DPC (Ireland) - Groupon Ireland Operations Limited
From GDPRhub
| DPC - Groupon Ireland Operations Limited | |
|---|---|
 | |
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 5(1)(c) GDPR Article 6(1) GDPR Article 12(2) GDPR Article 15(1) GDPR Article 15(3) GDPR Article 17(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 19.06.2018 |
| Decided: | 08.03.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | Groupon Ireland |
| National Case Number/Name: | Groupon Ireland Operations Limited |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | English |
| Original Source: | DPC (in EN) |
| Initial Contributor: | lm |
The DPA found that Groupon lacked a legal basis for requiring a data subject’s ID in order to fulfill access and erasure requests, and thus violated data minimisation obligations.
English Summary
Facts
On 11 June 2018, a data subject made an access request and an erasure request to Groupon (the controller) via email. The controller directed the data subject to its online portal, which required the complainant to upload a photo of their ID to verify their identity.
The data subject considered this an obstacle to exercising their GDPR rights and submitted a complaint to the Baden-Württemberg DPA on 19 June 2018. The BW DPA transferred it to the Irish Data Protection Commission (DPC), which it considered to be the leading supervisory authority in this case.
The controller subsequently facilitated the complainant’s requests without requiring verification of identity. Still, the data subject was concerned that their data had not been fully deleted.
The DPC considered two main issues:
- Was the controller’s request for ID to verify the data subject’s identity compliant with the GDPR?
- Did the controller appropriately demonstrate that the complainant’s personal data was fully deleted in response to the erasure request?
Holding
The DPC found that the controller infringed Articles 5(1)(c), 6(1),12(2), 15(1) and (3) and 17(1) GDPR with regard to its request for an ID to verify the data subject’s identity. It issued a reprimand with no monetary penalty.
The DPC found that the controller infringed Article 12(2) GDPR when it requested additional information as to the data subject’s identity. Under Article 12(6) GDPR, a controller may only request additional information where it has reasonable doubts concerning the identity of a person making the request. The controller did not demonstrate such doubts here.
Furthermore, requiring the complainant to provide a copy of their ID to verify their identity for access and erasure requests was a violation of Article 5(1)(c) GDPR. Data minimisation obligations require any requests for additional information to be necessary, proportionate and consistent. In this case, no such verification was required to initially open an account; thus, the controller would have been unable to cross-check the identities claimed. In additional, the controller could have used a less-data driven means to verify the data subject’s identity. Indeed, in October 2018, the controller amended its procedures and to no longer require photo ID in these circumstances.
In addition, the controller violated Articles 15(1) and (3) as well as 17(1) GDPR by failing to comply with the data subject’s initial access or erasure requests when initially made without a lawful basis for not complying.
The DPC also determined that the controller infringed Article 6(1) GDPR by continuing to process the complainant’s personal data following receipt of their initial request for erasure.
Finally, the DPC found no infringement concerning whether the controller had appropriated demonstrated that the data subject’s personal data was fully deleted.
The DPC issued a reprimand with no monetary penalty. In doing so, it considered that the controller no longer required photographic ID to verify a data subject’s identity for the purpose of exercising rights under the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
DPC Complaint Ref:
IMI Ref:
Complaint Received From: Baden-Wurttemburg DPA
Date Of Decision: 8 March 2024
Complainant:
Data Controller: Groupon International Limited
Re: v Groupon International Limited
DECISION
This is a Decision of the Data Protection Commission of Ireland (“DPC”) in relation to
DPC complaint reference, (hereinafter referred to as the “Complaint”),
submitted by (“Complainant”) against Groupon International Limited (“Groupon”) to
the Baden-Wurttemburg Data Protection Authority (“BW DPA”). As the subject matter of
the Complaint was determined to be cross-border in nature, the Complaint was
subsequently transferred to the DPC, as the Lead Supervisory Authority (“LSA”) for
Groupon.
This Decision is made pursuant to the powers conferred on the DPC by section 113(2)(a)
of the Data Protection Act 2018 (“Act”) and Article 60 of the General Data Protection
Regulation (“GDPR”).
Communication of Draft Decision to “supervisory authorities concerned”
In accordance with Article 60(3) GDPR, the DPC is obliged to communicate the relevant
information and submit a draft decision, in relation to a complaint regarding cross border
processing, to the supervisory authorities concerned for their opinion and to take due
account of their views.
In accordance with its obligation, the DPC transmitted a Draft Decision in relation to the
matter to the “supervisory authorities concerned”. As Groupon offers services across the
1EU, and therefore the processing is likely to substantially affect data subjects in every EU
member state, the DPC in its role as lead supervisory authority identified that each
supervisory authority is a supervisory authority concerned as defined in Article 4(22) of
the GDPR. On this basis, the Draft Decision of the DPC in relation to the Complaint was
transmitted to each supervisory authority in the EU and EEA for their opinion.
Background to the Complaint
1. On 11 June 2018, the Complainant contacted Groupon by email requesting access
to their personal data and the subsequent erasure of those personal data. The
Complainant sent this email to a number of different channels within Groupon. The
Complainant also telephoned Groupon on 13 and 14 June 2018 in relation to their
access and erasure requests.
2. In response, the Complainant was directed to submit their requests via Groupon’s
online portal, which required the Complainant to upload a copy of an ID document
in order to verify their identity.
3. The Complainant considered this requirement to be excessive and an obstacle to
the exercise of their rights. The Complainant also noted that no such requirements
were in place in order to register or create an account with Groupon. Accordingly,
on 19 June 2018, the Complainant submitted a Complaint to the BW DPA. The
Complaint at this point was solely in relation to the Complainant’s concerns about
being asked to upload a copy of an ID document. In the circumstances where the
DPC was deemed to be the competent authority for the purpose of Article 56(1)
GDPR, the BW DPA subsequently transferred the Complaint to the DPC.
Complaint Handling and Investigation by the DPC
4. On 1 February 2019, the DPC wrote to Groupon formally commencing its
investigation and requesting that Groupon address the concerns raised.
5. In response, Groupon explained that it had since changed its verification
requirements in October 2018 so that photo ID is no longer required, and that it
now authenticates data subject rights requests on the basis of the associated email
address in order to ensure the request is valid in accordance with GDPR
requirements. Groupon invited the Complainant to submit another request which
Groupon would process in accordance with this new system.
26. The Complainant subsequently submitted a new access and erasure request on
17 April 2019 both via email and via Groupon’s portal. In response to the erasure
request, Groupon advised the Complainant as follows:
“After the deletion of your personal information, we will only store your
personal information when it is necessary to continue to operate our
business effectively, including your transactions for financial reporting or
fraud prevention purposes until they are no longer necessary to comply with
our legal obligations, settle disputes and enforce our agreements.
If you have previously purchased through Groupon, the data may include
your customer number, name, e-mail address, billing address, delivery
address, payment details, purchased items, and invoice amount.
These data are stored on a completely separate system and used only for
ongoing fraud prevention purposes. The data stored on this system is kept
for a strictly limited period of time (two years) and then deleted. In particular,
for purposes of fraud prevention, we store information about transactions
made through Groupon to ensure that your account has not been exposed
to fraud. It is also in the customer's interest that we can analyze traffic
patterns on our platform to prevent fraudulent activity. In accordance with
Article 21 GDPR, we have a reasonable and legitimate interest in the fight
against fraud in order to retain personal data for this strictly limited purpose.”
7. The access request was completed by Groupon on 10 May 2019. Groupon availed
of the two month extension provided by Article 12(3) GDPR in order to complete
the erasure request. The erasure request was completed on 5 June 2019. The
Complainant received confirmation of the completion of the erasure request on 11
June 2019. In that confirmation, Groupon stated as follows:
“Hello,
Regarding your request to deletion TYIQZV from 04/17/2019, we hereby
inform you that we have deleted all personal data concerning the e-mail
address [Complainant’s email address], subject to the following legal
requirements:
3 - The storage of personal data in our systems is necessary for us to fulfil
our legal obligations (e.g. personal data in invoices for financial reporting
purposes).
- The storage of personal data is necessary for us to establish, assert and/or
defend legal claims.
- The storage of personal data in our systems is necessary for the limited
purpose of ongoing fraud prevention. This personal information is stored in
a separate system that is accessible for limited purposes only.
In the confidence that this response will fulfil your request, we will consider
it closed. If you require further information, you can submit a new request
via the Groupon Privacy Portal.
Thank you,
Groupon Privacy Team”
8. In response to this confirmation notification, the Complainant wrote to Groupon
again asking for confirmation as to whether all their personal data had been
deleted completely. In the event that this was not the case, the Complainant asked
for further information about the data retained, and about where, how long and by
whom the data are stored:
“Hello Groupon Privacy Team,
From your message/reply I can not clearly see whether all pesonal data
concerning my e-mail address [Complainant’s email address] have been
deleted completely.
Therefore the question: Have all my personal data been deleted
completely? Yes or no?
If the answer to my question is "no", I would like to know:
- Which data are concerned?
- Who stores and/or processes this data?
- Where is this data stored? (Which location? Which country?)
- How long is this data stored? (Please specify the exact date on which the
final deletion will take place.)
- I would like to get a precise explanation for this.
4 Kind regards,”
9. A copy of the Complainant’s correspondence above was forwarded to the DPC for
further investigation, and the DPC duly followed up with Groupon in relation to the
concerns raised and requested that Groupon identify to the Complainant the
specific information it had retained. In response, Groupon stated as follows:
“…we are unfortunately not in a position to advise the data subject the
precise information that has been retained in relation to his account. Our
policy is not to disclose data that we retain for fraud prevention purposes,
and to give priority to preventing fraud in order to protect our business and
the best interests all of our customers. We have already advised the data
subject of the data that we may retain for the purposes of fraud prevention.
This is in accordance with our policy and relevant GDPR requirements.
I confirm that the information is retained as per policy in its original form.”
At this point, the DPC noted that the unspecified personal data that Groupon
continued to retain about the Complainant was for the purposes of fraud prevention
(“retained data”) and that, as set out in Groupon’s response to the erasure request
of 17 April 2019 (see paragraph 6 above), these data would be retained for a period
of 2 years.
10.The DPC provided Groupon’s response above to the Complainant for their views.
The Complainant was not satisfied with the response and queried whether the
retained data had been or would be transferred to any third parties prior to its
deletion, where any such third parties are located, and the appropriate measures
applied by Groupon to any transfers of the retained data to third countries. The
Complainant also noted that the last transaction they had carried out with Groupon
was almost three years ago, and wanted to know the exact date on which the
retained data would be deleted.
11.Groupon provided a substantive response addressing the Complainant’s queries
in relation to third party transfers, which included a list of third parties to whom their
data had been transferred and confirmation that each of those third parties had
been informed of the Complainant’s erasure request.
512.In relation to the Complainant’s query about the exact date their data would be
deleted, Groupon stated that it was not possible to provide a specific date and nor
was it possible to inform customers as to when their data has been deleted. The
Complainant was dissatisfied at this response, stating that “I cannot discern when
the two years indicated by Groupon will have expired and how I can/will then find
out that my data has indeed been irrevocably deleted”.
13.The DPC subsequently put the Complainant’s outstanding concerns to Groupon.
In response, Groupon stated as follows:
“I confirm that [the Complainant’s] data was deleted from our systems,
effective 30 August 2018, two years after the last transaction on his account.
This was in accordance with our Records Retention Policy as advised in
previous responses to this complaint. Please note that it is not our practice,
nor indeed industry standard practice, to inform all customers when their
data has been deleted in accordance with policy. We believe it is not a
GDPR requirement to do so, while we endeavour at all times to provide
information as necessary to comply with GDPR requirements and in the
interests of transparency.
14.This response created some confusion for the Complainant, who noted that
Groupon had previously provided them with confirmation following their deletion
request (see paragraph 7 above) that certain data (i.e. the retained data) were
being retained by Groupon. The DPC subsequently raised these inconsistencies
with Groupon and requested that it clarify the position.
15.Groupon then carried out an internal investigation into the matter and, by way of
clarification, provided the DPC with a full timeline of the actions taken by Groupon
in relation to the Complainant’s account and its responses provided to the
Complainant. In this regard, Groupon stated as follows:
“Groupon wishes to highlight the following relevant facts to the DPC from the
table below, which we hope will rectify any confusion about our handling of the
Data Subject's erasure request:
The Data Subject made his last purchase with Groupon on 30 August 2016.
6 Information about the Data Subject's purchases with Groupon was retained
for the purposes of fraud prevention for two years and then deleted, in line
with Groupon's records retention policy.
Our standard response to a deletion request informs data subjects that
information may be retained for fraud prevention purposes, but this only
applies where a purchase was made less than two years before the date a
deletion request was received.
Here, the information held on Groupon's fraud database in respect of the
Data Subject's last purchase was deleted by 30 August 2018 - two years
after his last purchase on the site. However at this time, Groupon still held
personal data in respect of the Data Subject including his account
registration information and purchase details within it’s main database.
On 17 April 2019 [the Complainant] submitted an access request and
request for deletion of data to Groupon’s customer service through email
(info@groupon.de) and through the Groupon Privacy Portal (copy attached
as Document 1). Groupon responded to that access request on 10 May
2019 (copy attached as Document 2) in which Groupon confirmed the
information it held about the Data Subject. Note that at this date (i.e. 10 May
2019), the information held on the Data Subject on Groupon's fraud
database had already been deleted in accordance with Groupon's records
retention policy, as noted immediately above.
The Data Subject's request for deletion of all remaining personal data held
by Groupon was initiated within Groupon on 10 May 2019. Groupon went
on to delete all account registration information, purchase history,
communications with customer service and other relevant information (i.e.
the remaining personal data held by Groupon about the Data Subject) in
satisfaction of that request by 5 June 2019.
On 5 June 2019, the Data Subject was notified that his deletion request was
completed (copy attached as Document 3), which included Groupon's
standard response sent to data subjects when a request is completed and
includes information to indicate that information could be retained under
certain circumstances.
Regrettably, a lack of further investigation on our part created some
confusion for the Data Subject who went on to request what, if any,
information about him had been retained on Groupon's systems (copy
attached as Document 4). Further, this fact was not communicated to the
DPC in subsequent exchanges with the DPC between 21 June 2019 and
7 17 January 2020, resulting in further confusion and uncertainty, for which
we sincerely apologise.
We have checked our records and can confirm that the response provided
by Groupon's (then) DPO on 1 July 2019 and 15 August 2019 did not
correctly reflect the situation. Those communications should have instead
confirmed that no personal data about the Data Subject was retained in any
of Groupon’s databases, including the fraud database. From the point at
which the erasure request was satisfied on 5 June 2019, the only
information held about the Data Subject by Groupon was any information
held in the context of handling this complaint, Groupon's exchanges with
the Data Subject and the DPC, and information related to his access and
deletion requests within the Privacy Portal.
Taking all of this into account, I can confirm that Groupon no longer processes
any data relating to the Data Subject (other than in the context of handling the
access and deletion request and this complaint)”.
16.In summary, in light of this information, the DPC understood that the retained data
had in fact been deleted on 30 August 2018 (two years from the date of the
Complainant’s last purchase on their account) and that the confusion seemed to
stem from the fact that Groupon had included a generic or standard confirmation
response to the Complainant’s erasure request which suggested that further data
had been retained. As clarified by Groupon however, this was not correct and all
personal data it held about the Complainant were fully deleted at the time the
erasure request was completed on 5 June 2019 (save for “any information held in
the context of handling this complaint, Groupon's exchanges with the Data Subject
and the DPC, and information related to his access and deletion requests within
the Privacy Portal”).
17.A substantive response detailing the explanations above was subsequently
provided to the Complainant (via the DPC) by Groupon. However, the Complainant
did not accept Groupon’s confirmation that their personal data had been fully
deleted and stated that “[d]ata are only deleted when they are actually and
irretrievably deleted”. The Complainant therefore further stated as follows:
“I hereby reiterate my demand and expect it to be fulfilled in a timely manner:
8 Groupon and the Irish DPC may please confirm the complete and
irretrievable deletion of my data from all systems and media.
The Irish DPC shall please explain how it ensures or has ensured that
Groupon actually and verifiably deletes or has deleted my data completely
and irretrievably from all systems and media (e.g. also from possible
backups).”
18.The DPC then put the Complainant’s outstanding concerns above to Groupon and
specifically sought appropriate documentary evidence (e.g. erasure logs, relevant
screenshots, etc.) to demonstrate that all of the Complainant’s personal data had
been permanently deleted.
19.In response, Groupon provided the DPC with a zip folder containing an Excel file
of exported system logs relating to the Complainant’s requests, as well as an
explanatory note to assist both the Complainant and the DPC in understanding the
technical information contained in the file.
20.Two requests were recorded in the Excel file, labelled ‘TYIQZV’ and ‘JWXDYL’.
Regarding the contents of the Excel file, Groupon explained the column headings
and the details contained within the entry labelled ‘TYIQZV’ as follows:
“Deadline and extension - The Deadline was extended because request
included both Data Access as well as Deletion afterwards and possible
technical issues.
Completed date - this is the Date the full data deletion was confirmed to the
customer.
Request Type is set to "deletion" as this was the last request type chosen as
it was changed during processing, (later a because of the occurring need there
was a [sic] additional type introduced in the system, access/deletion for this
type of cases.)
Last Public Reply Date - this is the Last message sent by Groupon to the
customer, due to the following complaint/second request that followed the data
deletion process, the conversation was continued within the first request.
Stage and Completed Sub-Tasks - Completed means the status of the
request was set to completed due to the data subjects Data Deletion,
completed Sub-Tasks 4/4 means that the system got 4 confirmations from 4
tasks assigned to our system categories used - one for data bases and second
9 was communications systems, 4 subtasks means that the access request and
deletion request were handled in the same request.”
21.Regarding the entry labelled ‘JWXDYL’, Groupon explained as follows:
“The second request was a follow-up question from the data subject and was
sent to us because the automatic system response suggested that we may hold
some personal data even after the deletion - this is true because depending on
the legal obligations on specific markets, this data is however anonymized, if
held at all.”
22.Groupon advised the DPC that OneTrust was its data privacy requests software
provider at the time, and that Groupon changed its data privacy requests software
provider from OneTrust to Transcend in October 2021. Groupon further advised
that the system logs were exported from its OneTrust system prior to this
changeover and that “we are not able to recover any more details from the
requests, because…the system we used was decommissioned, and even then,
the request related files were recoverable within the system for about 6 months
after that they were also permanently deleted.”. As such, the DPC understood from
Groupon that the exported system logs constituted the totality of the data Groupon
continued to hold about the Complainant and that any other data had already been
permanently deleted. Groupon also provided the DPC with a file containing system
screenshots from its Transcend system which displayed no search results against
the Complainant’s details.
23.The DPC subsequently provided the Complainant with a copy of the Excel file
together with Groupon’s explanations and asked the Complainant whether they
were now satisfied with the explanations provided. In response, the Complainant
stated that they remained unsatisfied and repeated their previous request that the
DPC “please explain how it ensures or has ensured that Groupon actually and
verifiably deletes or has deleted my data completely and irretrievably from all
systems and media (e.g. also from possible backups)."
10Section 109(2) of the Act
24.Under section 109(2) of the Act, the DPC may, where it considers that there is a
reasonable likelihood of the parties reaching, within a reasonable time, an
amicable resolution of the subject matter of a complaint, take such steps as it
considers appropriate to arrange or facilitate such a resolution. The DPC engaged
with both parties to attempt to achieve an amicable resolution of the Complaint.
However, these attempts were ultimately unsuccessful.
25.The DPC advised Groupon via correspondence dated 19 September 2023 that it
had been unable to facilitate the amicable resolution of the Complaint.
26.Prior to its preparation of this Decision, the DPC prepared a Preliminary Draft
Decision for the purposes of facilitating the parties in exercising their respective
rights to be heard in relation to this Decision. The DPC then prepared a Draft
Decision, which was transmitted to the supervisory authorities concerned pursuant
to Article 60(3) GDPR.
Notification of the Preliminary Draft Decision to Groupon
27.The DPC provided Groupon with a copy of its Preliminary Draft Decision on 13
December 2023 and invited submissions from Groupon.
28.By correspondence dated 21 December 2023, Groupon confirmed that it had no
submissions to make and that it considered the decision to be fair in the
circumstances.
Notification of the Preliminary Draft Decision to the Complainant
29.The DPC provided the Complainant (via the BW DPA) with a copy of its Preliminary
Draft Decision on 28 December 2023 and invited submissions from the
Complainant. The BW DPA issued the Complainant with the Preliminary Draft
Decision on 2 February 2024.
30.By correspondence dated 5 February 2024, the Complainant provided their
submissions on the Preliminary Draft Decision.
11 31.The DPC has carefully considered the submissions of the Complainant in making
this Decision. The DPC’s consideration of these submissions is set out at
paragraphs 55-58 below.
Transmission of the Draft Decision to the Supervisory Authorities Concerned
32.The DPC transmitted the Draft Decision to the supervisory authorities concerned
in accordance with Article 60(3) GDPR on 8 February 2024. The DPC did not
receive any relevant and reasoned objections under Article 60(4) GDPR.
33.Given that no relevant and reasoned objections were received from any of the
supervisory authorities concerned within a period of four weeks, after having been
consulted on 8 February 2024, the DPC did not revise the Draft Decision.
Issues Under Investigation and Applicable Law
34.The objective of the investigation of the Complaint by the DPC was to ascertain
whether Groupon had responded to the Complainant’s access and erasure
requests in a manner compliant with the GDRR.
35.The Complaint initially concerned Groupon’s requirement that the Complainant
upload an ID document in order to exercise their rights of access and erasure,
However, on 17 April 2019 following the commencement of the DPC’s investigation
and as explained at paragraphs 5 and 6 above, the Complainant subsequently
submitted new access and erasure requests. These new requests were, in effect,
re-submissions of the original requests. Although the Complainant was provided
with access to their data at that point, the Complainant did not accept that their
data were fully deleted thereafter. Accordingly, the scope of the DPC’s
investigation concerned Groupon’s facilitation of the Complainant’s access and
erasure requests as a whole, including both the original and ‘re-submitted’ access
and erasure requests, as well as Groupon’s ID requirements in relation to the
original requests.
36.Following the conclusion of its investigation, the DPC identified the following issues
to be considered in this Decision:
12 a. Whether Groupon’s request for ID in order to verify the Complainant for the
purposes of their original access and erasure requests was compliant with
the GDPR.
b. Whether Groupon had appropriately demonstrated that the Complainant’s
personal data were fully deleted in response to the erasure request.
c. Whether Groupon was obliged to identify the specific information contained
within and constituting the retained data.
37.For the purposes of its investigation and assessment of the Complaint, the DPC
has considered the following Articles of the GDPR:
a. Article 15, which provides for a data subject’s right of access.
b. Article 17, which provides for a data subject’s right of erasure. Article 17(3)
sets out the circumstances where further retention of personal data will be
lawful notwithstanding the receipt of an erasure request.
c. Article 5(1)(c), which provides for the principle of data minimisation.
d. Article 6(1), which provides that processing shall be lawful only if and to the
extent that at least one of the lawful bases provided for under Articles
6(1)(a)-(f) applies.
e. Article 12(2), which obliges controllers to “facilitate the exercise of data
subject rights…”
f. Article 12(6), which provides (without prejudice to Article 11) that “where the
controller has reasonable doubts concerning the identity of the natural
person making the request referred to in Articles 15 to 21, the controller may
request the provision of additional information necessary to confirm the
identity of the data subject.”
Analysis and Findings
Issue 1: Whether Groupon’s request for ID in order to verify the identity of the
Complainant for the purposes of their original access and erasure requests was
compliant with the GDPR.
38.As noted at paragraph 37(f) above, Article 12(6) GDPR provides that a controller
may only request additional information where it has reasonable doubts
concerning the identity of the person making a request. Article 12(6) further
provides that, in such circumstances, controllers may only request additional
information that is “necessary to confirm the identity of the data subject”. It follows
13 from this that a controller must be able to demonstrate its reasonable doubts and
further demonstrate how the type of additional information requested is necessary
in order to overcome those doubts.
39.The EDPB’s ‘Guidelines 01/2022 on data subject rights – Right of access’ (Access
1
Guidelines) explain how any request by a controller for additional information in
order to confirm a data subject’s identity must be necessary, proportionate and
consistent with the principle of data minimisation under Article 5(1)(c) GDPR. For
example, paragraphs 67 and 68 state as follows:
“In cases where the controller requests or is provided by the data subject
with additional information necessary to confirm the identity of the data
subject, the controller shall, each time, assess what information will allow it
to confirm the data subject’s identity and possibly ask additional questions
to the requesting person or request the data subject to present some
additional identification elements, if it is proportionate (see section 3.3).
In order to allow the data subject to provide the additional information
required to identify his or her data, the controller should inform the data
subject of the nature of the additional information required to allow
identification. Such additional information should not be more than the
information initially needed for the authentication of the data subject. In
general, the fact that the controller may request additional information to
assess the data subject’s identity cannot lead to excessive demands and to
the collection of personal data which are not relevant or necessary to
strengthen the link between the individual and the personal data
2
requested.”
40.The Access Guidelines further explain that a proportionality assessment should be
carried out regarding the identification of the requesting person:
“…if the controller has reasonable grounds for doubting the identity of the
requesting person, it may request additional information to confirm the data
subject’s identity. However, the controller must at the same time ensure that
it does not collect more personal data than is necessary to enable
authentication of the requesting person. Therefore, the controller shall carry
1
2EDPB Guidelines 01/2022 on data subject rights – Right of access, Version 2.0, Adopted 28 March 2023.
Ibid, paras 67-68.
14 out a proportionality assessment, which must take into account the type of
personal data being processed (e.g. special categories of data or not), the
nature of the request, the context within which the request is being made,
as well as any damage that could result from improper disclosure. When
assessing proportionality, it should be remembered to avoid excessive data
collection while ensuring an adequate level of processing security.” 3
41.Significantly, the Access Guidelines note the heightened risk involved where an
identity document is requested, and state that such a form of identification “should
be considered inappropriate, unless it is necessary, suitable, and in line with
national law” and that “[i]n such cases the controllers should have systems in place
that ensure a level of security appropriate to mitigate the higher risks for the rights
4
and freedoms of the data subject to receive such data.”
42.In this case, Groupon initially required the Complainant to submit a copy of their
photographic ID in order to process their access and erasure requests. The DPC
further understands that the provision of a copy of such data was not a requirement
at account opening stage and, therefore, Groupon had no means to check the
veracity of any such information that the Complainant may have submitted.
43.Having regard to the above, the DPC determines that Groupon infringed Article
5(1)(c), by its failure to adhere to the principle of data minimisation. In particular,
this infringement occurred when Groupon initially required submission of a copy of
the Complainant’s photographic ID in order to verify account ownership for the
purposes of processingtheir access and erasure requests, in circumstances where
no such verification appeared to have been obtained or required in order to initially
open an account. It is also clear that a less data-driven means of verification
(namely, by way of the email address associated with the account) was available
to Groupon, and this is reflected in Groupon’ssubsequent change to its procedures
in October 2018, whereby the requirement to submit photographic ID was
discontinued.
44.In addition Groupon has not demonstrated or indicated that it had reasonable
doubts as to the Complainant’s identity, such as would have justified it in
requesting the provision of additional information to confirm their identity (in the
form of photographic ID) under Article 12(6) GDPR. The fact that Groupon
3
4Ibid, para 70.
Ibid, para 74.
15 ultimately gave effect to the erasure request in the absence of the submission of a
copy of photographic ID demonstrates that no such reasonable doubts concerning
the identity of the Complainant existed. As such, the DPC determines that the
request for additional identification was an infringement of Article 12(2) GDPR.
45.In summary, Groupon should not have requested that the Complainant provide
photographic ID when they submitted their access and erasure requests without
establishing that there was a reasonable doubt concerning their identity or whether
the requested document was relevant and proportionate.
46.It follows from the above that Groupon failed to comply with the Complainant’s
initial access and erasure requests at the time they were made without a lawful
basis for not complying. Therefore, the DPC determines that Groupon infringed the
Complainant’s right to access under Articles 15(1) and 15(3) GDPR and the
Complainant’s right to erasure under Article 17(1) GDPR. As outlined at paragraph
43 above, the requirement in place at the time for a requesting data subject to
provide photographic ID in order to give effect to the request is adjudged to be
inconsistent with the principle of data minimisation as set out in Article 5(1)(c)
GDPR. As such, it was not valid for Groupon to seek to rely on this requirement as
a basis on which not to comply with the Complainant’s initial requests for access
to and erasure of their personal data.
47.In addition, the DPC determines that Groupon infringed Article 6(1) GDPR by
continuing to process the Complainant’s personal data following receipt of their
initial request for erasure. The validity of each of the Complainant’s requests has
not been disputed, and Groupon’s request for verification is adjudged to have been
inconsistent with the principle of data minimisation pursuant to Article 5(1)(c)
GDPR, as outlined above at paragraph 43. As such, Groupon’s requirement for a
copy of photographic ID was invalid and the request for erasure should have been
complied with when received, subject to the Complainant’s account ownership
being verified by other, more appropriate means.
48.For the reasons set out at paragraphs 38-47 above, the DPC finds that
Groupon:
a. infringed Article 5(1)(c) GDPR by having initially required the
Complainant to provide a copy of their ID in order to verify their
identity for the purposes of their access and erasure requests, in
16 circumstances where no such verification appeared to have been
obtained or required in order to initially open an account and a less
data-driven means of verification (namely, by wayof the email address
associated with the account) was available to Groupon;
b. infringed Article 12(2) GDPR by initially requesting additional
information as to the Complainant’s identity at the time they made
their access and erasure requests, in circumstances where it has not
demonstrated that reasonable doubts existed concerning the
Complainant’s identity that would have necessitated the application
of Article 12(6) of the GDPR;
c. infringed Articles 15(1), 15(3) and 17(1) GDPR by having failed to
comply with the Complainant’s initial access and erasure requests at
the time they were made without a lawful basis for not complying, in
circumstances where Groupon’s request (as a prerequisite to
responding to the initial access and erasure requests) for
photographic ID has been found to be an infringement of Article 5(1)(c)
GDPR; and
d. infringed Article 6(1) GDPR by continuing to process the
Complainant’s personal data following receipt of their initial request
for erasure.
Issue 2: Whether Groupon has appropriately demonstrated that the Complainant’s
personal data were fully deleted in response to the erasure request
49.As set out at paragraphs 19-21 above, Groupon provided both the DPC and the
Complainant with an Excel file containing exported system logs relating to the
Complainant’s requests, as well as an explanatory note to assist both the
Complainant and the DPC in understanding the technical information contained in
the file. The DPC carefully considered the information contained within the Excel
file and noted that the data related solely to administrative and technical details
about the Complainant’s requests and that those details themselves were
consistent with Groupon’s position that the remainder of the Complainant’s
personal data had been fully deleted (in particular the entries for ‘Completed Date’
and ‘Stage and Completed Sub-Tasks’ as described at paragraph 20 above).
1750.Although the Complainant was not satisfied with these explanations when they
were put to them, the DPC notes that no evidence was provided by the
Complainant to suggest that, at this time, Groupon had failed to fully delete the
Complainant’s personal data (save for the limited administrative data relating to
the Complainant’s request and the Complaint, as contained within the Excel file).
There are obvious logical difficulties in proving the non-existence of personal data
in the absence of evidence or any reasonable doubts being proffered to the
contrary. Although the Complainant clearly held concerns that their data may not
have been fully deleted, the DPC found Groupon’s evidence and explanations to
be more persuasive.
51.As set out at paragraph 22 above, Groupon also provided the DPC with a further
file containing system screenshots from its Transcend system (which replaced its
previous OneTrust system in October 2021) which displayed no search results
against the Complainant’s details. This was also consistent with Groupon’s
position that the remainder of the Complainant’s personal data had been fully
deleted.
52.The DPC was also satisfied that the data contained within the Excel file, insofar as
they constituted personal data, appeared to have been retained by Groupon solely
for record-keeping purposes in order to maintain a proper record of the fact that
those requests had been addressed. As such, it is the DPC’s view that the retention
of such data was appropriate for the purposes of demonstrating Groupon’s
compliance with the GDPR, as required pursuant to Articles 5(2) and 24(1) GDPR.
53.The DPC considered the information and explanations provided by Groupon to be
sufficiently comprehensive. It is the DPC’s view that, in the absence of evidence
to support the existence of any further data being retained, the information and
explanations provided by Groupon ought to have allayed any reasonable concerns
the Complainant may have had regarding the permanent deletion of their data.
54.Having carefully considered the evidence provided by Groupon as referred to
above, and noting also Groupon’s efforts to demonstrate compliance with its
accountability obligations despite the length of time that had now passed since the
data was confirmed (by Groupon) to have been deleted, it is the DPC’s view that
it is reasonable for it to conclude that, save for the limited administrative data
contained within the exported system logs, the Complainant’s personal data had
been fully deleted.
1855.In their submissions on the Preliminary Draft Decision, the Complainant indicated
their dissatisfaction with the DPC’s (then-provisional) conclusions set out above
regarding Groupon’s evidence and explanations as to the erasure of their personal
data. In summary, the Complainant was of the view that the DPC was required to
“carry out appropriate in-depth checks (e.g. find out where [the Complainant’s]
personal data has been stored, copied, backed up, archived by Groupon) and
ensure that the personal data in question has indeed been completely and
irretrievably deleted from all systems and media instead of believing Groupon's
Excel file and screenshots.”
56.In an effort to assuage the Complainant’s doubts as expressed in their
submissions, the DPC decided, on an exceptional basis, to subsequently carry out
an examination of Groupon’s databases to further test Groupon’s evidence as to
the full erasure of the Complainant’s personal data.
57.During this exercise, on 7 February 2024, the DPC examined Groupon’s (i)
“Cyclops” Customer Database, which consisted of a US version and an
International version (the latter broken down into an extensive list of countries
where Groupon’s customers are located); (ii) Customer Mailing Database, which
consisted of a US version and a single International version; (iii) Merchant
Database, which consisted of a single International version; and (iv) One Trust
Request Log, which the DPC noted corresponded with the exported system logs
referred to at paragraphs 19-22 above.
58.This examination involved entering the Complainant’s details into each of the
databases mentioned above, which included, where applicable, the US and
International versions as well as each of the various countries listed on the
International version of the “Cyclops” Customer Database. On each occasion, no
results were returned save for in relation to the Customer Mailing Database, which
returned just two results consisting solely of the two emails exchanged between
the DPC and Groupon earlier that day to arrange the time for the examination (and
which included the Complainant’s first name and surname in the ‘Subject’ field for
the purposes of identifying the complaint). In light of these results, the DPC was
further satisfied that Groupon had appropriately demonstrated the permanent
deletion of the Complainant’s personal data (save for the limited administrative
data contained within the Excel file of exported system logs, and the first name
and surname of the Complainant as contained within the ‘Subject’ field of the two
19 emails exchanged between the DPC and Groupon) as per their erasure request.
For the avoidance of doubt, Groupon also confirmed directly to the DPC officers
who carried out the examination that Groupon did not retain any personal data
belonging to the Complainant.
59.Based on the facts and analysis set out at paragraphs 49-54 above, the DPC
concludes that Groupon has appropriately demonstrated that the
Complainant’s personal data (save for the limited administrative data
contained within the Excel file of exported system logs, and the first name
and surname of the Complainant as contained within the ‘Subject’ field of
the two emails exchanged between the DPC and Groupon) were fully deleted
in response to the erasure request. This conclusion is further bolstered by
the results of the DPC’s examination as described at paragraphs 56-58
above. Accordingly, the DPC finds that no infringement of GDPR by Groupon
has occurred in respect of this issue.
Decision on Infringements of GDPR
60.Following the investigation of the Complaint against Groupon, the DPC finds that
in the circumstances of this Complainant’s case, Groupon infringed the GDPR as
follows:
For the reasons set out at paragraphs 38-43 above, the DPC finds that
Groupon infringed Article 5(1)(c) GDPR by having initially required the
Complainant to provide a copy of their ID in order to verify their identity for
the purposes of their access and erasure requests, in circumstances where
no such verification appeared to have been obtained or required in order to
initially open an account and a less data-driven means of verification
(namely, by way of the email address associated with the account) was
available to Groupon;
For the reasons set out at paragraph 44 above, the DPC finds that Groupon
infringed Article 12(2) GDPR by initially requesting additional information as
to the Complainant’s identity at the time they made their access and erasure
requests, in circumstances where it has not demonstrated that reasonable
doubts existed concerning the Complainant’s identity that would have
necessitated that application of Article 12(6) of the GDPR;
20 For the reasons set out at paragraph 46 above, the DPC finds that Groupon
infringed Articles 15(1), 15(3) and 17(1) GDPR by having failed to comply
with the Complainant’s initial access and erasure requests at the time they
were made without a lawful basis for not complying, in circumstances where
Groupon’s request (as a prerequisite to responding to the initial access and
erasure requests) for photographic ID has been found to be an infringement
of Article 5(1)(c) GDPR; and
For the reasons set out at paragraph 47 above, the DPC finds that Groupon
infringed Article 6(1) GDPR by continuing to process the Complainant’s
personal data following receipt of their initial request for erasure.
Remedial Measures by Groupon
61.In respect of these infringements, it is noted that Groupon no longer requires
photographic ID in order to verify a data subject’s identity for the purposes of
exercising their data subject rights under GDPR. This process was terminated in
October 2018. Groupon’s procedure for facilitating the exercise of data subject
rights now relies on email authentication instead.
Judicial Remedies With Respect to Decision of the DPC
62.In accordance with Article 78 GDPR, both Groupon and the Complainant have a
right to an effective judicial remedy against a legally binding decision of a
supervisory authority. Pursuant to section 150(5) of the Act , an appeal to the Irish
Circuit Court or the Irish High Court may be taken by a data subject or any other
person (this includes a data controller) affected by a legally binding decision of the
DPC within 28 days of receipt of notification of such decision. An appeal may also
be taken by a data controller within 28 days of notification; under section 150(1)
against the issuing of an enforcement notice and/or information notice by the DPC
against the data controller; and under section 142, against any imposition upon it
of an administrative fine by the DPC.
Decision on Corrective Powers
Infringements of Articles 5(1)(c), 6(1), 12(2), 15(1), 15(3) and 17(1) GDPR
21 63.In deciding on the corrective powers that are to be exercised in respect of the
infringements of the GDPR outlined above, I have had due regard to the
Commission's power to impose administrative fines pursuant to section 141 of the
Act. In particular, I have considered the criteria set out in Article 83(2) (a)-(k) of the
GDPR. When imposing corrective powers, I am obliged to select the measures
that are effective, proportionate and dissuasive in response to the· particular
infringements. The assessment of what is effective, proportionate and dissuasive
must be made in the context of the objective pursued by the corrective measures,
for example re-establishing compliance with the GDPR or punishing unlawful
behaviour (or both) . I find that an administrative fine would not be necessary,
proportionate or dissuasive in the particular circumstances in relation to the
infringements of the Articles of the GDPR as set out above.
64.In light of the extent of these infringements, the DPC hereby issues a reprimand to
Groupon, pursuant to Article 58(2)(b) of the GDPR.
Signed: _____________________________
Tony Delaney
Deputy Commissioner
On behalf of the Data Protection Commission
5
See the Article 29 Data Protection Working Party 'Guidelines on the application and setting of
administrative fines for the purposes of Regulation 2016/679’, at page 11.
22
