DSB - DSB-D122.970/0004-DSB/2019

From GDPRhub
DSB - DSB-D122.970/0004-DSB/2019
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 17 GDPR
Type: Complaint
Outcome: Upheld
Decided: 21. 5. 2018
Published: n/a
Fine: None
Parties: Anonymous
National Case Number: DSB-D122.970/0004-DSB/2019
European Case Law Identifier: ECLI:AT:DSB:2019:DSB.D122.970.0004.DSB.2019
Appeal: n/a
Original Language:

German

Original Source: RIS (in DE)

The DSB issued a decision related to the righ to be forgotten: to exercise this right, the controller may not require more data than the ones previously asked to the data subject.

English Summary[edit | edit source]

Facts[edit | edit source]

An online user has registered with his own email address and his wife's first name on a webpage. Despite the fact that no further information was required by the page, he added the gender "female" bis ZIP code and a phone number. Later, he requested the account to be deleted.

While assessing the deletion request, the controller realised that the name and gender of the user did not match with the data provided. Thus, the controller asked the data subject to fill out a form (that was provided on the webpage of the Austrian DPA) and required to provide further data and to sign it as a form of identification.

Being unhappy with these adaptational request of information, the data subject filed a complaint with the DSB.

Dispute[edit | edit source]

Can a controller require further information for verification purposes, if the controller has no internal data to match it with?

Holding[edit | edit source]

In the view of the DSB the controller of the webpage has de facto allowed pseudononymous profiles, as users only need to provide a valid email, but may choose any unverified first name they wish to use (here a female first name).

The controller may not require more than the previously provided data to verify a data subject (here the email and for example the password).

Therefore, the complainant's right to erasure was violated. The controller was ordered to delete the data. No fine was issued.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the German original for more details.


Page areas:

    To content (Accesskey 0)
    To the navigation bar (Accesskey 1)
    Home (Accesskey 5) Contact (Accesskey 6) Sitemap (Accesskey 7) Imprint (Accesskey 8) Deutsch (Accesskey 9) 

Legal Information System of the Federal Government
Navigation bar:

    Federal law
    National law
    Local law
    Judicature
    Other announcements, decrees
    Total query

Data Protection Authority
Print preview (Accesskey D).
Decision text DSB-D122.970/0004-DSB/201...

    Display legal records Display legal records and decision text 

Accompanying documents

Main document
    web page
    PDF document
    RTF document

Decisive authority
Data Protection Authority
Document type
Decision text
Decision type
Notice of appeal
Business figures
DSB-D122.970/0004-DSB/2019
Decision date
08.11.2019
Contestation before the BVwG/VwGH/VfGH
This decision is final.
Standard
DSG §24 Abs5
DSGVO Art4 Z1
DSGVO Art4 Z2
DSGVO Art4 Z5
DSGVO Art11 Abs1
DSGVO Art11 Abs2
DSGVO Art12 Abs2
DSGVO Art17 Abs1
DSGVO Art58 Abs2 litc
Text

GZ: DSB-D122.970/0004-DSB/2019 of 8.11.2019

Note Processor: Names and companies, legal forms and product names, addresses (including URLs, IP and e-mail addresses), file numbers (and the like), etc., as well as their initials and abbreviations may be abbreviated and/or changed for reasons of pseudonymisation. Obvious spelling, grammar and punctuation errors have been corrected].

DECISION

SAYING

The data protection authority decides on the data protection complaint of Roland A*** (complainant) from **** V***stadt of 4 June 2018 (in the version of the rectification of defects of 7 June 2018) against N*** Online-Services Gesellschaft mbH & Co KG (respondent) from **** D***stadt, represented by R*** T*** Rechtsanwälte Ges.m.b.H. from **** B***, for violation of the right to deletion as a result of the rejection of the complainant's request of 26 May 2018 for the deletion of his data by notification of 4 June 2018 as follows:

1. the complaint is upheld and it is established that the defendant has infringed the complainant's right to deletion by failing to comply with his request for deletion of the user profile designated by the "unique identifier" "Petra" + "j***@***isp.at" of 28 May 2018 and instead informed the complainant by e-mail of 4 June 2018 that the complainant's data had been deleted Instead, by e-mail of 4 June 2018, he asked the complainant to fill in a form, providing his full name and address details and information on previous contacts ("customer number, figures from previous procedures, personnel number or similar") or to submit unspecified "documents" to confirm his identity.

2. the respondent is instructed to delete the user profile designated by the "unique identifier" "Petra" + "j***@***isp.at" with all data stored in connection therewith within a period of two weeks, otherwise it will be executed.

Legal basis: Article 4 lines 1, 2 and 5, Article 11 paragraphs 1 and 2, Article 12 paragraph 2, Article 17 paragraph 1 and Article 58 paragraph 2 lit. c of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 June 2016/679 on the protection of individuals with regard to the processing of personal data by the competent authorities of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (Basic Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88 as amended (hereinafter referred to as DSGVO), in conjunction with Section 24 (5) of the Data Protection Act (Datenschutzgesetz (DSG), Federal Law Gazette I No. 165/1999 as amended.

REPORTINGS

A. Arguments of the parties and procedure:

1 In his complaint of 4 June 2018 (as improved by an amendment of 7 June 2018 following the mandate of the data protection authority to remedy the deficiencies), the complainant submitted that the defendant made it difficult (and infringed) his right to deletion in an unacceptable manner by requiring proof of identity by filling in and signing a comprehensive form before carrying out the deletion of his data requested by him by e-mail on 26 May 2018, in reply to his letter of 4 June 2018. It was to be assumed that the reason for this was that the respondent had endeavoured to keep as large a database as possible.

2 The respondent, represented by R*** T*** Rechtsanwälte Ges.m.b.H. from B***, submitted in its statement of 25 June 2018 that it operates a classified ad portal with more than 4 million users. In order to register as a user, it is only necessary to provide a first name and an e-mail address. Both data would be used in combination as "unique identifier". In his request for cancellation, the complainant had now only provided the surname "A***" and the e-mail address "j***@***isp.at". However, this e-mail address was neither linked to the surname "A***" nor to the first name "Roland" in the relevant data processing of the defendant, but to the first name "Petra". Therefore, there were reasonable doubts as to the identity of the present complainant with the user whose data he had requested to be deleted. For this reason, the respondent had been entitled to demand proof of identity in the form requested. The reason for this procedure was not the endeavour to be able to identify as many users as possible, but to prevent interference with the rights of third parties, which the complainant had also been informed of. The chosen procedure was in accordance with both the DSG 2000 and the DSGVO. For the future, it was planned to implement an automatic deletion procedure that would enable registered and logged in users to carry out the deletion themselves via a "privacy dashboard".

3 After hearing the parties to the respondent's submissions, the complainant replied (here in his corresponding e-mail, like all of the complainant's e-mails sent from the e-mail address "j***@***isp.at", drawing as "Petra and Roland A***") in his opinion of 7 July 2018 as follows: The e-mail address used was registered in the name of Roland A*** and was used by him and his wife Petra. "For reasons of data protection", the name "Petra" had been given when registering as a user with the respondent. The respondent unjustifiably demanded "concretisation of identity" when data were deleted, which had been neglected during registration (or when a new password had been requested in the meantime). He would have been prepared at any time to give his wife's first name or the password used, and the proof of identity requested by the respondent by sending a form with a handwritten signature was in comparison even less suitable to dispel doubts about his identity with the authorised user.

B. Object of complaint:

The subject matter of the complaint is the question of whether the respondent was right to make the execution of the deletion of his user data requested by the complainant dependent on proof of identity in the form of the sending of a form signed by the respondent with his own hand, including name and address data, or whether the complainant's right to deletion pursuant to Article 17 DSGVO has been violated by this.

C. Establishment of facts:

5 The respondent, a company with its head office in Austria (**** D***stadt) and organised in the legal form of a limited partnership (registered in the commercial register by the ****gericht **** D***stadt to FN 3*2*4*r), operates an online classified advertising portal ("[Comment of the editor: cited self-designation of the respondent removed for reasons of pseudonymisation]"), which is accessible at the URL https://www.n***.at.

Assessment of evidence: These findings are based on the credible and undisputed information provided by the respondent, the publicly accessible company register and the access to the respondent's website (last accessed on 8 November 2019), in particular the data protection declaration accessible there (https://www.n***.at / data protection declaration).

6. the complainant is registered with the respondent as a user (account holder). The registration was carried out in accordance with the Respondent's General Terms and Conditions of Business (version of 7 July 2011 https://www.n***.at/agb), which were valid then and are still valid today, and in accordance with the Data Protection Declaration valid at the time of the present decision (of August 2019, https://www.n***.at/data protection declaration; point 2.2.1.: "Mandatory information is only first name and e-mail address"), at a time not further specified online without proof of identity by stating the first name "Petra" (this is the first name of the complainant's wife) and with the e-mail address "j***@***isp.at". In addition, the complainant voluntarily entered the gender "female", a telephone number, postcode and place of residence in the user profile associated with the account. First name and e-mail address serve as "unique identifiers" to verify the authorization to use the account.

Evaluation of evidence: As before with regard to the legal framework established by the respondent; in all other respects, the findings are based on the credible and undisputed statements of the complainant and the documents submitted by him (printout of the user profile, enclosure to the statement of 7 July 2018). The findings on the use of data as "unique identifier" are based on the defendant's submissions in the opinion of 25 June 2018, introductory part in Journal of Cases: DSB-D122.970/0003-DSB/2018.

7 On 28 May 2018, the complainant had decided to delete the data of his account and user profile. It was not possible to carry out the deletion himself online. Instead, the respondent offered to download a form from the website of the data protection authority (title: "Request to the responsible person Right of deletion Art.17.pdf"). This form provided for proof of identity by providing full name and address details and information on previous contacts ("customer number, figures from previous proceedings, personnel number or comparable") or the submission of unspecified "documents".

Assessment of evidence: As before, the cited form was submitted as an annex to the complaint of 4 June 2018.

8 The complainant subsequently sent the following message on 28 May 2018 from the e-mail address "j***@***isp.at" to the defendant's e-mail address "datenschutz@n***.at

"Good afternoon,

either you delete my data immediately and inform me about it, or I am forced to contact the data protection officer. This hurdle you have set up is not provided for by law. However, you are welcome to come and see me and check my identity.

A***“ (formatting not reproduced 1:1)

9 To which the respondent replied by e-mail on 4 June 2018 as follows:

"Clara (N*** Privacy Policy)

June 4, 07:54 CEST

Dear n***user,

Thank you very much for your message.

As only the person concerned, identified or identifiable by the personal data to be deleted, is entitled to claim and we wish to avoid any abusive exercise of rights, we ask you to fill in the attached form and send it to us.

It goes without saying that this data will be treated confidentially and will not be used for any other purpose than the identification and documentation of the deletion.

Please bear in mind that with this profile deletion all your data will be irrevocably deleted and we can only accept deletion requests from the e-mail address to be deleted.

By submitting the above-mentioned form, you assure us that you have the authority to make a deletion request for the account in question.

If you have any further questions, please do not hesitate to contact us.

Sincerely yours,

N*** Data protection team

Annexes

Request to the person in charge Right of cancellation Art 17.pdf" (formatting not reproduced 1:1)

10 In response, the complainant filed the present complaint for violation of his right of cancellation on the same day.

Assessment of evidence: As before, as well as the contents of the complaint under item 10. DSB-D122.970; the quoted e-mail exchange originates from the enclosures to the complaint of 4 June 2018.

D. From a legal point of view, the following follows:

Sum:

11. the complaint has been found justified.

Applicable law:

12 Since the facts of the case to be examined here, beginning with the complainant's request for the deletion of his data of 28 May 2018, occurred entirely after 25 May 2018, this Regulation of Union Law is to be applied pursuant to Article 99.2 of the DPA and pursuant to Article 69.7 of the DPA the DPA in the version of Federal Law Gazette I no. 24/2018.

13 The following provisions of the DSGVO shall apply to issues relating to the verification and proof of the identity of a data subject in order to exercise his/her rights:

"Article 4

Definitions

For the purposes of this Regulation

(1) 'personal data' means any information relating to an identified or identifiable natural person (hereinafter referred to as 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an on-line identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

(2) 'processing' means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

3) "Restriction of processing" [...];

four, "profiling"..;

(5) 'pseudonymisation' means the processing of personal data in such a way that the personal data cannot be related to a specific data subject without the use of supplementary information, provided that this supplementary information is kept separate and is subject to technical and organisational measures ensuring that the personal data is not related to an identified or identifiable natural person; [...]".

"Article 11

Processing for which the identification of the data subject is not necessary

1. Where the purposes for which a controller processes personal data do not or no longer require the identification of the data subject by the controller, the controller shall not be obliged to keep, obtain or process additional information to identify the data subject for the sole purpose of complying with this Regulation.

2. Where, in cases referred to in paragraph 1 of this Article, the controller is able to demonstrate that he is unable to identify the data subject, he shall inform the data subject accordingly, where possible. In such cases, Articles 15 to 20 shall not apply unless, in order to exercise the rights laid down in those Articles, the data subject provides additional information enabling him to be identified.

"Article 12

Transparent information, communication and modalities for the exercise of

Rights of the data subject

(1) […]

2. The controller shall facilitate the exercise of the rights of the data subject pursuant to Articles 15 to 22; in the cases referred to in Article 11(2), the controller may refuse to act on the data subject's request to exercise his rights pursuant to Articles 15 to 22 only if he establishes that he is not in a position to identify the data subject. […]“

Applied to the established facts, it follows that

14 It is established that the respondent is processing data of the complainant pursuant to Art. 4 No. 1 and 2 DPA. The complainant, as a user (and customer of the respondent), entered this data himself into the (online) system used for data processing by the respondent.

15 Since the respondent had no intention of identifying the complainant when processing the respondent's data, i.e., the existence and relevant legal identity (conformity) of the complainant as a natural person (cf. 4 no. 5 DPA also speaks of a "specific data subject") with the "online person" represented in the created user profile and to store corresponding data (such as full name data, date of birth or a verifiable home address), pseudonymised data pursuant to Article 4 no. 5 DPA were available from the outset in the view of the respondent. Although it would have been conceivable to identify the complainant by collecting additional data, the respondent has, however, what is decisive from the point of view of the data protection authority, expressly made it possible for its users, as the persons affected by the processing, to create pseudonymous user profiles by not requiring any proof of identity when registering. From the outset, the respondent thus refrained from identifying the complainant as a specific data subject within the meaning of Article 11.1 of the DPA. Until the time of the request for cancellation, the complainant was, as it were, only a pseudonym, first name and e-mail address in its user database.

Under Article 12.2 of the DSGVO, the respondent [editor's note: in the original, due to a clerical error "complainant"] has an express duty to facilitate the exercise of the right of cancellation by the person concerned. The data subject may only be identified to the extent that this is necessary in order to check the entitlement to exercise the right of cancellation. In the present case, the stored profile data will be used for the requested deletion of a pseudonymous user profile. A pseudonymous user can identify himself by knowing the login data (user ID, password), by giving details of the stored data content of the profile or by proving his power of disposal over the mailbox whose e-mail address was given during registration. No new data (such as first name, surname, residential address, a copy of an identity card or the graphic image of a handwritten signature) need be collected for this purpose (cf. Art. 11 para. 1 DSGVO). Moreover, these would not be suitable at all for the intended purpose of identity verification, since no comparative data are stored at the respondent's premises whose identity (conformity) could be verified with the newly collected data. The complainant has rightly pointed this out.

17) In the case of an appeal, the complainant could have been requested by the respondent to provide both parts of the "unique identifier", i.e. first name and registered e-mail address, which the respondent so designated.

18 By not contenting itself with this, but insisting on the completion of an extensive form (which is based on the normal case of processing the data of identified, non-pseudonymous natural persons), the respondent infringed the complainant's right to deletion under Article 12.2 in conjunction with Article 17.1 of the DPA. This was to be established in accordance with § 24.5 sentence 1 of the Data Protection Act [editor's note: in the original, due to an editorial mistake, "§ 25.1 sentence 1 of the Data Protection Act"].

In accordance with Article 58.2 lit. c DSGVO in conjunction with Article 24.5, second sentence, DSG, the respondent was also to be instructed to delete the user profile with the complainant's data. In doing so, it had to be taken into account that the complainant had already proved in the course of the proceedings that he knew both parts of the "unique identifier", so that no corresponding condition had to be set. A period of two weeks seems reasonable and sufficient to carry out a simple data processing operation such as the deletion of a user profile.
Keywords
Deletion, right to deletion, data processing on the WWW, Internet service, pseudonymous data, user, pseudonymous user profile, identity check, identification as a condition of deletion
European Case Law Identifier (ECLI)
ECLI:AT:DSB:2019:DSB.D122.970.0004.DSB.2019
Last updated on
09.01.2020
Document number
DSBT_20191108_DSB_E122_970_0004_DSB_2019_00
To the top of the page .
About this page

    © 2020 Federal Ministry for Digitalisation and Business Location