DPC - C-XX-X-XX Groupon International Limited - December 2020

From GDPRhub
DPC - C-XX-X-XX Groupon International Limited - December 2020
LogoIE.png
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(c) GDPR
Article 6(1) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Article 17(1) GDPR
Article 60(2) GDPR
Article 60(3) GDPR
Article 60(4) GDPR
Section 109(2)
Type: Complaint
Outcome: Partly Upheld
Decided: 16.12.2020
Published:
Fine: None
Parties: Groupon International Limited
National Case Number/Name: C-XX-X-XX Groupon International Limited - December 2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Data Protection Commission (in EN)
Initial Contributor: Cellular

The Irish DPA found that Groupon infringed the principle of data minimisation (Article 5(1)(c) GDPR) by requiring the complainant to verify their identity by submitting a copy of a national ID document when a less data-driven solution to the question of identity verification was available. The DPC also found that Groupon infringed Articles 12(2),17(1)(a) and 6(1) GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

Acting in its capacity as lead supervisory authority, the Irish DPA (DPC) commenced an examination of a complaint originally received by the Polish DPA. The complaint concerned cross-border processing in which the DPC was competent to act as lead SA.

This complaint concerned Groupon’s practice at the time of the complaint of requiring data subjects to verify their identity with an electronic copy of a national identity card. This requirement applied when data subjects made certain requests, including requests for erasure of personal data, but the requirement did not apply when data subjects created a Groupon account.

Holding[edit | edit source]

The decision found that Groupon infringed the principle of data minimisation in Article 5(1)(c) GDPR by requiring the complainant to verify their identity by submitting a copy of a national ID document in circumstances where a less data-driven solution to the question of identity verification (namely by way of confirmation of email address) was available to Groupon.

The decision also found that Groupon infringed Articles 12(2),17(1)(a) and 6(1) in the circumstances of the complainant’s case.

The decision also reprimanded Groupon in respect of the infringements.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.