DPC - C-XX-X-XX Groupon International Limited - December 2020
DPC - C-XX-X-XX Groupon International Limited - December 2020 | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(c) GDPR Article 6(1) GDPR Article 12(2) GDPR Article 12(6) GDPR Article 17(1) GDPR Article 60(2) GDPR Article 60(3) GDPR Article 60(4) GDPR Section 109(2) |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 16.12.2020 |
Published: | |
Fine: | None |
Parties: | Groupon International Limited |
National Case Number/Name: | C-XX-X-XX Groupon International Limited - December 2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | Data Protection Commission (in EN) |
Initial Contributor: | Cellular |
The Irish DPA found that Groupon infringed the principle of data minimisation (Article 5(1)(c) GDPR) by requiring the complainant to verify their identity by submitting a copy of a national ID document when a less data-driven solution to the question of identity verification was available. The DPC also found that Groupon infringed Articles 12(2),17(1)(a) and 6(1) GDPR.
English Summary
Facts
Acting in its capacity as lead supervisory authority, the Irish DPA (DPC) commenced an examination of a complaint originally received by the Polish DPA. The complaint concerned cross-border processing in which the DPC was competent to act as lead SA.
This complaint concerned Groupon’s practice at the time of the complaint of requiring data subjects to verify their identity with an electronic copy of a national identity card. This requirement applied when data subjects made certain requests, including requests for erasure of personal data, but the requirement did not apply when data subjects created a Groupon account.
Holding
The decision found that Groupon infringed the principle of data minimisation in Article 5(1)(c) GDPR by requiring the complainant to verify their identity by submitting a copy of a national ID document in circumstances where a less data-driven solution to the question of identity verification (namely by way of confirmation of email address) was available to Groupon.
The decision also found that Groupon infringed Articles 12(2),17(1)(a) and 6(1) in the circumstances of the complainant’s case.
The decision also reprimanded Groupon in respect of the infringements.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.