AKI (Estonia) - 18.02.2097
|AKI - 18.02.2097|
|Relevant Law:||Article 5(1) GDPR, Article 5(1)(a) GDPR, Article 12(6) GDPR, Article 60 GDPR|
|National Case Number/Name:||18.02.2097|
|European Case Law Identifier:||EDPBI:EE:OSS:D:2022:333|
|Original Source:||EDPB (in EN)|
|Initial Contributor:||Enzo Marquet|
In an Article 60 GDPR procedure, the Estonian DPA handled three complaints regarding the same controller. The DPA reprimanded the controller for not adequately responding to data subjects' requests. The authority also held that requesting an ID for verification purposes is acceptable when there is reasonable doubt about the data subject's identity (Article 12(6) GDPR).
English Summary
Facts
The Estonian DPA (DPA) acted as a lead supervisory authority for three different complaints regarding the same controller. Although not specifically disclosed, the controller seemed to be a transportation service.
Complaint 1: Latvian data subject
The data subject contacted the controller by e-mail (in Latvian) on 28 September 2018, followed by several follow-ups. At a certain point (not clear from the decision), the data subject filed a complaint with the Latvian DPA because he wanted to receive information regarding data collected about him. The Latvian DPA transferred this complaint on 4 November 2019 to the Estonian DPA. The DPA also sent several inquiries to the controller in 2020. The controller stated that the data subject had already received the requested data and information on 28 October 2018.
Complaint 2: Polish data subject 1
This Polish data subject sent e-mails to three different e-mail addresses on 16 May 2019, requesting access and erasure of his personal data. The data subject also used the application of the controller to request erasure. The controller deleted the account of the data subject but was not able to provide access to personal data. There seemed to be a lot of miscommunication between the data subject and the controller. The controller stated, for example, that the data subject had not read the confirmation of deletion of the first account, while the data subject created a second account to request erasure again. This second account was later also deleted by the controller, without providing access. On 25 June 2019, the data subject filed a complaint with the Polish DPA, which transferred the complaint to the Estonian DPA on 2 January 2020. After several inquiries by the latter, the controller admitted that it had not been able to comply with the access request, caused, among other things, by the abundance of communication channels. The controller stated that it preferred data subjects to submit requests using the controller's application, to be sure that requests were made by the holder of the account. After another inquiry by the DPA, the controller was able to provide the data subject with the requested information.
Complaint 3: Polish data subject 2
On 5 January 2019, the second Polish data subject requested the controller to erase her personal data. However, the controller asked for a picture of the data subject with her ID in order to complete the deletion. The data subject filed a complaint with the Polish DPA on 4 February 2019. It is not clear when the decision was transferred to the Estonian DPA. After an inquiry by the latter, the controller explained that it had reasonable doubt about the identity of the data subject and was therefore allowed to request additional information to confirm the identity of the data subject (Article 12(6) GDPR). The data subject contacted the controller through e-mail. For requests made through the controller's application, ID-verification was not required. The controller also clarified that its legal basis for processing the image and the ID-card was legitimate interest and that this ID-verification would prevent deleting the data of the wrong data subject. The controller also confirmed that it had already deleted the account of the data subject on 22 October 2019.
Holding
Complaint 1: Latvian data subject
The DPA determined that the controller had provided the requested information to the data subject but that the processing could have been more transparent. The controller had to make its replies clearer in general. Specifically, it had to reply in depth about what data had been collected, how data was collected, when data was collected and through what information channels. Because the controller provided more specific answers after inquiries of the DPA, the latter found a reprimand pursuant to Article 58(2)(b) GDPR appropriate. The DPA also stated that the controller did not have to change the email address because it could infringe its copyright.
Complaint 2: Polish data subject
The DPA stated that the abundance of communication channels had created communication problems. It was therefore reasonable for the controller to direct customers with an account to submit their requests using the application. The DPA determined that the personal data had been handed to the data subject and was deleted afterwards. The DPA still stated that the controller could have been more transparent about its processing. The controller should have been more precise when answering the data subject's requests. The DPA stated that the controller was able to provide personal data to an identified data subject, and that it was not necessary for the DPA to start a procedure to achieve this. Despite the fact that the controller provided the information, the DPA deemed it necessary to reprimand the controller pursuant to Article 58(2)(b) GDPR because the data subject was entitled to ask about information collected about them, and the controller had to reply to the data subject within one month (Article 12(3) GDPR). On the mitigating side, the reprimand was also reasonable because the controller had responded to the complainant and had cooperated with the DPA.
Complaint 3: Polish data subject
The DPA confirmed that the account of the data subject had been deleted, so the breach was eliminated. However, the DPA stated again that the data processing could have been more transparent. The controller should have explained the legal grounds of its processing for the ID card better and it should have explained why it was necessary to request an ID card. However, without prejudice to Article 11 GDPR, the controller was allowed to request additional information to verify the identity of a data subject pursuant to Article 12(6) GDPR when it has reasonable doubt about the identity. The DPA also stated that the abundance of communication channels had made it more difficult for the controller to identify users outside the application. It was therefore reasonable to direct customers with an account to use the application for requests. The DPA also reprimanded the controller (Article 58(2)(b) GDPR). The reprimand was again deemed appropriate because the controller provided more specific answers to the complaint after inquiries of the DPA.
Comment
The controller seems to be some sort of transportation service. In paragraph 13.1, it is stated that the data subject did not specify whether or not she was a 'driver or customer'.
Regarding the investigation of the first complaint, the Estonian DPA stated that it had difficulty acquiring information and translations from the Latvian DPA. It was not able to understand the contents of the original request of the data subject. It does not become clear in this decision whether or not the Latvian DPA actually provided the assistance the Estonian DPA requested.
In all three complaints, the DPA issues a reprimand under Article 58(2)(b) GDPR. After this, the DPA draws attention to the fact that pursuant to Article 5(1)(a) GDPR, data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It was also important that persons are not provided with misleading information concerning the processing of data (including the deletion of data). The DPA also reiterated the data subject's right to erasure under Article 17 GDPR at the end of each of the three complaints.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.