AKI (Estonia) - 18.02.2022: Difference between revisions

From GDPRhub
mNo edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 65: Line 65:
}}
}}


In an [[Article 60 GDPR|Article 60]] GDPR procedure, the Estonian DPA handled three complaints regarding the same controller. In all complaints, it reprimanded the controller for not adequately responding to data subject's requests. In the third complaint, the DPA confirmed that requesting an ID for verification is acceptable when there is reasonable doubt about the data subject's identity ([[Article 12 GDPR|Article 12(6) GDPR]]).   
In an [[Article 60 GDPR]] procedure, the Estonian DPA handled three complaints regarding the same controller. The DPA reprimanded the controller for not adequately responding to data subject's requests. The authority also held that requesting an ID for verification purposes is acceptable when there is reasonable doubt about the data subject's identity ([[Article 12 GDPR#6|Article 12(6) GDPR]]).   


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The Estonian DPA (DPA) acted a lead supervisory authority for three different complaints regarding the same controller. Although not specifically disclosed, the controller seemed to be a transportation service.   
The Estonian DPA (DPA) acted as a lead supervisory authority for three different complaints regarding the same controller. Although not specifically disclosed, the controller seemed to be a transportation service.   


<u>Complaint 1: Latvian data subject</u>  
<u>Complaint 1: Latvian data subject</u>  


The data subject contacted the controller by e-mail (in Latvian) on 28 September 2018, followed by several follow-ups. At a certain point (not clear from decision), the data subject filed a complaint at the Latvian DPA because he wanted to receive information regarding data collected about him. The Latvian DPA transferred this complaint on 4 November 2019 to the Estonian DPA. The DPA also send several inquiries to the controller in 2020. The controller stated that the data subject had already received the requested data and information on 28 October 2018. The controller also explained that it declined a request to change the data subject's e-mail address, because a specific (undisclosed) word could infringe the controller's trade mark rights.  
The data subject contacted the controller by e-mail (in Latvian) on 28 September 2018, followed by several follow-ups. At a certain point (not clear from decision), the data subject filed a complaint at the Latvian DPA because he wanted to receive information regarding data collected about him. The Latvian DPA transferred this complaint on 4 November 2019 to the Estonian DPA. The DPA also send several inquiries to the controller in 2020. The controller stated that the data subject had already received the requested data and information on 28 October 2018.  


<u>Complaint 2: Polish data subject 1</u>
<u>Complaint 2: Polish data subject 1</u>


This Polish data subject sent e-mails to three different e-mail addresses on 16 may 2019, requesting access and erasure of his personal data. The data subject also used the application of the controller to request erasure. The controller deleted the account of the data subject but was not able to provide access to personal data. There seemed to be a lot of miscommunication between the data subject and the controller.  The controller stated for example that the data subject had not read the confirmation of deletion of the ''first account'', while the data subject created a ''second account'' to request erasure again. This second account was later also deleted by the controller, without providing access.  
This Polish data subject sent e-mails to three different e-mail addresses on 16 may 2019, requesting access and erasure of his personal data. The data subject also used the application of the controller to request erasure. The controller deleted the account of the data subject but was not able to provide access to personal data. There seemed to be a lot of miscommunication between the data subject and the controller.  The controller stated for example that the data subject had not read the confirmation of deletion of the ''first account'', while the data subject created a ''second account'' to request erasure again. This second account was later also deleted by the controller, without providing access. On 25 June 2019, the data subject filed a complaint at the Polish DPA, which transferred the complaint to the Estonian DPA on 2 January 2020. After several inquiries by the latter, the controller admitted that it had not been able to comply with the access request, amongst other things caused by the abundance of communication channels. The controller stated it was preferred that data subjects would submit requests using the controller’s application to be sure that requests were made by the holder of the account. After another inquiry by the DPA, the controller was able to provide the data subject with the requested information.  
 
On 25 June 2019, the data subject filed a complaint at the Polish DPA, which transferred the complaint to the Estonian DPA on 2 January 2020. After several inquiries by the latter, the controller admitted that it had not been able to comply with the access request, amongst other things caused by the abundance of communication channels. The controller stated it was preferred that data subjects would submit requests using the controller’s application to be sure that requests were made by the holder of the account. After another inquiry by the DPA, the controller was able to provide the data subject with the requested information.


<u>Complaint 3: Polish data subject 2</u>
<u>Complaint 3: Polish data subject 2</u>


On 5 January 2019, the second Polish data subject requested  the controller to erase her personal data. However, the controller asked for a picture of the data subject with her ID in order to complete the deletion. The data subject filed a complaint with the Polish DPA on 4 February 2019. It is not clear when the decision was transferred to the Estonian DPA. After an inquiry by the latter, the controller explained that it had reasonable doubt about the identity of the data subject and was therefore allowed to request additional information to confirm the identity of the data subject ([[Article 12 GDPR|Article 12(6) GDPR)]]. The data subject contacted the controller through e-mail. For requests made through the controller's application, ID-verification was not required. The controller also clarified that its legal basis for processing the image and the ID-card was legitimate interest and that this ID-verification would prevent fraud deleting the data of the wrong data subject. The controller also confirmed that it had already deleted the account of the data subject on 22 October 2019.  
On 5 January 2019, the second Polish data subject requested  the controller to erase her personal data. However, the controller asked for a picture of the data subject with her ID in order to complete the deletion. The data subject filed a complaint with the Polish DPA on 4 February 2019. It is not clear when the decision was transferred to the Estonian DPA. After an inquiry by the latter, the controller explained that it had reasonable doubt about the identity of the data subject and was therefore allowed to request additional information to confirm the identity of the data subject ([[Article 12 GDPR#6|Article 12(6) GDPR)]]. The data subject contacted the controller through e-mail. For requests made through the controller's application, ID-verification was not required. The controller also clarified that its legal basis for processing the image and the ID-card was legitimate interest and that this ID-verification would prevent deleting the data of the wrong data subject. The controller also confirmed that it had already deleted the account of the data subject on 22 October 2019.  


=== Holding ===
=== Holding ===
<u>Complaint 1: Latvian Data subject</u>   
<u>Complaint 1: Latvian Data subject</u>   


The DPA determined that the controller had provided the requested information to the data subject but that the processing could have been more transparent. The controller had to make its replies more clear in general. Specifically, it had to reply in depth about ''what'' data has been collected, ''how'' data was collected, ''when'' data was collected and ''through what information channels''. Because of the fact that the controller provided more specific answers after inquiries of the DPA, the latter found a reprimand pursuant of [[Article 58 GDPR|Article 58(2)(b)]] GDPR appropriate. The DPA also stated that the controller did not have to change the email address because it could infringe its copyright.
The DPA determined that the controller had provided the requested information to the data subject but that the processing could have been more transparent. The controller had to make its replies more clear in general. Specifically, it had to reply in depth about ''what'' data has been collected, ''how'' data was collected, ''when'' data was collected and ''through what information channels''. Because of the fact that the controller provided more specific answers after inquiries of the DPA, the latter found a reprimand pursuant of [[Article 58 GDPR#2b|Article 58(2)(b)]] GDPR appropriate. The DPA also stated that the controller did not have to change the email address because it could infringe its copyright.


<u>Complaint 2: Polish data subject</u>
<u>Complaint 2: Polish data subject</u>


The DPA stated that the abundance of communication channels had created communication problems. It was therefore reasonable for the controller to direct customers with an account to submit their requests using the application. The DPA determined that the personal data had been handed to the data subject and was deleted afterwards. The DPA still stated that the controller could have been more transparent about its processing. The controller should have been been more precise when answering data subject's requests. The DPA stated that the controller was able to provide personal data to an identified data subject, and that it was not necessary for the DPA to start a procedure to achieve this. Despite the fact that the controller provided the information, the DPA deemed it necessary to reprimand the controller pursuant of [[Article 58 GDPR|Article 58(2)(b) GDPR]] because the data subject was entitled to ask about information collected about them, and the controller had to reply to the data subject within one month ([[Article 12 GDPR|Article 12(3) GDPR]]). On the mitigating side, the reprimand was also reasonable because the controller had responded to the complainant and had cooperated with the DPA.   
The DPA stated that the abundance of communication channels had created communication problems. It was therefore reasonable for the controller to direct customers with an account to submit their requests using the application. The DPA determined that the personal data had been handed to the data subject and was deleted afterwards. The DPA still stated that the controller could have been more transparent about its processing. The controller should have been been more precise when answering data subject's requests. The DPA stated that the controller was able to provide personal data to an identified data subject, and that it was not necessary for the DPA to start a procedure to achieve this. Despite the fact that the controller provided the information, the DPA deemed it necessary to reprimand the controller pursuant of [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] because the data subject was entitled to ask about information collected about them, and the controller had to reply to the data subject within one month ([[Article 12 GDPR#3|Article 12(3) GDPR]]). On the mitigating side, the reprimand was also reasonable because the controller had responded to the complainant and had cooperated with the DPA.   


<u>Complaint 3: Polish data subject</u>
<u>Complaint 3: Polish data subject</u>


The DPA confirmed that the account of the data subject had been deleted, so the breach was eliminated. However, the DPA stated again that the data processing could have been more transparent. The controller should have explained the legal grounds of its processing for the ID card better and it should have explained why it was necessary to request an ID card. However, without prejudice to [[Article 11 GDPR|Article 11 GDPR,]] the controller was allowed to request additional information to verify the identity of a data subject pursuant to [[Article 12 GDPR|Article 12(6) GDPR]] when it has reasonable doubt about the identity. The DPA also stated that the abundance of communication channels had made it more difficult for the controller to identify users outside the application. It was therefore reasonable to direct customers with an account to use the application for requests. The DPA also reprimanded the controller ([[Article 58 GDPR|Article 58(2)(b) GDPR]]). The reprimand was again deemed appropriate because the controller provided more specific answers to the complaint after inquiries of the DPA.   
The DPA confirmed that the account of the data subject had been deleted, so the breach was eliminated. However, the DPA stated again that the data processing could have been more transparent. The controller should have explained the legal grounds of its processing for the ID card better and it should have explained why it was necessary to request an ID card. However, without prejudice to [[Article 11 GDPR|Article 11 GDPR,]] the controller was allowed to request additional information to verify the identity of a data subject pursuant to [[Article 12 GDPR#6|Article 12(6) GDPR]] when it has reasonable doubt about the identity. The DPA also stated that the abundance of communication channels had made it more difficult for the controller to identify users outside the application. It was therefore reasonable to direct customers with an account to use the application for requests. The DPA also reprimanded the controller ([[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]). The reprimand was again deemed appropriate because the controller provided more specific answers to the complaint after inquiries of the DPA.   


== Comment ==
== Comment ==
Line 104: Line 102:
Regarding the investigation of the first complaint, the Estonian DPA stated that it had difficulty acquiring information and translations from the Latvian DPA. It was not able to understand the contents of the original request of the data subject. It does not become clear in this decision whether or not the Latvian DPA actually provided the assistance the Estonian DPA requested.   
Regarding the investigation of the first complaint, the Estonian DPA stated that it had difficulty acquiring information and translations from the Latvian DPA. It was not able to understand the contents of the original request of the data subject. It does not become clear in this decision whether or not the Latvian DPA actually provided the assistance the Estonian DPA requested.   


In all three complaints, the DPA issues a reprimand under [[Article 58 GDPR|Article 58(2)(b) GDPR]]. After this, the DPA draws attention to the fact that pursuant of [[Article 5 GDPR|Article 5(1)(a) GDPR]], data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It was also important that persons are not provided with misleading information concerning the processing of data (including the deletion of data). The DPA also reiterated the data subject’s right of erasure under [[Article 17 GDPR]] at the end of all of the three complaints.   
In all three complaints, the DPA issues a reprimand under [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. After this, the DPA draws attention to the fact that pursuant of [[Article 5 GDPR#1a|Article 5(1)(a) GDPR]], data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It was also important that persons are not provided with misleading information concerning the processing of data (including the deletion of data). The DPA also reiterated the data subject’s right of erasure under [[Article 17 GDPR]] at the end of all of the three complaints.   


== Further Resources ==
== Further Resources ==

Latest revision as of 10:27, 13 December 2023

AKI - 18.02.2097
LogoEE.png
Authority: AKI (Estonia)
Jurisdiction: Estonia
Relevant Law: Article 5(1) GDPR
Article 5(1)(a) GDPR
Article 12(6) GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started: 04.11.2019
Decided: 18.02.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 18.02.2097
European Case Law Identifier: EDPBI:EE:OSS:D:2022:333
Appeal: Not appealed
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: Enzo Marquet

In an Article 60 GDPR procedure, the Estonian DPA handled three complaints regarding the same controller. The DPA reprimanded the controller for not adequately responding to data subject's requests. The authority also held that requesting an ID for verification purposes is acceptable when there is reasonable doubt about the data subject's identity (Article 12(6) GDPR).

English Summary

Facts

The Estonian DPA (DPA) acted as a lead supervisory authority for three different complaints regarding the same controller. Although not specifically disclosed, the controller seemed to be a transportation service.

Complaint 1: Latvian data subject

The data subject contacted the controller by e-mail (in Latvian) on 28 September 2018, followed by several follow-ups. At a certain point (not clear from decision), the data subject filed a complaint at the Latvian DPA because he wanted to receive information regarding data collected about him. The Latvian DPA transferred this complaint on 4 November 2019 to the Estonian DPA. The DPA also send several inquiries to the controller in 2020. The controller stated that the data subject had already received the requested data and information on 28 October 2018.

Complaint 2: Polish data subject 1

This Polish data subject sent e-mails to three different e-mail addresses on 16 may 2019, requesting access and erasure of his personal data. The data subject also used the application of the controller to request erasure. The controller deleted the account of the data subject but was not able to provide access to personal data. There seemed to be a lot of miscommunication between the data subject and the controller. The controller stated for example that the data subject had not read the confirmation of deletion of the first account, while the data subject created a second account to request erasure again. This second account was later also deleted by the controller, without providing access. On 25 June 2019, the data subject filed a complaint at the Polish DPA, which transferred the complaint to the Estonian DPA on 2 January 2020. After several inquiries by the latter, the controller admitted that it had not been able to comply with the access request, amongst other things caused by the abundance of communication channels. The controller stated it was preferred that data subjects would submit requests using the controller’s application to be sure that requests were made by the holder of the account. After another inquiry by the DPA, the controller was able to provide the data subject with the requested information.

Complaint 3: Polish data subject 2

On 5 January 2019, the second Polish data subject requested the controller to erase her personal data. However, the controller asked for a picture of the data subject with her ID in order to complete the deletion. The data subject filed a complaint with the Polish DPA on 4 February 2019. It is not clear when the decision was transferred to the Estonian DPA. After an inquiry by the latter, the controller explained that it had reasonable doubt about the identity of the data subject and was therefore allowed to request additional information to confirm the identity of the data subject (Article 12(6) GDPR). The data subject contacted the controller through e-mail. For requests made through the controller's application, ID-verification was not required. The controller also clarified that its legal basis for processing the image and the ID-card was legitimate interest and that this ID-verification would prevent deleting the data of the wrong data subject. The controller also confirmed that it had already deleted the account of the data subject on 22 October 2019.

Holding

Complaint 1: Latvian Data subject

The DPA determined that the controller had provided the requested information to the data subject but that the processing could have been more transparent. The controller had to make its replies more clear in general. Specifically, it had to reply in depth about what data has been collected, how data was collected, when data was collected and through what information channels. Because of the fact that the controller provided more specific answers after inquiries of the DPA, the latter found a reprimand pursuant of Article 58(2)(b) GDPR appropriate. The DPA also stated that the controller did not have to change the email address because it could infringe its copyright.

Complaint 2: Polish data subject

The DPA stated that the abundance of communication channels had created communication problems. It was therefore reasonable for the controller to direct customers with an account to submit their requests using the application. The DPA determined that the personal data had been handed to the data subject and was deleted afterwards. The DPA still stated that the controller could have been more transparent about its processing. The controller should have been been more precise when answering data subject's requests. The DPA stated that the controller was able to provide personal data to an identified data subject, and that it was not necessary for the DPA to start a procedure to achieve this. Despite the fact that the controller provided the information, the DPA deemed it necessary to reprimand the controller pursuant of Article 58(2)(b) GDPR because the data subject was entitled to ask about information collected about them, and the controller had to reply to the data subject within one month (Article 12(3) GDPR). On the mitigating side, the reprimand was also reasonable because the controller had responded to the complainant and had cooperated with the DPA.

Complaint 3: Polish data subject

The DPA confirmed that the account of the data subject had been deleted, so the breach was eliminated. However, the DPA stated again that the data processing could have been more transparent. The controller should have explained the legal grounds of its processing for the ID card better and it should have explained why it was necessary to request an ID card. However, without prejudice to Article 11 GDPR, the controller was allowed to request additional information to verify the identity of a data subject pursuant to Article 12(6) GDPR when it has reasonable doubt about the identity. The DPA also stated that the abundance of communication channels had made it more difficult for the controller to identify users outside the application. It was therefore reasonable to direct customers with an account to use the application for requests. The DPA also reprimanded the controller (Article 58(2)(b) GDPR). The reprimand was again deemed appropriate because the controller provided more specific answers to the complaint after inquiries of the DPA.

Comment

The controller seems to be some sort of transportation service. In paragraph 13.1, it is stated that the data subject did not specify whether or not she was a 'driver or customer'.

Regarding the investigation of the first complaint, the Estonian DPA stated that it had difficulty acquiring information and translations from the Latvian DPA. It was not able to understand the contents of the original request of the data subject. It does not become clear in this decision whether or not the Latvian DPA actually provided the assistance the Estonian DPA requested.

In all three complaints, the DPA issues a reprimand under Article 58(2)(b) GDPR. After this, the DPA draws attention to the fact that pursuant of Article 5(1)(a) GDPR, data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. It was also important that persons are not provided with misleading information concerning the processing of data (including the deletion of data). The DPA also reiterated the data subject’s right of erasure under Article 17 GDPR at the end of all of the three complaints.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

INTERNALUSE ONLY
                                                             Authorityofinformation:DataProtection
                                                             Inspectorate
                                                             Markmade:18.02.2022
                                                             Access restrictionapplies to:18.02.2097
                                                             Legalground:AvTS§35lg 1p 12


Final decisionarticle 60

Data controller
Complainants                     ,                 and


      Reprimand in a personal data protection matter

      Notice of termination of proceedings

    1. Complaint of


    1.1.On 4 November 2019, the Estonian data protection authority (the Data Protection
        Inspectorate) received the complaint of                       through the IMI system,
        which was submitted to the inspectorate by the Latvian data protection authority.
                   wanted to receive information on the data collected in regard to him,
        including his contact data, location details, purposes of data processing, the processing
        method used, where and how the personal data of the complainant is retained, and when

        the data of the complainant was last changed. The Estonian DPAaskedthe Latvian DPA
        for more information about the complaint severaltimes.

   2. The correspondence betweenthe datacontrollerand the data subject

    2. In the course of the supervision proceedings,         forwarded to the inspectorate the
        emails of the complainant                    , his various requests, and the related
        metadata.


    2.1.The complainant contacted the data controller (                      ) on 28 September
        2018, using the email address                   and writing a complaint in Latvian. The
        inspectorate is not aware of the contents of the requests, due to the requests being made
        in Latvian.


    2.2.It appears to the inspectorate that    responded to the request of the complainant on
        28 October 2018 and forwarded to the complainant the documents concerning the
        complainant.

    2.3.One of the emails does not open forthe inspectorate. It appears,however, that     itself
        approached the complainant on 3 November 2018 – this correspondence also includes
                 ’ own request. Once again, the content of the requestis difficult tounderstand.


    2.4.The complainant contacted        again on 5 November 2018.

    2.5.     answeredon 7 November 2018.

    2.6.The complainant contacted       on30 November 2018. The complainant did not receive
        a reply to this request.


    2.7.The complainant contacted        again on 2 January 2019.

          Tatari39 /10134 Tallinn /627 4135 / info@aki.ee/ www.aki.ee /Registrycode70004235 2.8.     replied to the complainant’s email on 2 January 2019.

 2.9.The complainant contacted         again on 9 May 2019.         has not attached any other
     documents concerning emails.


 2.10.      Additionally,       has enclosed the complainant’s communication from 25 June
     2019, which is in Latvian. The inspectorate is unable to understand to whom the
     communication is addressed. The complainant has contacted someone also on 30 July
     2019; there is a reference in the subject line to              . The third PDFdocument
     is entitled ‘    reply’ – presumably, this document includes the response of the data
     controller to the complainant’s requests.


 2.11.      The inspectorate asked the Latvian supervisory authority for clarification twice
     to understand what specifically the complainant requested; the inspectorate also asked
     to translate the complaint in Latvian into English.

3. Inquiries of the inspectorate to

 3. The inspectorate then sent an inquiry to the data controller on 8April 2020.


 3.1.The data controller replied on 5June 2020, apologising fornot responding to the inquiry
     of the Data Protection inspectorate on time on 8 April 2020 and thanking for the
     extension of the term.

 3.2.The data controller confirmed that the user                     is identifiable by way of

     the inquiries made to the Customer Service and the emails exchanged between the
     complainant and the email address                     (                   ).

 3.3.To the knowledge of the data controller,                     does not currently have any
     active user accounts. Regardless of      ’s ability/inability to identify                 ,
     it is therefore not feasible to change the complainant’s email address. Should
                createa new accountand request thatit be linked to the aforementioned email

     address,                               reserves the right to refuse such a request, as the
     use of the word ‘    ’ in the email address may infringe       ’s rights as the holder of a
     registered trade mark, the name may be misleading because of its other components,
     and therefore, it is unjustified to acceptthe aforementioned request.

 3.4.The data controller added that, for reasons of data security, their preference is for
     customers to submit requests to close a user account and to transfer the collected data

     via in-app messages. This way, it is ensured in the best possible way that the actual
     owner of the user account is behind the request. For its part,      does its best to grant
     the requests received through other channels (email). This requires additional manual
     work on the part of the customer support, which is open to human error due to the large
     number of customers, especially if the customer uses several user accounts and more
     than one channel to make different requests. The combination of the following actions
     is likely to yield the best results: a) making the submission of data subjects’ requests

     under the General Data Protection Regulation as simple, comprehensible, and
     convenient as possible whenusing in-app messages;b) promoting the use of the app for
     the above purpose among        ’s customers, highlighting the advantages of the provided
     channel and the disadvantages of the alternative channels.

 3.5.The inspectorate forwarded a new inquiry to the data controller on 13 May 2020. The

     inspectorate requestedthat the complainant be provided with all information concerning

                                            2(11)        the complainant, including the information that the complainant referred to. A request
        was also made to submit to the inspectorate a copy of the reply to the complainant
        together with the data file issued to the complainant.

    3.6.The data controller replied on 26 May 2020 regarding the complaint made by
        as follows:


    3.7.                 was provided with data about them in CSV format on 28 October2018.
        The purposes of processing the data were described in 2018 (as is done currently in
            ’s Privacy Policy, available at                   ). The data retention response was
        forwarded to             on 7 November 2018 and the response log was sent in the
        response dated 28 October 2018. Information about                      was appended as
        an attachment to the reply given to the inspectorate.



   4. Positionof the Data ProtectionInspectorate

        4.1. The Estonian Data Protection Inspectorate finds that the data controller has
        responded to the complaint and handed out information the complainant asked.


        4.2. The data controller has cooperated with the inspectorate (provided detailed
        responses to enquiries, forwarded the emails                            exchanged with
        complainants, as well as metadata). Therefore, it would be reasonable to reprimand the
        data controller in accordance with the GDPR and terminate the proceeding.

        4.3. In regard to complaint                     , the complainant wished to receive

        information on the data collected in regardto them, including their contact data,location
        details, purposes of data processing, the processing method used, where and how the
        personal data of the complainant is retained, and when the data of the complainant was
        last changed. During the proceeding, the data controller has explained which data was
        collected in regard to complainant            and clarified that the email address of the
        complainant cannot be changed to contain an email address referring to the data
        controller, as this would entail a copyright infringement


        4.4. The data controller explained that based on the data security considerations, it is
        preferred that clients submit requests for deleting their user account or forwarding the
        data collected via in-app messages. That way, it can be best ensured that the request is
        indeed made by the actualholder ofthe useraccount.                          shall, in turn,
        do its best to support the satisfaction of requests received via other channels (email) as
        well.


        4.5. The data controller has sent the metadata to the inspection and clarified that
                 ’ user accounthas beendeleted. The data controller said that it is necessaryby
        law and with legitimate interest to retain certain data, e.g. accounting documents.

        4.6. The inspectorate finds that data processing could have been more transparent. At
        the intervention of the inspectorate, the data controller provided more detailed and

        specific answers to the complainant. This is why a reprimand is appropriate as a result
        of the proceeding.

5. Decisionofthe inspectorate inthe complaint of

        5.1. The Estonian DataProtection Inspectorate finds thatwhenprocessing personal data,

        the controller shall ensure that the data is processed lawfully, fairly, and in a transparent

                                              3(11)        manner in relation to the data subject (Article 5 (1) a) of the General Data Protection
        Regulation).       cannot be held responsible for not changing the complainant’s email
        address to                                           – it might bring up copyright issues
        because the email address refers to ‘    ’.

        5.2. In addition,     has to reply to data subjects in a more explained way, in the sense
        that the data subject receives their answer in depth about what data has been collected,
        how, when, and through what information channels.             has to make the responses

        more clear to the data subjects in general.

   6. The EstonianData ProtectionInspectorate issues areprimand to the data controller
                          underArticle 58 (2)b) of the GeneralData ProtectionRegulation
   and draws attentionto the following:

        6.1. When processing personal data, the controller shall ensure that the data is processed

        lawfully, fairly, and in a transparent manner in relation to the data subject (Article 5 (1)
        a) of the General Data Protection Regulation). It is also important that persons are not
        provided misleading information concerning the processing of data (including the
        deletion of data).

        6.2. The data subject has a right to request the deletion of, for instance, an account as
        well as other personal data concerning this person without undue delay. They also have
        the right to demand this if there is no legal basis for the processing of data. The personal

        data shall be deleted without delay pursuant to Article 17 of the General DataProtection
        Regulation.

      7. Complaint of


      7.1. On2 January 2020, the Estonian Data Protection Inspectorate received the complaint
        of                   through the IMI system, which was submitted to the inspectorate
        by the Polish data protection authority. The complainant had turned to the Polish data
        protection authority on 25 June 2019.

      7.2. According to the complaint, the citizen wanted to delete their user account and
        personal data from the      system. Prior to that, the complainant had wantedto receive

        information collected about themselves. The complainant sent aletter to        on 16 May
        2019 requesting        to delete their personal data. This letter was sent to the email
        addresses                   ,               and                  . The complainant was
        told by customer support that the deletion of data would take place through the
        application. The complainant adds that by the time of contacting      ’s Polish customer
        support, the complainant had already deleted the application. The complainant wants to
        see the data collected about the complainant.


8. The correspondence betweenthe datacontrollerand data subject

        8.1. On 16 May 2019, the data subject wrote the following to the controller:
        In accordance with the point “8.Deletion” of         “Privacy for Passengers” and in the
        article 17 of GDPR,I hereby requestto permanently delete my          account, Iwithdraw
        all consents to the processing of any of my personal data and I request to delete all data
        collected about me.

        Beforehand, in accordance with the point “9. Portability” of          “Privacy Policy for
        Passengers” andrelevant regulations of GDPR, please send to my e-mail aadress or via
        another agreedchannel all the data collected about me.


                                              4(11)        8.2.     replied on 19 May 2019 that for the account to be deleted, the request must be
        sent through the application (from           ).

        8.3. Somehow, there is a response on 16 of May 2019 from           , which says, “We are
        currently struggling with a significant number of incoming reports; out responses can
        therefore reachyou later than usual.” (It might be an automatic response).


        8.4. On 19 May 2019, the data subject sent an email to       , saying the following:
        I’m sorry, but you did not understand my request. You also did not checkthe exactstatus
        of my account (I submitted a request to delete my account in the application already on
        16 May, and especially for you, I just createdan account and re-submitted a request to
        delete it). Deleting the account is just one element of my request. I am waiting for the
        next part to be completed.

        First of all, you have not read or understood my previous message. Please read and
        understand my request from 16 May 2019, in particular regarding the erasure of
        collected data. Before that, I recommend you familiarize with your own Privacy Policy
        and provisions of GDPR.
        In the event of     failing to fulfil its statutory obligation, the matter will be refferedto
        the President of UODO (Personal Data Protection Office). Let me remind you that a
        fine up to EUR 20 million and up to 4% of the total annual turnover of the preceding

        financial year may be imposed for breaching the provisions of the GDPR.
        Please treatmy request from the previous email carefully, seriously and consider it with
        due diligence.

        8.5. On 21 May 2019, the data subject once again wrote to the data controller:
        Mrs           ,

        I assure you that I got acquinted with it. I see,however, that we do not understand each
        other, therefore I want to end my correspondence with you at this point. I consider my
        request still unsolved by the     office in Warsaw.
        I inform you that I will await for a response from competent individuals within your
        organization (i.e Data Protection Officer at                         until June 16. All
        messages in this correspondence were also sent to him and to customer support
        (             ).

        In case of further evasion of the obligation imposed by the GDPR, on 17 June 2019, an
        adequate letter will be sent to the UODO.

9. Inquiries of the inspectorate to

        9.1. The inspectorate then sent an inquiry to the data processor on 8 April 2020. The
        Polish complainant has contacted       forclarification and deletion of the data, but they

        are not satisfied with the answers provided. Polish national,          , requests a copy
        of the data collected about them and allegedly not sentto them by      . The inspectorate
        asked to forward all information and data collected on the Polish citizen,
                 . Additionally, the inspectorate requested         to delete data that could be
        deleted by       in relation to            and provide the inspectorate an explanation
        regarding this (which data was deleted).


        9.2.     replied on 5 May 2020:
        In answering this question, weaskthe DataProtection Inspectorate to specify the details
        of the transmission of the information and data collected (addressee, method and
        channel of transmission, if the Data Protection Inspectorate has any preferences in this
        regard). In particular, does the Data Protection Inspectorate: a) request that the
        information and data be provided directly to                             or b) want the

        information and data to be transmitted to an official designated by the Data Protection

                                              5(11)Inspectorate, whose personal identification code could be used by          to encrypt the
information and data transmitted? Please indicate the above preference for the
transmission of information and data no later than by 8 May 2020. In the absence of
input,      will forward the collected information and data directly to
by email no later than 8 May 2020 and will share with the Data Protection Inspectorate
the email confirming the transmission.


9.3. We have clarified in our previous cooperation with the Data Protection Inspectorate
(see our answer to inquiry 2.1-1/19/1946 of the Data Protection Inspectorate) that the
deletion process includes the following actions: -the useris logged out ofthe application
(force logout); - first name and surname are deleted (fields are left blank); - the email
address is deleted (the field is cleared); - the telephone number is replaced by a sequence
of random numbers; all communication with the customer (especially the newsletter) is

prohibited;  - the deletion command is transmitted to the associated systems
(communication platforms).

9.4. The user was identified through customer service inquiries and emails. Based on
these and      ’s information system logs, the chronology of user-related actions is as
follows:

Account 1: 06.09.2018 – creation of the account (account_no:             )

Account 1: 11.05.2019 – account deletion request (in-app request)
Account 1: 16.05.2019 – account is deleted, information is provided to the customer.
The customer does not notice the confirmation of account deletion.
Account 2: 19.05.2019 – a new request from the customer to delete the account is sent
by email and instructions for making an in-app request are sent to the user.
Account 2: 19.05.2019 – the customer creates a new account (account_no:                  )
and sends an in-app request for the new account to be deleted.

Account 2: 21.05.2019 – customer service sends an in-app confirmation message that
the account will be deleted within 30 days.
Account 2: 25.05.2019 – the new account is deleted.                     ’s inquiries were
answered, the deletion of accounts was performed more quickly than required under
Article 12 (3) of the General Data Protection Regulation.
In summary, the requests for deleting the in-app user account were granted on 16 May

2019 and25 May 2019 –however, the requestsetout in point (ii) wasdifficult to comply
with and it was not fulfilled.
The following contributed to this result: a) the abundance of communication channels
and the customer’s statements of intent; b) the fact that       ’s customer service may
have assumed that the scope of the customer’s later statement of intent (19 May 2019
in-app request) (delete only the user account) may take precedence over the scope of
the customer’s previous statement of intent (19 May 2019 email; deletion and prior

transmission of the data collected). A further analysis of the communication related to
this complaint indicates that the customer’s actual statement of intent included the
transmission of the data collected about them. Further internal investigation will allow
     to fulfil the customer’s actual request, which we want to achieve no later than 8
May 2020, by forwarding the requested data to the email address of

9.5. The inspectorate forwarded a new inquiry to        on 13 May 2020, requesting that

the inspectorate be provided with the information provided to               in connection
with their complaint. At that point, a third complaint, by      , came to the attention of
the inspectorate, and the inspectorate asked      for clarification.

9.6.      answeredon 19 May 2020 forwarding the reply sentto                         on 8
May 2020.        also included all the data that     had collected on


                                       6(11)    Regulationand draws attentionto the following:

        12.1. When processing personal data, the controller shall ensure that the data is
        processed lawfully, fairly, and in a transparent manner in relation to the data subject
        (Article 5 (1) a) of the General Data Protection Regulation). It is also important that
        persons are not provided misleading information concerning the processing of data
        (including the deletion of data).


        12.2. The data subject has a right to request the deletion of, for instance, an account as
        well as other personal data concerning this person without undue delay. They also have
        the right todemand this if there is no legal basis for the processing of data. The personal
        data shall be deleted without delay pursuant to Article 17 of the GeneralDataProtection
        Regulation.



13. Complaint of

            13.1.                 turned to the Polish data protection authority on 4 February
            2019 to delete her      account, but to do so, she was asked to provide a picture of
            herself with an ID-card. In her initial complaint to Poland, the complainant wrote

            that on 5 January 2019, she requested that            delete her personal data. The
            complainant has not specified whether she is driver or a customer. The complainant
            wrote to the email address                     .

14. The correspondence betweenthe datacontrollerand data subject

        14.1. The correspondence between the complainant and            shows that on 5 January

        2019, the complainant wrote that she wished to delete her account:
        1.1.
            5 January, 17:46 EET
                I resign. Please erase my e-mail and phone number from your database.


                5 January, 18:34 EET
                Good morning,

                Certainly, I will satisfy your request, however I would like to inquire whatis the
                reason for the resignation from our services? Are you certain you wish to delete
                your account?


                5 January, 18:42 EET
                I am certain. The reason is the multitude of notifications about discount (SMS,

                mail, app notifications).


                5 January, 19:02 EET
                The deletion of your phone number can be done only if your entire account will
                be deleted. There is a possibility to only cancelthe notifications, so they don’t
                disturb you anymore. Therefore, what do you choose, cancellation of the
                notifications or the deletion of the entire account?



                5 January, 19:04 EET
                What do you mean by ‘cancellation of notifications’?

                                              8(11)                5 January, 19:09 EET
                Right now your setting regarding the receipt of notifications and messages is
                turned on. I can turn it off, so that all the offers will be blocked. The only
                messages you will receive would be the ones concerning the confirmations of

                fares, which is required by law.


                5 January, 19:12 EET
                Ok. Please, delete my account.



                6 January, 08:29 EET
                Good morning,
                Ok, I will get to it right away. The last thing I need to ask you is your clear
                photograph with an ID card close to your face (all this data will be deleted with
                the account) so that I can confirm your identity. It is necessaryat this moment,
                so that I can continue.


                20.03.2019, the complainant further contacted the Polish data protection
                authority, explaining that they did not know where to turn. They added the
                address and contacts of the data controller, noting that the violation related to
                their contact details.



15. Inquiries of the Inspectorate to

        15.1. The Inspectorate sent an inquiry to the data controller on 13 May 2020 as to the
        legal basis on which the complainant is obliged submit a picture of themselves together
        with their ID-cardto delete their      account.

        15.2.      replied on 26 May 2020:

        ‘Pursuant toArticle 12 (6) of the GDPR, where the data controller has reasonable doubts
        concerning the identity of the natural person making the request, the controller may
        request the provision of additional information necessaryto confirm the identity of the
        data subject. The legal basis for processing the image and the ID-card is the legitimate
        interest of     as the data controller. Providing a picture and ID-card helps to prevent
        fraud and allows to identify the person requesting the deletion of the account. This will
        also prevent a potentially more significant violation that would result from the deletion

        of data at the request of the wrong person. However,          prefers to receive the data
        subject’s request for deletion through the application, which does not require additional
        information. Additional information in the form ofa picture andID-cardis required only
        if identification inside the application is unsuccessful.
                      ’s account has been deleted as at22 October 2019.”



16. Positionofthe Data ProtectionInspectorate

        16.1. The Estonian Data Protection Inspectorate finds that the data controller has
        responded to the complainant and cooperated with the inspectorate (provided detailed
        responses to enquiries, forwarded the emails                             exchanged with
        complainants, as well as metadata). Therefore, it would be reasonable to reprimand the

        data controller in accordance with the GDPR and terminate proceedings regarding the

                                              9(11)        complainant.

        16.2. The data controller explained that based on the data security considerations, it is
        preferred that clients submit requests for deleting their user account or forwarding the
        data collected via in-app messages. That way, it can be best ensured that the request is
        indeed made by the actualholder of the useraccount.                        shall, in turn,

        do its best to support satisfaction of requests received via other channels (email) aswell.

        16.3. The account of                 has beendeleted, sothe breachhas beeneliminated.

        16.4. The inspectorate finds that data processing could have been more transparent. At
        the intervention of the inspectorate, the data controller provided more detailed and
        specific answers to the complainant. The data controller should have beenclearer about

        the factwhy and on what legal grounds it is necessaryto present anID-card. Therefore,
        a reprimand to the data controller is needed. This is why a reprimand is appropriate as
        a result of the proceeding.

        The complaints have indicated that if the data subject takes the necessary steps
        inside the application to express theirwill, be it to access the data collected, close

        the account, or make any otherrequest, communicationbetweenthe data subject
        and       will then function better. The abundance of communication channels has
        createdcommunication problems. Itis also more difficult to identify the user and
        their identity when the communication takes place outside the application.
        Therefore, it is reasonable for        to direct customers with an account to make
        theirdeclarations of intentthrough the application.



17. Decisionconcerning                      complaint

        17.1. Concerning                     ’s   complaint,  The Estonian Data Protection
        Inspectorate finds that     has the right to ask for the ID-cardpursuant toArticle 12 (6)
        of the GDPR.         has made clear that without prejudice to Article 11, where the
        controller has reasonable doubts concerning the identity of the natural person making
        the request referred to in Articles 15 to 21, the controller may request the provision of

        additional information necessaryto confirm the identity of the data subject.

        17.2. The data controller also has made clear that it does not ask for an ID-card when
        the inquiries are made in the application and are completed successfully. An ID-card is
        requested when the inquiries in the application have failed.      only asked for the ID-
        card to protect sensitive information collected about the complainant. The data
        controller had to make sure that the person asking information is really the real user.

        The data controller has made an effort to protect the data. However, the data controller
        has to explain exactly why and on what legal grounds the ID-cardis being asked.

18. The Estonian Data ProtectionInspectorate issuesa reprimand to the data controller
                       under Article 58 (2) b) of the General Data Protection Regulation
and draws attentionto the following:


        18.2. When processing personal data, the controller shall ensure that the data is
        processed lawfully, fairly, and in a transparent manner in relation to the data subject
        (Article 5 (1) a) of the General Data Protection Regulation). It is also important that
        persons are not provided misleading information concerning the processing of data
        (including the deletion of data).



                                             10 (11)        18.2. The data subject has a right to request the deletion of, for instance, an account as
        well as other personal data concerning this person without undue delay. They also have
        the right to demand this if there is no legal basis for the processing of data. The personal

        data shall be deleted without delay pursuant to Article 17 of the General DataProtection
        Regulation.

        18.3. The controller is obligated to explain why certaindocuments are required from the

        complainant (e.g.             ). The data controller could have explained to the
        complainant in more detail why and under what legal basis they requested them to
        provide a copy of their ID-card. This could have prevented the submission of a
        complaint to the supervisory authority.



In view of the above, we shall terminate the supervisory proceeding.

This decision may be challenged within 30 days by submitting one of the two:

    -   A challenge to the Director General of the Estonian Data Protection Inspectorate
        pursuant to the Administrative Procedure Act , or
    -   Anappealto anadministrative court under the Code ofAdministrative Court Procedure         2
        (in this case,the challenge in the same matter canno longer be reviewed).



Respectfully



Lawyer
Authorised by the Director General































1
2https://www riigiteataja.ee/en/eli/527032019002/consolide
 https://www riigiteataja.ee/en/eli/512122019007/consolide

                                               11(11)