into their account if they have forgotten their credentials.
                               The complainant never responded to that email and when enough time passed the company closed

                               the case.

                               On October 30, 2022, after the company's CTO received the case, the CTO located an account

                               who could be connected to the complainant and emailed the complainant for confirmation
                               that the account should be deleted. On November 6, 2022, the appellant responded and confirmed that
                               he owns the account and that the account should be deleted. November 7, 2022 was deleted

                               the complainant's account and the complainant was informed about it.

                               The company's processing of the complainant's personal data at the time of the complainant's

                               request

                               At the time of the complainant's request for deletion, the company was processing an email address
                               which is linked to the complainant and probably the advertisingId/vendorId from their phone,

                               the complainant's username and password. Otherwise, the company did not process any others of
                               the complainant's personal data as any chat history and ip number are
                               deleted long ago due to the company's retention policy.


                               Why the company claims to have had reasonable grounds to doubt the identity of the complainant


                               The complainant provided in his deletion request a Facebook ID and three email addresses and
                               wrote that he used one of the company's apps on Facebook.


                               The company's games are played on not on Facebook but on mobile phones and he did not specify
                               nor any surrounding information such as username, which game it was
                               or even that it was a game. The game which the appellant, according to later information, had played

                               is so old that you didn't get any hits on the other email addresses either.
                               Because the game to which the complainant's user account has been linked for a long time is also
                               closed makes it difficult to find with email address alone. Email addresses are public and one

                               providing an email address is therefore not proof of ownership. The email address that
                               the request came from was also not linked to any account with the company and neither
                               the Facebook ID entered. Regarding the other two email addresses, there was nothing

                               proof that it is the complainant's email addresses.

                               The Facebook ID the complainant provided is not registered with the company. Facebook has since

                               many years stopped using global user numbers for privacy reasons. In the service of
                               the company shut down many years ago where you could log in via your Facebook account
                               the company does not see the same number as the complainant indicates. The customer number the company received from the Swedish Data Protection Agency Diary number: IMY-2022-9109 4(12)
                                Date: 2023-05-22






                                Facebook is only connected to the company and cannot be linked to a person by the company
                                Facebook account.


                                Given the knowledge of which game it was about that the company eventually got, had
                                managed to find the account to which one email address was linked. The company then had
                                was able to send an email to that email address in order to confirm the complainant's identity. The

                                however, had played no role in this case when the case was changed on 13 February 2021
                                to an access request.


                                How the complainant would go about requesting erasure and subsequent access

                                Support initially suggested that the complainant request deletion directly from the game

                                because it is the easiest and safest way. It is normal for users to have
                                the game remains on the phone. In addition, the company's game helps with a reinstallation
                                the user to get back to the correct account. When support has difficulty finding an account

                                with the user's data it is therefore reasonable that they suggest a reinstallation to
                                get to the right account. Support can also delete information directly about ownership
                                the information can be substantiated. In the current case, the case turned to a request for

                                access and then the company normally wants the user to be logged into their account.
                                The company has stated that, just as for requests for deletion, proof is required
                                ownership of the account to request access, this for privacy reasons and in accordance

                                with the data protection regulation. Since user data may contain chat logs is
                                the handling of access requests a little more strict than when handling a request for
                                deletion of user data. The company therefore requires that the request be made from within

                                player's account.

                                Information that has been requested for the purpose of confirming identity


                                The game the appellant had played was a game with user accounts. In game with
                                user accounts often have chats for players to talk to each other. Of
                                for privacy reasons, it is important that anyone cannot read anyone else's chats.

                                The accounts are therefore password protected. Users can enter an email address for
                                password reset but not all users do it or they have changed their email address.


                                One issue all online services grapple with is how to handle the cases where users
                                forgot the login details and it is not possible to restore the account via email. A part
                                uses security questions, where users are allowed to fill in the name of their first pet or

                                similar. In the company's case, it is a bit more complicated, as the company partly does not want to ask
                                the users about more information than absolutely necessary, partly the game has that
                                the current case was about a user base built up since 2012 with 100 million

                                users who have not entered any such information. When users have forgotten
                                If the login details and the account cannot be restored via email, the company resolves it
                                in that the games make use of information on the phone and the operating system for

                                to help users back to the account which is why the support sometimes
                                asking users to install the game, which also appears to have been done by support in this case.


                                When it doesn't work or as in this case when the user doesn't want the support asks as
                                a last resort about information the player should know and should be easy
                                for one user to remember but difficult for others to know. This one

                                information is requested so that the company can ensure that it is the account holder
                                to whom they grant access to the account. The information that support requests in such cases
                                is as follows: The Swedish Privacy Agency Diary number: IMY-2022-9109 5(12)
                                Date: 2023-05-22






                                    - The registrant's username.
                                         A task that is assumed to be easy for most people to answer. However, it is also
                                         a task that is relatively easy for others to figure out.


                                    - Usernames of three of the registrant's in-game friends.
                                         Most people who play this game have some friends they have played with for years. The
                                         the task should also be easy to answer.


                                    - Usernames of three of the registrant's opponents in the game.
                                         This task is often a bit more difficult to provide but for users who

                                         mostly playing against random players and not adding friends is one
                                         required task.


                                Support also asked which email address the user wanted to link the account to.
                                This is so that the complainant can log in and request their user data from within
                                the game.


                                The data must normally be provided by email in the ongoing support dialogue. The
                                is not a requirement that one is right on all questions, but an assessment is made based on
                                how right/wrong the answer is. The company also does not ask for personally identifiable information

                                but only about usernames which are normally anonymous/pseudonymous and which already
                                can be found in the company's register. The only data that is personally identifiable information
                                is the email address the user wants to connect to the account. If the user can answer that well

                                that the company deems that the user actually owns the account, the support sets
                                the email address for recovery. The user can then set a new password and log in.


                                The company is continuously working on improving its support tools and will be coming soon
                                release a new version where this particular scenario can be handled and which should make it easier
                                for support to find users even with very limited information. The support

                                have instructions to delete the user's account directly about the email address on the account
                                matches the user's email address and otherwise help the user take
                                delete the account through the game. In this case, you can think of a third solution, that the company sends an email
                                out a link to the linked account and that the user confirms deletion via the link

                                to verify their identity. The company intends to add such an option.

                                The complainant's account has been deleted


                                The appellant's request for erasure has now been granted. The company has emailed
                                the complainant on 30 October 2022 both at the email address he used in the support matter

                                and the email address they found when searching. The company's CTO has asked the appellant to
                                reply from that email address. Answer received from the appellant on November 6, 2022 with
                                a confirmation that the appellant owns the account. The company's CTO has subsequently deleted

                                the complainant's account and informed the complainant of this.


                                Justification of the decision

                                Applicable regulations, etc.


                                According to Article 17.1, the data subject shall have the right to the personal data controller without
                                unnecessary delay have their personal data deleted and the personal data controller

                                shall be obliged to delete personal data about any of them without undue delay
                                prerequisites listed in the article exist, for example if the information is not

                                 Date: 2023-05-22






                                 are no longer necessary for the purposes for which they have been collected or consented to
                                 treatment is withdrawn.


                                 Article 11.1 states that if the purposes for which the personal data controller
                                 processes personal data does not require or no longer requires that the data subject

                                 is identified by the personal data controller, the personal data controller shall not
                                 be required to retain, acquire or process additional information in order to

                                 identify the data subject only for the purpose of complying with this regulation.


                                 According to Article 11.2, if the personal data controller, in the cases referred to in
                                 paragraph 1 of this article, can show that he is not in a position to identify it
                                 registered, the person in charge of personal data shall, if possible, inform the registered

                                 about this. In such cases, Articles 15–20 shall not apply, except when the registered for
                                 exercise of its rights in accordance with these Articles provides further

                                 information that makes identification possible.


                                 Article 12.6 states that, without prejudice to the application of Article 11, it may
                                 personal data controller, if he has reasonable grounds to doubt its identity

                                 natural person who submits a request under Articles 15-21, request that additional
                                 information necessary to confirm the identity of the data subject is provided.



                                 According to Article 12.2, the personal data controller must facilitate its exercise
                                 data subject's rights in accordance with Articles 15–22. In the cases referred to in article
                                 11.2 the personal data controller may not refuse to accommodate the data subject

                                 the request to exercise its rights under Articles 15-22, unless it
                                 personal data controller shows that he or she is not in a position to identify it

                                 registered.

                                                                                                               2
                                 In the European Data Protection Board's (EDPB) Guidelines 01/2022 on access is stated among
                                 other following.



                                    53. The European Data Protection Board calls on the data controllers to

                                    provide the most appropriate and user-friendly communication channels,
                                    in accordance with articles 12.2 and 25 of the data protection regulation, so that it

                                    Data subjects can make an effective request. If the data subject makes a request
                                    using a communication channel provided by it

                                    personal data controller, which is different from the one indicated as the one who
                                    is preferred, such request shall generally be deemed effective and it
                                    the personal data controller should process such a request accordingly (see

                                    examples below). The personal data controllers should take all reasonable steps to
                                    ensure that the exercise of data subjects' rights is facilitated (if the data subject

                                    for example, sending a request to an employee who is on leave can be done automatically
                                    notification of an alternative communication channel for the request to it
                                                                                 3
                                    registered be a reasonable effort).



                                 2EPPB, Guidelines 01/2022 on data subject rights – Right of access, Version 2.0 (EDPB's Guidelines 01/2022 on the right
                                 to access), finally adopted on 28 March 2023.
                                 3IMY's translation, original: The EDPB encourages controllers to provide the most appropriate and user-friendly
                                 communication channels, in line with Art. 12(2) and Art. 25 GDPR, to enable the data subject to make an effective
                                 request. Nevertheless, if a data subject makes a request using a communication channel provided by
                                 the controller28, which is different from the one indicated as the preferable one, such request shall be,
                                 in general, considered effective and the controller should handle such a request accordingly (see the
                                 examples below). The controllers should undertake all reasonable efforts to make sure that the Privacy Protection Agency Diary number: IMY-2022-9109 7(12)
                                   Date: 2023-05-22







                                       […]


                                       67. In cases where the person in charge of personal data requests or receives from the registered person

                                       additional information necessary to confirm the identity of the data subject
                                       the personal data controller must each time assess which information

                                       will enable it to confirm the identity of the data subject and
                                       possibly ask the requesting person additional questions or request that it

                                       data subjects provide additional identification data, if it is proportionate
                                       (see section 3.3). 4



                                       68. To allow the data subject to provide the additional information required to
                                       identify his or her personal data, the personal data controller shall

                                       inform the data subject of the type of additional information required to
                                       enable identification. Such additional information should not be more than that

                                       information originally needed for the authentication of the data subject. IN
                                       generally, the fact that the controller may request additional

                                       information to assess the identity of the data subject does not lead to excessive demands
                                       and to the collection of personal data that is not relevant or necessary to

                                       strengthen the connection between the individual and the personal data requested. 5


                                       […]


                                       70. If the personal data controller has reasonable grounds to doubt the requester

                                       the person's identity, it may, as stated above, request additional information for
                                       to confirm the identity of the data subject. However, the personal data controller must

                                       at the same time ensure that it does not collect more personal data than is necessary
                                       to enable authentication of the requesting person. Therefore it should

                                       personal data controller make a proportionality assessment, which must take
                                       consideration of the type of personal data being processed (e.g. special categories of

                                       information or not), the nature of the request, the context in which the request is made as well as
                                       any damage that may occur as a result of improper disclosure. At

                                       the assessment of proportionality should be remembered to avoid excessive

                                       data collection at the same time as an appropriate level of security during processing
                                       is ensured. 6





                                   exercise of data subject rights is facilitated (for example, when a data subject sends an access request
                                   to an employee who is on leave, an automatic message informing the data subject about an alternative
                                   communication channel for this request could be a reasonable effort).
                                   4IMY's translation, original: In cases where the controller requests or is provided by the data subject with additional
                                   information necessary to confirm the identity of the data subject, the controller shall, each time, assess what

                                   information will allow it to confirm the data subject's identity and possibly ask additional questions to the requester
                                   person or request the data subject to present some additional identification elements, if it is proportionate (see section
                                   3.3).
                                   5IMY's translation, original: In order to allow the data subject to provide the additional information required to
                                   identify his or her data, the controller should inform the data subject of the nature of the additional information
                                   required to allow identification. Such additional information should not be more than the information initially
                                   needed for the authentication of the data subject. In general, the fact that the controller may request
                                   additional information to assess the data subject's identity cannot lead to excessive demands and to
                                   the collection of personal data which are not relevant or necessary to strengthen the link between the

                                   6ndividual and the personal data requested.
                                    IMY's translation, original: As indicated above, if the controller has reasonable grounds for doubting the identity of
                                   the requesting person, it may request additional information to confirm the data subject's identity. However, the
                                   controller must at the same time ensure that it does not collect more personal data than is necessary to enable
                                   authentication of the requesting person. Therefore, the controller shall carry out a proportionality assessment, which
                                   must take into account the type of personal data being processed (e.g. special categories of data or not), the nature of
                                   the request, the context within which the request is being made, as well as any damage that could result from
                                   improper disclosure. When assessing proportionality, it should be remembered to avoid excessive data collection
                                   while ensuring an adequate level of processing security. Data Protection Agency Diary number: IMY-2022-9109 8(12)
                                Date: 2023-05-22






                                   […]


                                   138. The use of self-service tools should never limit the scope of

                                   personal data received. If it is not possible to provide all information according to
                                   Article 15 through the self-service tool, the remaining information must
                                   provided in another way. The controller may encourage it

                                   registered to use a self-service tool like that
                                   data controller has set up to handle requests for access. The
                                   however, it should be noted that the personal data controller must also manage

                                   access requests that are not sent through the established
                                   the communication channel. 7


                                The Swedish Privacy Authority's assessment


                                Based on the current complaint in the case, IMY has reviewed the company's
                                action in this individual case.


                                Has the company been able to identify the complainant?


                                The company has stated that based on the information in the complainant's request for deletion on 31
                                January 2021, the company was unable to identify the data subject. The information that
                                provided by the appellant in the request did not, according to the company's data, yield any hits at a

                                direct punching in the company's system, neither on that Facebook ID nor on any of them
                                email addresses provided by the complainant. The company's opinion further states that when the company
                                on March 4, 2021 received information about which game the complainant's request referred to they could

                                find an account that one of the complainant's provided email addresses was associated with. Against
                                background of this, IMY notes that the company could at least connect on March 4, 2021

                                the appellant's request for a user account and identification of the appellant was thereby
                                Possible. IMY therefore assesses that the appellant in accordance with what is prescribed in article
                                11.2 of the data protection regulation provided such additional information as does

                                the identification possible. The company has thus not shown that it was unable to
                                identify the data subject, and therefore could not refuse to accommodate it either

                                registered the request to exercise their rights under Article 12.2 i
                                data protection regulation.


                                Has the company acted in accordance with 12.6 of the data protection regulation when the company
                                requested current information from the complainant?


                                Has the company had reasonable grounds to doubt the identity of the complainant


                                It is only when the personal data controller has reasonable grounds to doubt the identity
                                with the person who made the request who receives additional information to confirm the identity

                                is requested. What constitutes "reasonable grounds" in Article 12.6 of the Data Protection Regulation should
                                assessed based on the circumstances of the individual case. The assessment of whether there is
                                reasonable grounds to doubt in an individual case the identity of the person making the request is made

                                normally in light of the information provided in connection with the request. The
                                applies especially in situations where the person in charge of personal data lacks further knowledge
                                about this person. However, the fact that an individual assessment is required does not preclude that


                                7IMY's translation, original: The use of self-service tools should never limit the scope of personal data received. If
                                not possible to give all the information under Art. 15 through the self-service tool, the remaining information needs
                                to be provided in a different manner. The controller may indeed encourage the data subject to use a
                                self-service tool that the controller has set in place for handling access requests. However, it should be
                                noted that the controller must also handle access requests that are not sent through the established
                                channel of communication. The Swedish Privacy Agency Diary number: IMY-2022-9109 9(12)
                                Date: 2023-05-22






                                routines are established for how the person in charge of personal data normally verifies it
                                data subject's identity.


                                From the appendix to the complaint, it appears that the complainant provided the following information when he
                                Requested deletion on January 31, 2021: Facebook ID and three email addresses and one
                                email address from which the email with the request was sent.


                                The company has stated that at the time of the complainant's request for deletion
                                did they process an email address associated with the complainant and probably also

                                advertisingId/vendorId from the complainant's phone, the complainant's username and
                                password.


                                The company has been given the opportunity to justify the individual assessment based on which it was made
                                the appellant's situation if they considered that they had reasonable grounds to doubt the appellant
                                identity when he made his request. The company has essentially stated the following.

                                The company's games are not played on Facebook but on mobile phones, why not Facebook IDs
                                contributed to the verification of the appellant's identity. Email addresses are public and an indication
                                of such is no evidence of ownership. The email address the request came from

                                nor linked to any account with the company nor the Facebook ID which
                                was specified. The appellant did not provide any surrounding information, such as
                                username, which game it applies to or even that it is a game. The game that

                                the appellant, according to later information, had played was so old that the company did not get either
                                any hits on the other email addresses provided in the request. Using
                                the information the company received on 4 March 2021 from the complainant about the game in question

                                the company found a user account linked to one of the complainant's provided email addresses.

                                In light of what the company stated and the information the complainant provided in his request
                                regarding deletion, IMY states that the company had reasonable grounds to doubt the identity of

                                the appellant. In the assessment, IMY also considers the fact that the obligation to
                                ensuring the identity of the person making the request also aims to protect
                                data subjects against someone else falsely making requests on their behalf, which may

                                lead to negative consequences for the data subject.

                                Has the information the company requested from the complainant been necessary to confirm

                                his identity?

                                Even if the personal data controller has reasonable grounds to doubt the identity of it

                                registered, the personal data controller shall not collect more personal data than what
                                which is necessary to enable identification of the requesting data subject. The
                                personal data controller must carry out a proportionality assessment and be able to

                                justify the verification method used.

                                The company has stated that the request was changed to an access request on March 4, 2021

                                and the company then demanded that the request be made from within the player's account. Then
                                user data may contain chat logs, the handling of the request for access is little
                                more strict than when handling a request for the deletion of user data has

                                the company stated. Regarding the necessity of the information they requested from it
                                complainant in order to confirm his identity, the company has essentially stated the following.
                                Usernames are requested as the task is assumed to be easy for most people to answer. The

                                is, however, a task that is relatively easy for others to figure out. Username of three
                                friends in the game are requested as most people who play this game have some friends
                                played for years with. That task should therefore be easy to answer. Username on

                                three opponents in the game is more difficult to provide but for people who play the most
                                Date: 2023-05-22






                                against random players and not adding friends it is a necessary task to
                                request in. It is not a requirement that the requester is right on all questions, but it is done
                                a judgment based on how right or wrong the answer is.


                                IMY notes that from the basis the company has submitted, consisting of
                                email correspondence between the appellant and the company, it appears that the appellant has not

                                waived its request for erasure. Of the email correspondence, especially the email that
                                was sent by the MAG Support Team on March 11, 2021, it is further stated that the current
                                the information was requested by the company in order for the complainant to gain access to the account i

                                purpose of requesting deletion. The company's claim that the complainant's request for deletion
                                had been changed to instead refer to a request for access, and that they requested
                                the data intended to identify the appellant only in the event of a request for access can

                                therefore be disregarded. The company has indeed requested more information from
                                the appellant in order to confirm the appellant's identity, but IMY assesses that it is clear
                                that it is still a request for erasure as the appellant wants it to be

                                accommodated. It also appears that the company has requested the relevant information in
                                in connection with the complainant's request for erasure.


                                Regarding the information requested by the company from the complainant, states IMY
                                following. Of the EDPB's guidelines on the right of access, i.a. that it
                                personal data controller must take that type into account in the proportionality assessment

                                of personal data processed (e.g. special categories of data or not),
                                the nature of the request, the context in which the request is made and any damage that may occur
                                arise as a result of improper disclosure. At the time of appellant's request

                                the company only processed an email address that is linked to the complainant as well
                                advertisingId/vendorId from their phone, the complainant's username and password. One
                                According to IMY, incorrect deletion of said data would not involve any major problems
                                disadvantages or consequences for the appellant. The requirements for identification could therefore

                                set relatively low. It has also been shown that correct answers to all questions are not
                                was required and that the complainant's identity could later be confirmed by another
                                identification method that required significantly fewer data. Confirmation that it is

                                the complainant's user account sent from the email address linked to the user account
                                was deemed sufficient to confirm the appellant's identity and accommodate the request
                                on November 7, 2022.


                                IMY therefore assesses that, taking into account the nature of the request, the type of personal data
                                that was processed and the identification method that was later used, that the data in

                                form of username of three friends and three opponents neither can be considered to have been
                                necessary or proportionate to confirm the identity of the complainant accordingly
                                with article 12.6 of the data protection regulation.


                                Has the company made it easier for the complainant to exercise his right to erasure according to article
                                12.2 of the data protection regulation?


                                The next question is whether it has been consistent with Article 12.2 of the Data Protection Regulation to
                                require the complainant to log into their account and make their request from within the game.


                                The company has essentially stated the following. If the user can answer so well that the company
                                assesses that the user owns the account, the support sets the email address for recovery.
                                The player can then set a new password and log in. Because the case in it
                                the current case had turned into a request for access, the company normally wants to

                                the user must be logged in to their account to exercise their request. The Swedish Privacy Protection Agency Diary number: IMY-2022-9109 11(12)
                                Date: 2023-05-22






                                As IMY noted in the section above, it is clear from the company's documentation
                                submitted that the appellant has not waived his request for deletion and that the company
                                has requested the relevant information in order for the complainant to access the account i

                                purpose of requesting deletion from within the game.

                                The EDPB's guidelines on access include, among other things, that the personal data controller can
                                encourage the data subject to use a self-service tool but that it

                                Data controllers also have to deal with requests for access that do not
                                sent via the established communication channel. By demanding from the appellant
                                whose request for deletion has been received by the company after answering questions

                                whose purpose was to confirm his identity, must log into a game to exit the game
                                send his request, the company has not made it easier for the complainant to exercise his right to
                                deletion. IMY thereby assesses that the company thereby acted in violation of Article 12.2 i
                                data protection regulation.


                                Has the complainant's request for erasure pursuant to Article 17 of the Data Protection Regulation
                                accommodated?

                                The complaint states that the complainant requested deletion on January 31, 2021 and that

                                it has not been satisfied at the time of the complaint. The company has stated that
                                the company on 7 November 2022, after email correspondence with the complainant on 30
                                October and November 6, 2022, have deleted the complainant's data and the complainant

                                have been informed of this. Since the appellant's request for erasure has now been granted
                                there is no reason to investigate the matter further in that part.


                                Choice of intervention

                                From articles 58.2 i and 83.2 of the data protection regulation, it appears that IMY has the authority
                                to impose administrative penalty fees in accordance with Article 83. Subject to

                                the circumstances of the individual case, administrative penalty fees must be imposed
                                in addition to or instead of the other measures referred to in Article 58.2, such as
                                injunctions and prohibitions. Furthermore, Article 83.2 states which factors must

                                taken into account when deciding whether administrative penalty charges are to be imposed and at
                                determining the size of the fee. If it is a question of a minor violation, IMY gets
                                as set out in recital 148 instead of imposing a penalty charge issue one

                                reprimand according to article 58.2 b. Consideration must be given to aggravating and mitigating circumstances
                                circumstances of the case, such as the nature, severity and duration of the infringement
                                as well as previous violations of relevance.


                                IMY notes the following relevant circumstances. The current supervision includes
                                MAG Interactive AB's handling of an individual complainant's request for deletion and the

                                the violations found are relatively far back in time (2021). MAG
                                Interactive AB has now also satisfied the complainant's request for deletion in full. Against
                                against this background, IMY finds that it is a question of such minor violations in it

                                meaning referred to in recital 148 which means that MAG Interactive AB must be given a
                                reprimand according to article 58.2 b of the data protection regulation for those found
                                the violations.

                                ________________________________________________

                                This decision has been taken by the special decision maker lawyer Evelin Palmér after

                                presentation by the lawyer Anna Mlynska.

                                Evelin Palmér, 2023-05-22 (This is an electronic signature) The Swedish Privacy Agency Diary number: IMY-2022-9109 12(12)
                                 Date: 2023-05-22






                                 How to appeal


                                 If you want to appeal the decision, you must write to IMY. State in the letter which decision you made
                                 appeals and the change you request. The appeal must have been received by IMY

                                 no later than three weeks from the day you received the decision. If the appeal has been received
                                 In due course, IMY forwards it to the Administrative Court in Stockholm for consideration.

                                 You can e-mail the appeal to IMY if it does not contain any privacy-sensitive information

                                 personal data or information that may be subject to confidentiality. The authority's
                                 contact details appear on the first page of the decision.