DPC (Ireland) - Groupon Ireland Operations Limited

DPC - Groupon Ireland Operations Limited
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 12(2) GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 17(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 19.06.2018
Decided: 08.03.2024
Published:
Fine: n/a
Parties: Groupon Ireland
National Case Number/Name: Groupon Ireland Operations Limited
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: lm

The DPA found that Groupon lacked a legal basis for requiring a data subject’s ID in order to fulfill access and erasure requests, and thus violated data minimisation obligations.

English Summary

Facts

On 11 June 2018, a data subject made an access request and an erasure request to Groupon (the controller) via email. The controller directed the data subject to its online portal, which required the complainant to upload a photo of their ID to verify their identity.

The data subject considered this an obstacle to exercising their GDPR rights and submitted a complaint to the Baden-Württemberg DPA on 19 June 2018. The BW DPA transferred it to the Irish Data Protection Commission (DPC), which it considered to be the leading supervisory authority in this case.

The controller subsequently facilitated the complainant’s requests without requiring verification of identity. Still, the data subject was concerned that their data had not been fully deleted.

The DPC considered two main issues:

  1. Was the controller’s request for ID to verify the data subject’s identity compliant with the GDPR?
  2. Did the controller appropriately demonstrate that the complainant’s personal data was fully deleted in response to the erasure request?

Holding

The DPC found that the controller infringed Articles 5(1)(c), 6(1), 12(2), 15(1) and (3) and 17(1) GDPR with regard to its request for an ID to verify the data subject’s identity. It issued a reprimand with no monetary penalty.

The DPC found that the controller infringed Article 12(2) GDPR when it requested additional information as to the data subject’s identity. Under Article 12(6) GDPR, a controller may only request additional information where it has reasonable doubts concerning the identity of a person making the request. The controller did not demonstrate such doubts here.

Furthermore, requiring the complainant to provide a copy of their ID to verify their identity for access and erasure requests was a violation of Article 5(1)(c) GDPR. Data minimisation obligations require any request for additional information to be necessary, proportionate and consistent. In this case, no such verification was required to open an account in the first place; thus, the controller would have been unable to cross-check the identities claimed. In addition, the controller could have used a less data-driven means to verify the data subject’s identity. Indeed, in October 2018, the controller amended its procedures so as to no longer require photo ID in these circumstances.

In addition, the controller violated Articles 15(1) and (3) as well as 17(1) GDPR by failing to comply with the data subject’s access and erasure requests when they were initially made, without having a lawful basis for not complying.

The DPC also determined that the controller infringed Article 6(1) GDPR by continuing to process the complainant’s personal data following receipt of their initial request for erasure.

Finally, the DPC found no infringement concerning whether the controller had appropriately demonstrated that the data subject’s personal data was fully deleted.

The DPC issued a reprimand with no monetary penalty. In doing so, it considered that the controller no longer required photographic ID to verify a data subject’s identity for the purpose of exercising rights under the GDPR.
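One way to implement the kind of verification the controller adopted in October 2018 (authenticating a request through the e-mail address already associated with the account) together with the Article 12(6) gate described in the holding above. This is an added example by the editor, not code from this page or from Groupon's own systems. The account store, request identifiers, token lifetime and the `can_cross_check` rule are assumptions for illustration; the point it demonstrates is that a verification factor is only useful if the controller already holds something to check it against, and that any demand for more information must be tied to a recorded, specific doubt.

```python
"""Proportionate identity verification for data subject requests (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample account store (assumption). The only identity attribute
# collected at registration is the e-mail address, so it is the only attribute
# the controller can cross-check against an incoming request.
ACCOUNTS = {"alice@example.invalid": {"customer_id": 1001}}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a verification token


@dataclass
class DsarRequest:
    request_id: str
    email: str
    kind: str                           # "access" or "erasure"
    token_hash: Optional[str] = None    # only a hash of the token is stored server-side
    expires_at: float = 0.0
    used: bool = False
    verified: bool = False
    doubt_reason: Optional[str] = None  # Art. 12(6): the recorded reason for asking for more


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def open_request(request_id: str, email: str, kind: str, now: float) -> Tuple[DsarRequest, Optional[str]]:
    """Open a request and mint a single-use token bound to the address on file.

    The token is returned so the caller can send it to the address on file; it
    must not be disclosed through any other channel. No token is minted for an
    address the controller does not hold, since nothing could be verified.
    """
    req = DsarRequest(request_id=request_id, email=email, kind=kind)
    if email not in ACCOUNTS:
        return req, None
    token = secrets.token_urlsafe(32)
    req.token_hash = _hash(token)
    req.expires_at = now + TOKEN_TTL_SECONDS
    return req, token


def verify_token(req: DsarRequest, presented: str, now: float) -> bool:
    """Accept the token only if it is unexpired, unused and equal (constant-time compare)."""
    if req.token_hash is None or req.used or now > req.expires_at:
        return False
    if not hmac.compare_digest(req.token_hash, _hash(presented)):
        return False
    req.used = True
    req.verified = True
    return True


def can_cross_check(email: str, attribute: str) -> bool:
    """An attribute only helps verification if the controller already holds it."""
    if email not in ACCOUNTS:
        return False
    return attribute == "email" or attribute in ACCOUNTS[email]


def request_additional_info(req: DsarRequest, attribute: str, doubt_reason: Optional[str]) -> bool:
    """Gate for asking the requester for further identity information.

    Refused unless a specific reasonable doubt is recorded AND the attribute is
    one the controller can cross-check. A blanket 'upload photo ID' demand fails
    both tests when no ID document was collected at registration.
    """
    if req.verified:
        return False  # identity already confirmed; nothing more is necessary
    if not doubt_reason:
        return False  # no reasonable doubt recorded, so no further data may be requested
    if not can_cross_check(req.email, attribute):
        return False  # the controller could not check it, so it is not "necessary"
    req.doubt_reason = doubt_reason
    return True


if __name__ == "__main__":
    req, token = open_request("REQ-1", "alice@example.invalid", "erasure", now=0.0)
    print("verified:", verify_token(req, token, now=1.0))
    print("photo ID demand allowed:", request_additional_info(req, "photo_id", None))
```

The token itself is never stored, only its hash, so a leaked request table does not let anyone complete a verification; the single-use and expiry checks keep a forwarded or replayed e-mail from being reused.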


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DPC Complaint Ref:

IMI Ref:

Complaint Received From: Baden-Wurttemburg DPA

Date Of Decision: 8 March 2024

Complainant:

Data Controller: Groupon International Limited

Re:      v Groupon International Limited

DECISION


This is a Decision of the Data Protection Commission of Ireland (“DPC”) in relation to DPC complaint reference,                  (hereinafter referred to as the “Complaint”), submitted by      (“Complainant”) against Groupon International Limited (“Groupon”) to the Baden-Wurttemburg Data Protection Authority (“BW DPA”). As the subject matter of the Complaint was determined to be cross-border in nature, the Complaint was subsequently transferred to the DPC, as the Lead Supervisory Authority (“LSA”) for Groupon.

This Decision is made pursuant to the powers conferred on the DPC by section 113(2)(a) of the Data Protection Act 2018 (“Act”) and Article 60 of the General Data Protection Regulation (“GDPR”).

Communication of Draft Decision to “supervisory authorities concerned”

In accordance with Article 60(3) GDPR, the DPC is obliged to communicate the relevant information and submit a draft decision, in relation to a complaint regarding cross border processing, to the supervisory authorities concerned for their opinion and to take due account of their views.

In accordance with its obligation, the DPC transmitted a Draft Decision in relation to the matter to the “supervisory authorities concerned”. As Groupon offers services across the EU, and therefore the processing is likely to substantially affect data subjects in every EU member state, the DPC in its role as lead supervisory authority identified that each supervisory authority is a supervisory authority concerned as defined in Article 4(22) of the GDPR. On this basis, the Draft Decision of the DPC in relation to the Complaint was transmitted to each supervisory authority in the EU and EEA for their opinion.

Background to the Complaint

1. On 11 June 2018, the Complainant contacted Groupon by email requesting access to their personal data and the subsequent erasure of those personal data. The Complainant sent this email to a number of different channels within Groupon. The Complainant also telephoned Groupon on 13 and 14 June 2018 in relation to their access and erasure requests.

2. In response, the Complainant was directed to submit their requests via Groupon’s online portal, which required the Complainant to upload a copy of an ID document in order to verify their identity.

3. The Complainant considered this requirement to be excessive and an obstacle to the exercise of their rights. The Complainant also noted that no such requirements were in place in order to register or create an account with Groupon. Accordingly, on 19 June 2018, the Complainant submitted a Complaint to the BW DPA. The Complaint at this point was solely in relation to the Complainant’s concerns about being asked to upload a copy of an ID document. In the circumstances where the DPC was deemed to be the competent authority for the purpose of Article 56(1) GDPR, the BW DPA subsequently transferred the Complaint to the DPC.

Complaint Handling and Investigation by the DPC

4. On 1 February 2019, the DPC wrote to Groupon formally commencing its investigation and requesting that Groupon address the concerns raised.

5. In response, Groupon explained that it had since changed its verification requirements in October 2018 so that photo ID is no longer required, and that it now authenticates data subject rights requests on the basis of the associated email address in order to ensure the request is valid in accordance with GDPR requirements. Groupon invited the Complainant to submit another request which Groupon would process in accordance with this new system.

6. The Complainant subsequently submitted a new access and erasure request on 17 April 2019 both via email and via Groupon’s portal. In response to the erasure request, Groupon advised the Complainant as follows:

   “After the deletion of your personal information, we will only store your personal information when it is necessary to continue to operate our business effectively, including your transactions for financial reporting or fraud prevention purposes until they are no longer necessary to comply with our legal obligations, settle disputes and enforce our agreements.

   If you have previously purchased through Groupon, the data may include your customer number, name, e-mail address, billing address, delivery address, payment details, purchased items, and invoice amount.

   These data are stored on a completely separate system and used only for ongoing fraud prevention purposes. The data stored on this system is kept for a strictly limited period of time (two years) and then deleted. In particular, for purposes of fraud prevention, we store information about transactions made through Groupon to ensure that your account has not been exposed to fraud. It is also in the customer's interest that we can analyze traffic patterns on our platform to prevent fraudulent activity. In accordance with Article 21 GDPR, we have a reasonable and legitimate interest in the fight against fraud in order to retain personal data for this strictly limited purpose.”

7. The access request was completed by Groupon on 10 May 2019. Groupon availed of the two month extension provided by Article 12(3) GDPR in order to complete the erasure request. The erasure request was completed on 5 June 2019. The Complainant received confirmation of the completion of the erasure request on 11 June 2019. In that confirmation, Groupon stated as follows:

   “Hello,

   Regarding your request to deletion TYIQZV from 04/17/2019, we hereby inform you that we have deleted all personal data concerning the e-mail address [Complainant’s email address], subject to the following legal requirements:

   - The storage of personal data in our systems is necessary for us to fulfil our legal obligations (e.g. personal data in invoices for financial reporting purposes).
   - The storage of personal data is necessary for us to establish, assert and/or defend legal claims.
   - The storage of personal data in our systems is necessary for the limited purpose of ongoing fraud prevention. This personal information is stored in a separate system that is accessible for limited purposes only.

   In the confidence that this response will fulfil your request, we will consider it closed. If you require further information, you can submit a new request via the Groupon Privacy Portal.

   Thank you,
   Groupon Privacy Team”

8. In response to this confirmation notification, the Complainant wrote to Groupon again asking for confirmation as to whether all their personal data had been deleted completely. In the event that this was not the case, the Complainant asked for further information about the data retained, and about where, how long and by whom the data are stored:

   “Hello Groupon Privacy Team,

   From your message/reply I can not clearly see whether all personal data concerning my e-mail address [Complainant’s email address] have been deleted completely.
   Therefore the question: Have all my personal data been deleted completely? Yes or no?

   If the answer to my question is "no", I would like to know:
   - Which data are concerned?
   - Who stores and/or processes this data?
   - Where is this data stored? (Which location? Which country?)
   - How long is this data stored? (Please specify the exact date on which the final deletion will take place.)
   - I would like to get a precise explanation for this.

   Kind regards,”

9. A copy of the Complainant’s correspondence above was forwarded to the DPC for further investigation, and the DPC duly followed up with Groupon in relation to the concerns raised and requested that Groupon identify to the Complainant the specific information it had retained. In response, Groupon stated as follows:

   “…we are unfortunately not in a position to advise the data subject the precise information that has been retained in relation to his account. Our policy is not to disclose data that we retain for fraud prevention purposes, and to give priority to preventing fraud in order to protect our business and the best interests of all of our customers. We have already advised the data subject of the data that we may retain for the purposes of fraud prevention. This is in accordance with our policy and relevant GDPR requirements.

   I confirm that the information is retained as per policy in its original form.”

   At this point, the DPC noted that the unspecified personal data that Groupon continued to retain about the Complainant was for the purposes of fraud prevention (“retained data”) and that, as set out in Groupon’s response to the erasure request of 17 April 2019 (see paragraph 6 above), these data would be retained for a period of 2 years.


10. The DPC provided Groupon’s response above to the Complainant for their views. The Complainant was not satisfied with the response and queried whether the retained data had been or would be transferred to any third parties prior to its deletion, where any such third parties are located, and the appropriate measures applied by Groupon to any transfers of the retained data to third countries. The Complainant also noted that the last transaction they had carried out with Groupon was almost three years ago, and wanted to know the exact date on which the retained data would be deleted.

11. Groupon provided a substantive response addressing the Complainant’s queries in relation to third party transfers, which included a list of third parties to whom their data had been transferred and confirmation that each of those third parties had been informed of the Complainant’s erasure request.

12. In relation to the Complainant’s query about the exact date their data would be deleted, Groupon stated that it was not possible to provide a specific date and nor was it possible to inform customers as to when their data has been deleted. The Complainant was dissatisfied at this response, stating that “I cannot discern when the two years indicated by Groupon will have expired and how I can/will then find out that my data has indeed been irrevocably deleted”.

13. The DPC subsequently put the Complainant’s outstanding concerns to Groupon. In response, Groupon stated as follows:

   “I confirm that [the Complainant’s] data was deleted from our systems, effective 30 August 2018, two years after the last transaction on his account. This was in accordance with our Records Retention Policy as advised in previous responses to this complaint. Please note that it is not our practice, nor indeed industry standard practice, to inform all customers when their data has been deleted in accordance with policy. We believe it is not a GDPR requirement to do so, while we endeavour at all times to provide information as necessary to comply with GDPR requirements and in the interests of transparency.”


14. This response created some confusion for the Complainant, who noted that Groupon had previously provided them with confirmation following their deletion request (see paragraph 7 above) that certain data (i.e. the retained data) were being retained by Groupon. The DPC subsequently raised these inconsistencies with Groupon and requested that it clarify the position.

15. Groupon then carried out an internal investigation into the matter and, by way of clarification, provided the DPC with a full timeline of the actions taken by Groupon in relation to the Complainant’s account and its responses provided to the Complainant. In this regard, Groupon stated as follows:

   “Groupon wishes to highlight the following relevant facts to the DPC from the table below, which we hope will rectify any confusion about our handling of the Data Subject's erasure request:

   - The Data Subject made his last purchase with Groupon on 30 August 2016.
   - Information about the Data Subject's purchases with Groupon was retained for the purposes of fraud prevention for two years and then deleted, in line with Groupon's records retention policy.
   - Our standard response to a deletion request informs data subjects that information may be retained for fraud prevention purposes, but this only applies where a purchase was made less than two years before the date a deletion request was received.
   - Here, the information held on Groupon's fraud database in respect of the Data Subject's last purchase was deleted by 30 August 2018 - two years after his last purchase on the site. However at this time, Groupon still held personal data in respect of the Data Subject including his account registration information and purchase details within its main database.
   - On 17 April 2019 [the Complainant] submitted an access request and request for deletion of data to Groupon’s customer service through email (info@groupon.de) and through the Groupon Privacy Portal (copy attached as Document 1). Groupon responded to that access request on 10 May 2019 (copy attached as Document 2) in which Groupon confirmed the information it held about the Data Subject. Note that at this date (i.e. 10 May 2019), the information held on the Data Subject on Groupon's fraud database had already been deleted in accordance with Groupon's records retention policy, as noted immediately above.
   - The Data Subject's request for deletion of all remaining personal data held by Groupon was initiated within Groupon on 10 May 2019. Groupon went on to delete all account registration information, purchase history, communications with customer service and other relevant information (i.e. the remaining personal data held by Groupon about the Data Subject) in satisfaction of that request by 5 June 2019.
   - On 5 June 2019, the Data Subject was notified that his deletion request was completed (copy attached as Document 3), which included Groupon's standard response sent to data subjects when a request is completed and includes information to indicate that information could be retained under certain circumstances.
   - Regrettably, a lack of further investigation on our part created some confusion for the Data Subject who went on to request what, if any, information about him had been retained on Groupon's systems (copy attached as Document 4). Further, this fact was not communicated to the DPC in subsequent exchanges with the DPC between 21 June 2019 and 17 January 2020, resulting in further confusion and uncertainty, for which we sincerely apologise.
   - We have checked our records and can confirm that the response provided by Groupon's (then) DPO on 1 July 2019 and 15 August 2019 did not correctly reflect the situation. Those communications should have instead confirmed that no personal data about the Data Subject was retained in any of Groupon’s databases, including the fraud database. From the point at which the erasure request was satisfied on 5 June 2019, the only information held about the Data Subject by Groupon was any information held in the context of handling this complaint, Groupon's exchanges with the Data Subject and the DPC, and information related to his access and deletion requests within the Privacy Portal.

   Taking all of this into account, I can confirm that Groupon no longer processes any data relating to the Data Subject (other than in the context of handling the access and deletion request and this complaint)”.

16. In summary, in light of this information, the DPC understood that the retained data had in fact been deleted on 30 August 2018 (two years from the date of the Complainant’s last purchase on their account) and that the confusion seemed to stem from the fact that Groupon had included a generic or standard confirmation response to the Complainant’s erasure request which suggested that further data had been retained. As clarified by Groupon however, this was not correct and all personal data it held about the Complainant were fully deleted at the time the erasure request was completed on 5 June 2019 (save for “any information held in the context of handling this complaint, Groupon's exchanges with the Data Subject and the DPC, and information related to his access and deletion requests within the Privacy Portal”).


17. A substantive response detailing the explanations above was subsequently provided to the Complainant (via the DPC) by Groupon. However, the Complainant did not accept Groupon’s confirmation that their personal data had been fully deleted and stated that “[d]ata are only deleted when they are actually and irretrievably deleted”. The Complainant therefore further stated as follows:

   “I hereby reiterate my demand and expect it to be fulfilled in a timely manner:

   - Groupon and the Irish DPC may please confirm the complete and irretrievable deletion of my data from all systems and media.
   - The Irish DPC shall please explain how it ensures or has ensured that Groupon actually and verifiably deletes or has deleted my data completely and irretrievably from all systems and media (e.g. also from possible backups).”

18. The DPC then put the Complainant’s outstanding concerns above to Groupon and specifically sought appropriate documentary evidence (e.g. erasure logs, relevant screenshots, etc.) to demonstrate that all of the Complainant’s personal data had been permanently deleted.

19. In response, Groupon provided the DPC with a zip folder containing an Excel file of exported system logs relating to the Complainant’s requests, as well as an explanatory note to assist both the Complainant and the DPC in understanding the technical information contained in the file.

20. Two requests were recorded in the Excel file, labelled ‘TYIQZV’ and ‘JWXDYL’. Regarding the contents of the Excel file, Groupon explained the column headings and the details contained within the entry labelled ‘TYIQZV’ as follows:

   “Deadline and extension - The Deadline was extended because request included both Data Access as well as Deletion afterwards and possible technical issues.
   Completed date - this is the Date the full data deletion was confirmed to the customer.
   Request Type is set to "deletion" as this was the last request type chosen as it was changed during processing, (later a because of the occurring need there was a [sic] additional type introduced in the system, access/deletion for this type of cases.)
   Last Public Reply Date - this is the Last message sent by Groupon to the customer, due to the following complaint/second request that followed the data deletion process, the conversation was continued within the first request.
   Stage and Completed Sub-Tasks - Completed means the status of the request was set to completed due to the data subjects Data Deletion, completed Sub-Tasks 4/4 means that the system got 4 confirmations from 4 tasks assigned to our system categories used - one for data bases and second was communications systems, 4 subtasks means that the access request and deletion request were handled in the same request.”

21. Regarding the entry labelled ‘JWXDYL’, Groupon explained as follows:

   “The second request was a follow-up question from the data subject and was sent to us because the automatic system response suggested that we may hold some personal data even after the deletion - this is true because depending on the legal obligations on specific markets, this data is however anonymized, if held at all.”

22. Groupon advised the DPC that OneTrust was its data privacy requests software provider at the time, and that Groupon changed its data privacy requests software provider from OneTrust to Transcend in October 2021. Groupon further advised that the system logs were exported from its OneTrust system prior to this changeover and that “we are not able to recover any more details from the requests, because…the system we used was decommissioned, and even then, the request related files were recoverable within the system for about 6 months after that they were also permanently deleted.”. As such, the DPC understood from Groupon that the exported system logs constituted the totality of the data Groupon continued to hold about the Complainant and that any other data had already been permanently deleted. Groupon also provided the DPC with a file containing system screenshots from its Transcend system which displayed no search results against the Complainant’s details.

23. The DPC subsequently provided the Complainant with a copy of the Excel file together with Groupon’s explanations and asked the Complainant whether they were now satisfied with the explanations provided. In response, the Complainant stated that they remained unsatisfied and repeated their previous request that the DPC “please explain how it ensures or has ensured that Groupon actually and verifiably deletes or has deleted my data completely and irretrievably from all systems and media (e.g. also from possible backups)."
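The confusion recorded in paragraphs 13 to 22 arose because the erasure confirmation was a generic template that mentioned fraud-prevention retention regardless of whether anything was actually still held, while the evidence later produced was a per-system sub-task log ("Completed Sub-Tasks 4/4"). The following is an added example by the editor, not code from the decision or from Groupon's OneTrust or Transcend systems: it keeps one erasure sub-task per system, derives the fraud-record retention expiry from the last purchase date (the two-year period used here mirrors the one stated in the decision but is an assumption of the example), and generates the confirmation text from the recorded state rather than from a fixed template. System names, request identifiers and dates are constructed.

```python
"""Retention-aware erasure confirmation (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

FRAUD_RETENTION = timedelta(days=2 * 365)  # assumed: two years after the last purchase


@dataclass
class Subtask:
    system: str
    completed_on: Optional[str] = None      # ISO date of this system's erasure confirmation
    retained_basis: Optional[str] = None    # set only if the system lawfully keeps something
    retained_until: Optional[str] = None    # ISO date on which the retained data are deleted


@dataclass
class ErasureRequest:
    request_id: str
    last_purchase: Optional[str]            # ISO date, or None if the subject never purchased
    subtasks: Dict[str, Subtask] = field(default_factory=dict)

    def completed_count(self) -> int:
        return sum(1 for s in self.subtasks.values() if s.completed_on is not None)

    def progress(self) -> str:
        """Rendered like the '4/4' sub-task counter in an exported request log."""
        return f"{self.completed_count()}/{len(self.subtasks)}"


def open_erasure(request_id: str, last_purchase: Optional[str], systems: List[str]) -> ErasureRequest:
    """Create one sub-task per system that holds data about the subject."""
    req = ErasureRequest(request_id=request_id, last_purchase=last_purchase)
    for system in systems:
        req.subtasks[system] = Subtask(system=system)
    return req


def fraud_retention_expiry(last_purchase: Optional[str]) -> Optional[str]:
    """Date on which the fraud-prevention record of the last purchase is deleted."""
    if last_purchase is None:
        return None
    return (date.fromisoformat(last_purchase) + FRAUD_RETENTION).isoformat()


def complete_subtask(req: ErasureRequest, system: str, on: str) -> Subtask:
    """Record a system's erasure confirmation dated `on` (ISO date).

    The fraud system is the one place where data may lawfully outlive the
    request; it reports retention only while its retention period is still
    running on the confirmation date, so nothing is claimed to be kept once
    the period has already expired.
    """
    st = req.subtasks[system]
    st.completed_on = on
    if system == "fraud_db":
        expiry = fraud_retention_expiry(req.last_purchase)
        if expiry is not None and date.fromisoformat(expiry) > date.fromisoformat(on):
            st.retained_basis = "fraud prevention (legitimate interest)"
            st.retained_until = expiry
    return st


def confirmation_message(req: ErasureRequest) -> str:
    """Confirmation text derived from recorded state, never from a fixed template."""
    if req.completed_count() != len(req.subtasks):
        return f"Request {req.request_id} is still in progress ({req.progress()} systems confirmed)."
    retained = [s for s in req.subtasks.values() if s.retained_until is not None]
    if not retained:
        return (f"Request {req.request_id}: all personal data deleted "
                f"({req.progress()} systems confirmed). No data is retained.")
    lines = [f"Request {req.request_id}: deletion completed ({req.progress()} systems confirmed). "
             "The following data remain, with the legal basis and the date of final deletion:"]
    for s in retained:
        lines.append(f"- {s.system}: {s.retained_basis}, deleted on {s.retained_until}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: last purchase long before the request, so nothing is retained.
    systems = ["main_db", "fraud_db", "support_comms", "privacy_portal"]
    req = open_erasure("REQ-1", "2016-08-30", systems)
    for name in systems:
        complete_subtask(req, name, "2019-06-05")
    print(confirmation_message(req))
```

With the dates from the decision's timeline (last purchase 30 August 2016, erasure completed 5 June 2019) the fraud record's expiry falls on 30 August 2018, before the confirmation date, so the generated message states plainly that nothing is retained; only a purchase inside the two-year window produces a retention line with its basis and deletion date.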










Section 109(2) of the Act

24. Under section 109(2) of the Act, the DPC may, where it considers that there is a reasonable likelihood of the parties reaching, within a reasonable time, an amicable resolution of the subject matter of a complaint, take such steps as it considers appropriate to arrange or facilitate such a resolution. The DPC engaged with both parties to attempt to achieve an amicable resolution of the Complaint. However, these attempts were ultimately unsuccessful.

25. The DPC advised Groupon via correspondence dated 19 September 2023 that it had been unable to facilitate the amicable resolution of the Complaint.

26. Prior to its preparation of this Decision, the DPC prepared a Preliminary Draft Decision for the purposes of facilitating the parties in exercising their respective rights to be heard in relation to this Decision. The DPC then prepared a Draft Decision, which was transmitted to the supervisory authorities concerned pursuant to Article 60(3) GDPR.


Notification of the Preliminary Draft Decision to Groupon

27. The DPC provided Groupon with a copy of its Preliminary Draft Decision on 13 December 2023 and invited submissions from Groupon.

28. By correspondence dated 21 December 2023, Groupon confirmed that it had no submissions to make and that it considered the decision to be fair in the circumstances.

Notification of the Preliminary Draft Decision to the Complainant

29. The DPC provided the Complainant (via the BW DPA) with a copy of its Preliminary Draft Decision on 28 December 2023 and invited submissions from the Complainant. The BW DPA issued the Complainant with the Preliminary Draft Decision on 2 February 2024.

30. By correspondence dated 5 February 2024, the Complainant provided their submissions on the Preliminary Draft Decision.

31. The DPC has carefully considered the submissions of the Complainant in making this Decision. The DPC’s consideration of these submissions is set out at paragraphs 55-58 below.

Transmission of the Draft Decision to the Supervisory Authorities Concerned

32. The DPC transmitted the Draft Decision to the supervisory authorities concerned in accordance with Article 60(3) GDPR on 8 February 2024. The DPC did not receive any relevant and reasoned objections under Article 60(4) GDPR.

33. Given that no relevant and reasoned objections were received from any of the supervisory authorities concerned within a period of four weeks, after having been consulted on 8 February 2024, the DPC did not revise the Draft Decision.


Issues Under Investigation and Applicable Law

34. The objective of the investigation of the Complaint by the DPC was to ascertain whether Groupon had responded to the Complainant’s access and erasure requests in a manner compliant with the GDPR.

35. The Complaint initially concerned Groupon’s requirement that the Complainant upload an ID document in order to exercise their rights of access and erasure. However, on 17 April 2019 following the commencement of the DPC’s investigation and as explained at paragraphs 5 and 6 above, the Complainant subsequently submitted new access and erasure requests. These new requests were, in effect, re-submissions of the original requests. Although the Complainant was provided with access to their data at that point, the Complainant did not accept that their data were fully deleted thereafter. Accordingly, the scope of the DPC’s investigation concerned Groupon’s facilitation of the Complainant’s access and erasure requests as a whole, including both the original and ‘re-submitted’ access and erasure requests, as well as Groupon’s ID requirements in relation to the original requests.

36. Following the conclusion of its investigation, the DPC identified the following issues to be considered in this Decision:

   a. Whether Groupon’s request for ID in order to verify the Complainant for the purposes of their original access and erasure requests was compliant with the GDPR.
   b. Whether Groupon had appropriately demonstrated that the Complainant’s personal data were fully deleted in response to the erasure request.
   c. Whether Groupon was obliged to identify the specific information contained within and constituting the retained data.

37. For the purposes of its investigation and assessment of the Complaint, the DPC has considered the following Articles of the GDPR:

   a. Article 15, which provides for a data subject’s right of access.
   b. Article 17, which provides for a data subject’s right of erasure. Article 17(3) sets out the circumstances where further retention of personal data will be lawful notwithstanding the receipt of an erasure request.
   c. Article 5(1)(c), which provides for the principle of data minimisation.
   d. Article 6(1), which provides that processing shall be lawful only if and to the extent that at least one of the lawful bases provided for under Articles 6(1)(a)-(f) applies.
   e. Article 12(2), which obliges controllers to “facilitate the exercise of data subject rights…”
   f. Article 12(6), which provides (without prejudice to Article 11) that “where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.”

Analysis and Findings

Issue 1: Whether Groupon’s request for ID in order to verify the identity of the
Complainant for the purposes of their original access and erasure requests was
compliant with the GDPR.


   38. As noted at paragraph 37(f) above, Article 12(6) GDPR provides that a controller
       may only request additional information where it has reasonable doubts
       concerning the identity of the person making a request. Article 12(6) further
       provides that, in such circumstances, controllers may only request additional
       information that is “necessary to confirm the identity of the data subject”. It follows
       from this that a controller must be able to demonstrate its reasonable doubts and
       further demonstrate how the type of additional information requested is necessary
       in order to overcome those doubts.

   39. The EDPB’s ‘Guidelines 01/2022 on data subject rights – Right of access’ (Access
       Guidelines)[1] explain how any request by a controller for additional information in
       order to confirm a data subject’s identity must be necessary, proportionate and
       consistent with the principle of data minimisation under Article 5(1)(c) GDPR. For
       example, paragraphs 67 and 68 state as follows:

              “In cases where the controller requests or is provided by the data subject
              with additional information necessary to confirm the identity of the data
              subject, the controller shall, each time, assess what information will allow it
              to confirm the data subject’s identity and possibly ask additional questions
              to the requesting person or request the data subject to present some
              additional identification elements, if it is proportionate (see section 3.3).

              In order to allow the data subject to provide the additional information
              required to identify his or her data, the controller should inform the data
              subject of the nature of the additional information required to allow
              identification. Such additional information should not be more than the
              information initially needed for the authentication of the data subject. In
              general, the fact that the controller may request additional information to
              assess the data subject’s identity cannot lead to excessive demands and to
              the collection of personal data which are not relevant or necessary to
              strengthen the link between the individual and the personal data
              requested.”[2]

   40. The Access Guidelines further explain that a proportionality assessment should be
       carried out regarding the identification of the requesting person:

              “…if the controller has reasonable grounds for doubting the identity of the
              requesting person, it may request additional information to confirm the data
              subject’s identity. However, the controller must at the same time ensure that
              it does not collect more personal data than is necessary to enable
              authentication of the requesting person. Therefore, the controller shall carry
              out a proportionality assessment, which must take into account the type of
              personal data being processed (e.g. special categories of data or not), the
              nature of the request, the context within which the request is being made,
              as well as any damage that could result from improper disclosure. When
              assessing proportionality, it should be remembered to avoid excessive data
              collection while ensuring an adequate level of processing security.”[3]

[1] EDPB Guidelines 01/2022 on data subject rights – Right of access, Version 2.0, Adopted 28 March 2023.
[2] Ibid, paras 67-68.


   41. Significantly, the Access Guidelines note the heightened risk involved where an
       identity document is requested, and state that such a form of identification “should
       be considered inappropriate, unless it is necessary, suitable, and in line with
       national law” and that “[i]n such cases the controllers should have systems in place
       that ensure a level of security appropriate to mitigate the higher risks for the rights
       and freedoms of the data subject to receive such data.”[4]

   42. In this case, Groupon initially required the Complainant to submit a copy of their
       photographic ID in order to process their access and erasure requests. The DPC
       further understands that the provision of a copy of such data was not a requirement
       at account opening stage and, therefore, Groupon had no means to check the
       veracity of any such information that the Complainant may have submitted.

   43. Having regard to the above, the DPC determines that Groupon infringed Article
       5(1)(c), by its failure to adhere to the principle of data minimisation. In particular,
       this infringement occurred when Groupon initially required submission of a copy of
       the Complainant’s photographic ID in order to verify account ownership for the
       purposes of processing their access and erasure requests, in circumstances where
       no such verification appeared to have been obtained or required in order to initially
       open an account. It is also clear that a less data-driven means of verification
       (namely, by way of the email address associated with the account) was available
       to Groupon, and this is reflected in Groupon’s subsequent change to its procedures
       in October 2018, whereby the requirement to submit photographic ID was
       discontinued.


   44. In addition, Groupon has not demonstrated or indicated that it had reasonable
       doubts as to the Complainant’s identity, such as would have justified it in
       requesting the provision of additional information to confirm their identity (in the
       form of photographic ID) under Article 12(6) GDPR. The fact that Groupon
       ultimately gave effect to the erasure request in the absence of the submission of a
       copy of photographic ID demonstrates that no such reasonable doubts concerning
       the identity of the Complainant existed. As such, the DPC determines that the
       request for additional identification was an infringement of Article 12(2) GDPR.

[3] Ibid, para 70.
[4] Ibid, para 74.

   45. In summary, Groupon should not have requested that the Complainant provide
       photographic ID when they submitted their access and erasure requests without
       establishing that there was a reasonable doubt concerning their identity or whether
       the requested document was relevant and proportionate.

   46. It follows from the above that Groupon failed to comply with the Complainant’s
       initial access and erasure requests at the time they were made without a lawful
       basis for not complying. Therefore, the DPC determines that Groupon infringed the
       Complainant’s right to access under Articles 15(1) and 15(3) GDPR and the
       Complainant’s right to erasure under Article 17(1) GDPR. As outlined at paragraph
       43 above, the requirement in place at the time for a requesting data subject to
       provide photographic ID in order to give effect to the request is adjudged to be
       inconsistent with the principle of data minimisation as set out in Article 5(1)(c)
       GDPR. As such, it was not valid for Groupon to seek to rely on this requirement as
       a basis on which not to comply with the Complainant’s initial requests for access
       to and erasure of their personal data.

   47. In addition, the DPC determines that Groupon infringed Article 6(1) GDPR by
       continuing to process the Complainant’s personal data following receipt of their
       initial request for erasure. The validity of each of the Complainant’s requests has
       not been disputed, and Groupon’s request for verification is adjudged to have been
       inconsistent with the principle of data minimisation pursuant to Article 5(1)(c)
       GDPR, as outlined above at paragraph 43. As such, Groupon’s requirement for a
       copy of photographic ID was invalid and the request for erasure should have been
       complied with when received, subject to the Complainant’s account ownership
       being verified by other, more appropriate means.

   48. For the reasons set out at paragraphs 38-47 above, the DPC finds that
       Groupon:

          a. infringed Article 5(1)(c) GDPR by having initially required the
             Complainant to provide a copy of their ID in order to verify their
             identity for the purposes of their access and erasure requests, in
             circumstances where no such verification appeared to have been
             obtained or required in order to initially open an account and a less
             data-driven means of verification (namely, by way of the email address
             associated with the account) was available to Groupon;

          b. infringed Article 12(2) GDPR by initially requesting additional
             information as to the Complainant’s identity at the time they made
             their access and erasure requests, in circumstances where it has not
             demonstrated that reasonable doubts existed concerning the
             Complainant’s identity that would have necessitated the application
             of Article 12(6) of the GDPR;

          c. infringed Articles 15(1), 15(3) and 17(1) GDPR by having failed to
             comply with the Complainant’s initial access and erasure requests at
             the time they were made without a lawful basis for not complying, in
             circumstances where Groupon’s request (as a prerequisite to
             responding to the initial access and erasure requests) for
             photographic ID has been found to be an infringement of Article 5(1)(c)
             GDPR; and

          d. infringed Article 6(1) GDPR by continuing to process the
             Complainant’s personal data following receipt of their initial request
             for erasure.


Issue 2: Whether Groupon has appropriately demonstrated that the Complainant’s
personal data were fully deleted in response to the erasure request


   49. As set out at paragraphs 19-21 above, Groupon provided both the DPC and the
       Complainant with an Excel file containing exported system logs relating to the
       Complainant’s requests, as well as an explanatory note to assist both the
       Complainant and the DPC in understanding the technical information contained in
       the file. The DPC carefully considered the information contained within the Excel
       file and noted that the data related solely to administrative and technical details
       about the Complainant’s requests and that those details themselves were
       consistent with Groupon’s position that the remainder of the Complainant’s
       personal data had been fully deleted (in particular the entries for ‘Completed Date’
       and ‘Stage and Completed Sub-Tasks’ as described at paragraph 20 above).



   50. Although the Complainant was not satisfied with these explanations when they
       were put to them, the DPC notes that no evidence was provided by the
       Complainant to suggest that, at this time, Groupon had failed to fully delete the
       Complainant’s personal data (save for the limited administrative data relating to
       the Complainant’s request and the Complaint, as contained within the Excel file).
       There are obvious logical difficulties in proving the non-existence of personal data
       in the absence of evidence or any reasonable doubts being proffered to the
       contrary. Although the Complainant clearly held concerns that their data may not
       have been fully deleted, the DPC found Groupon’s evidence and explanations to
       be more persuasive.


   51. As set out at paragraph 22 above, Groupon also provided the DPC with a further
       file containing system screenshots from its Transcend system (which replaced its
       previous OneTrust system in October 2021) which displayed no search results
       against the Complainant’s details. This was also consistent with Groupon’s
       position that the remainder of the Complainant’s personal data had been fully
       deleted.

   52. The DPC was also satisfied that the data contained within the Excel file, insofar as
       they constituted personal data, appeared to have been retained by Groupon solely
       for record-keeping purposes in order to maintain a proper record of the fact that
       those requests had been addressed. As such, it is the DPC’s view that the retention
       of such data was appropriate for the purposes of demonstrating Groupon’s
       compliance with the GDPR, as required pursuant to Articles 5(2) and 24(1) GDPR.

   53. The DPC considered the information and explanations provided by Groupon to be
       sufficiently comprehensive. It is the DPC’s view that, in the absence of evidence
       to support the existence of any further data being retained, the information and
       explanations provided by Groupon ought to have allayed any reasonable concerns
       the Complainant may have had regarding the permanent deletion of their data.

   54. Having carefully considered the evidence provided by Groupon as referred to
       above, and noting also Groupon’s efforts to demonstrate compliance with its
       accountability obligations despite the length of time that had now passed since the
       data was confirmed (by Groupon) to have been deleted, it is the DPC’s view that
       it is reasonable for it to conclude that, save for the limited administrative data
       contained within the exported system logs, the Complainant’s personal data had
       been fully deleted.


   55. In their submissions on the Preliminary Draft Decision, the Complainant indicated
       their dissatisfaction with the DPC’s (then-provisional) conclusions set out above
       regarding Groupon’s evidence and explanations as to the erasure of their personal
       data. In summary, the Complainant was of the view that the DPC was required to
       “carry out appropriate in-depth checks (e.g. find out where [the Complainant’s]
       personal data has been stored, copied, backed up, archived by Groupon) and
       ensure that the personal data in question has indeed been completely and
       irretrievably deleted from all systems and media instead of believing Groupon's
       Excel file and screenshots.”


   56. In an effort to assuage the Complainant’s doubts as expressed in their
       submissions, the DPC decided, on an exceptional basis, to subsequently carry out
       an examination of Groupon’s databases to further test Groupon’s evidence as to
       the full erasure of the Complainant’s personal data.

   57. During this exercise, on 7 February 2024, the DPC examined Groupon’s (i)
       “Cyclops” Customer Database, which consisted of a US version and an
       International version (the latter broken down into an extensive list of countries
       where Groupon’s customers are located); (ii) Customer Mailing Database, which
       consisted of a US version and a single International version; (iii) Merchant
       Database, which consisted of a single International version; and (iv) One Trust
       Request Log, which the DPC noted corresponded with the exported system logs
       referred to at paragraphs 19-22 above.

   58. This examination involved entering the Complainant’s details into each of the
       databases mentioned above, which included, where applicable, the US and
       International versions as well as each of the various countries listed on the
       International version of the “Cyclops” Customer Database. On each occasion, no
       results were returned save for in relation to the Customer Mailing Database, which
       returned just two results consisting solely of the two emails exchanged between
       the DPC and Groupon earlier that day to arrange the time for the examination (and
       which included the Complainant’s first name and surname in the ‘Subject’ field for
       the purposes of identifying the complaint). In light of these results, the DPC was
       further satisfied that Groupon had appropriately demonstrated the permanent
       deletion of the Complainant’s personal data (save for the limited administrative
       data contained within the Excel file of exported system logs, and the first name
       and surname of the Complainant as contained within the ‘Subject’ field of the two
       emails exchanged between the DPC and Groupon) as per their erasure request.
       For the avoidance of doubt, Groupon also confirmed directly to the DPC officers
       who carried out the examination that Groupon did not retain any personal data
       belonging to the Complainant.

   59. Based on the facts and analysis set out at paragraphs 49-54 above, the DPC
       concludes that Groupon has appropriately demonstrated that the
       Complainant’s personal data (save for the limited administrative data
       contained within the Excel file of exported system logs, and the first name
       and surname of the Complainant as contained within the ‘Subject’ field of
       the two emails exchanged between the DPC and Groupon) were fully deleted
       in response to the erasure request. This conclusion is further bolstered by
       the results of the DPC’s examination as described at paragraphs 56-58
       above. Accordingly, the DPC finds that no infringement of GDPR by Groupon
       has occurred in respect of this issue.


Decision on Infringements of GDPR

   60. Following the investigation of the Complaint against Groupon, the DPC finds that
       in the circumstances of this Complainant’s case, Groupon infringed the GDPR as
       follows:

          - For the reasons set out at paragraphs 38-43 above, the DPC finds that
            Groupon infringed Article 5(1)(c) GDPR by having initially required the
            Complainant to provide a copy of their ID in order to verify their identity for
            the purposes of their access and erasure requests, in circumstances where
            no such verification appeared to have been obtained or required in order to
            initially open an account and a less data-driven means of verification
            (namely, by way of the email address associated with the account) was
            available to Groupon;

          - For the reasons set out at paragraph 44 above, the DPC finds that Groupon
            infringed Article 12(2) GDPR by initially requesting additional information as
            to the Complainant’s identity at the time they made their access and erasure
            requests, in circumstances where it has not demonstrated that reasonable
            doubts existed concerning the Complainant’s identity that would have
            necessitated the application of Article 12(6) of the GDPR;

          - For the reasons set out at paragraph 46 above, the DPC finds that Groupon
            infringed Articles 15(1), 15(3) and 17(1) GDPR by having failed to comply
            with the Complainant’s initial access and erasure requests at the time they
            were made without a lawful basis for not complying, in circumstances where
            Groupon’s request (as a prerequisite to responding to the initial access and
            erasure requests) for photographic ID has been found to be an infringement
            of Article 5(1)(c) GDPR; and

          - For the reasons set out at paragraph 47 above, the DPC finds that Groupon
            infringed Article 6(1) GDPR by continuing to process the Complainant’s
            personal data following receipt of their initial request for erasure.


Remedial Measures by Groupon

   61. In respect of these infringements, it is noted that Groupon no longer requires
       photographic ID in order to verify a data subject’s identity for the purposes of
       exercising their data subject rights under GDPR. This process was terminated in
       October 2018. Groupon’s procedure for facilitating the exercise of data subject
       rights now relies on email authentication instead.


Judicial Remedies With Respect to Decision of the DPC


   62. In accordance with Article 78 GDPR, both Groupon and the Complainant have a
       right to an effective judicial remedy against a legally binding decision of a
       supervisory authority. Pursuant to section 150(5) of the Act, an appeal to the Irish
       Circuit Court or the Irish High Court may be taken by a data subject or any other
       person (this includes a data controller) affected by a legally binding decision of the
       DPC within 28 days of receipt of notification of such decision. An appeal may also
       be taken by a data controller within 28 days of notification: under section 150(1),
       against the issuing of an enforcement notice and/or information notice by the DPC
       against the data controller; and under section 142, against any imposition upon it
       of an administrative fine by the DPC.

Decision on Corrective Powers

Infringements of Articles 5(1)(c), 6(1), 12(2), 15(1), 15(3) and 17(1) GDPR





   63. In deciding on the corrective powers that are to be exercised in respect of the
       infringements of the GDPR outlined above, I have had due regard to the
       Commission's power to impose administrative fines pursuant to section 141 of the
       Act. In particular, I have considered the criteria set out in Article 83(2)(a)-(k) of the
       GDPR. When imposing corrective powers, I am obliged to select the measures
       that are effective, proportionate and dissuasive in response to the particular
       infringements. The assessment of what is effective, proportionate and dissuasive
       must be made in the context of the objective pursued by the corrective measures,
       for example re-establishing compliance with the GDPR or punishing unlawful
       behaviour (or both).[5] I find that an administrative fine would not be necessary,
       proportionate or dissuasive in the particular circumstances in relation to the
       infringements of the Articles of the GDPR as set out above.


   64.In light of the extent of these infringements, the DPC hereby issues a reprimand to
       Groupon, pursuant to Article 58(2)(b) of the GDPR.







Signed: _____________________________

Tony Delaney


Deputy Commissioner

On behalf of the Data Protection Commission















[5] See the Article 29 Data Protection Working Party ‘Guidelines on the application and setting of
administrative fines for the purposes of Regulation 2016/679’, at page 11.