Datatilsynet - 2018-7320-0166

From GDPRhub
Datatilsynet - 2018-7320-0166
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(c) GDPR

Article 12(6) GDPR

Article 17 GDPR

Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 25.10.2019
Fine: none
Parties: Pandora Vs. anonymous
National Case Number: 2018-7320-0166
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Danish
Original Source: Datatilsynet (in DK)

Pandora's systemic practice to ask for identification before considering a data subject’s request is contrary to the principle of data minimisation.

English Summary[edit | edit source]

Facts[edit | edit source]

Citizen submitted a request for erasure of his personal data to the jewellery company Pandora SA according to Article 17 GDPR. The company asked him to submit his passport or driving license before considering examining his request.

Dispute[edit | edit source]

On which condition can the controller ask for an ID proof in order to respond to a deletion request?

Holding[edit | edit source]

The Datatilsynet noted that data controllers must carry out a concrete assessment on whether there is a reasonable doubt about the identity of a data subject. Pandora’s general practice to ask for identification without providing any exceptions did not comply with Articles 5(1)(c) and 12(6) GDPR. It ordered Pandora to carry out this assessment. Finally, it stressed that this is the first case where the Datatilsynet has taken a decision as the leading supervisory authority under the "one-stop shop mechanism" in connection with cross-border processing of personal data.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Danish original for more details.


One citizen complained that a company asked him to submit, for example, a passport or driver's license before it would consider his request for deletion. The Data Inspectorate found that the general procedure for ID validation did not comply with the rules, since the data controller has a duty to make a concrete assessment of whether there is reasonable doubt about the identity of the natural person.


Journal number: 2018-7320-0166


Summary
The Data Inspectorate has ruled in a case in which a UK citizen complained that Pandora A / S had asked him to submit a passport, driver's license or national identity card before Pandora would consider his request for deletion.
Pandora stated that, for security reasons, the company had established a general procedure for submitting credentials in connection with requests to exercise the rights of data subjects.
The Data Inspectorate found that Pandora's general procedure, which without exception required ID validation for processing requests for the exercise of data subjects' rights, did not comply with the Data Protection Regulation.
The Danish Data Protection Authority emphasized, among other things, that the data controller has a duty to make a concrete assessment of whether there is a reasonable doubt about the identity of the natural person when receiving requests for the exercise of data subjects' rights.
The case is the first case where the Danish Data Protection Agency has taken a decision as the lead supervisory authority under the "one-stop shop mechanism" in connection with cross-border processing of personal data.
 
Decision
 
The Data Inspectorate hereby returns to the case, whereupon, on May 30, 2018, the Complaints complained to The Information Commissioner's Office (ICO) that Pandora A / S (hereafter Pandora) has refused to delete his personal data in Pandora's systems / databases. In accordance with Article 56 of the Data Protection Regulation [1], the Data Inspectorate has been designated as the lead supervisory authority in the case.
 
1. Decision
After reviewing the case, the Data Inspectorate finds that there is reason to express criticism that Pandora's processing of personal data has not taken place in accordance with the rules of Article 12 (2) of the Data Protection Regulation. 6 and Article 5 (2). 1 (c).
The Data Inspectorate also finds grounds for issuing orders to Pandora to decide on and against complaints to decide whether the conditions for deletion pursuant to Article 17 of the Data Protection Regulation are met and, where appropriate, to delete the personal data processed on complaints. . The decision must be taken as soon as possible and no later than two weeks from today's date. The order is granted pursuant to Article 58 (2) of the Data Protection Regulation. 2 (c).
The Data Inspectorate points out that in accordance with section 41 (1) of the Data Protection Act [2]. Paragraph 2 (5) is punishable by failure to comply with an order issued by the Data Inspectorate pursuant to Article 58 (2) of the Regulation. 2 (c).
Pandora must inform the Authority when a decision has been made.
The following is a detailed examination of the case and a justification for the Danish Data Protection Agency's decision.
2. Case making
It appears from the case that on May 23, 2018, complaints contacted Pandora by requesting that it be deleted from the company's database.
In an email dated May 29, 2018, Pandora petitioned to file its request for deletion via the company’s online form.
Complainants then filled out the online form the same day, but due to technical issues, complainants took screenshots of the completed form and emailed the images of the completed form to Pandora.
On May 30, 2018, Pandora announced complaints that in order to use Pandora's processing of the deletion request - in accordance with the requirements of the online form on the website - he would have to submit credentials in the form of e.g. passport, driver's license or national identity card to enable the company to confirm his identity.
However, the complainant did not want to send a credential to Pandora, which is why Pandora did not respond to the complainant's request for deletion, as Pandora in his opinion could not confidently identify complaints without the credentials.
2.1. Pandora's remarks
Pandora has stated that the registrant fills out the form on Pandora's website, which is sent encrypted to Pandora, after which it is stored in Pandora's internal systems and handled and answered by a designated employee. Since the data subject can enter any email address in the form - including one that is not registered in Pandora's systems - the data subject will receive a confirmation email from Pandora immediately after submitting the request, with a link that the person must use to confirm the request.
Pandora has further stated that if the data subject enters an e-mail address that is not registered in the company's systems or if there are other uncertainties related to the request, Pandora's customer service department will contact the data subject for clarification.
Once the request is answered, Pandora confirms this to the data subject and the credentials attached to the form are deleted immediately after the request is processed. Thus, the identification is kept for no longer than 30 days, unless the request procedure is extended pursuant to Art. 12, par. Third
Pandora has emphasized that the data subject's credentials are used solely for identity purposes and that Pandora never asks for credentials in connection with requests that relate only to the data subject's desire to unsubscribe as a recipient of a Pandora newsletter (which he or she has signed up for).
Pandora has argued that ID validation is an important part of Pandora's "DSR procedure" (abbreviation for data subject rights procedure). In Pandora's view, the company is required to verify the data subject's identity before handling a DSR request from the person concerned. Pandora has among other things referred to recital 64 of the Data Protection Regulation, Data Protection Supervisor's Guide on the rights of data subjects, section 2.6 and report 1565 on the Data Protection Regulation, para. 4.2.2.4 (pp. 269 et seq.).


Pandora states that the company has approx. 9.7 million registered customers, and that Pandora does not have a unique identifier (such as a customer or ID number) for each individual customer that can be used to validate the customer's identity. Any personal information that Pandora has registered in the company's systems (eg name, address, e-mail address and telephone number) is according to Pandora easy to search for, for example. social media and to some extent publicly available. It is Pandora's assessment that a procedure where Pandora does not ask for credentials will pose a significant risk to Pandora's customers.
Pandora submits that, in Pandora's view, the company's procedure fulfills the requirement that the assessment of whether identification should be considered necessary must be specifically assessed in relation to the individual request. In that regard, Pandora submits that because Pandora's relationship with the company's customers is primarily an online relationship where the company does not know the natural person behind the request, the specific assessment in each case will therefore be the same. In Pandora's view, therefore, there will always be either reasonable doubt and a general risk, or there will never be any reasonable doubt or any general risk.
In light of this complexity, Pandora initially conducted a risk assessment of the company's existing setup and, on this basis, established a procedure that, in Pandora's opinion, both easily and safely safeguards the data subjects' rights, while at the same time Pandora fulfills the company's obligations under the Data Protection Regulation, including the requirements of Article 12 (2) 2 and 6, as well as the company's duty to secure the identity of the data subjects and not to unduly disclose or delete personal data.
Pandora submits that a more specific assessment is not possible in the present case because there is no specific information in the case that can be used as a valid basis for assuming that the data subject is the person he claims to be. be. Pandora submits that the request for identification in the specific case is necessary and, overall, proportionate.
Pandora also points out that, on December 4, 2018, the ICO ruled in a case materially identical to the present one. In that case, the ICO found no basis for criticizing the fact that Pandora had requested a customer to provide credentials in order to validate his or her identity prior to meeting the customer's request for deletion. The ICO considered that the request for credentials was proportionate.
 
2.2. The complainant's remarks
The complainant has generally stated that he did not want to supplement Pandora with additional personal information to respond to the request for deletion. Complaints also allege that Pandora could have contacted him via email or phone to confirm his identity.
3. Justification for the Danish Data Protection Agency's decision
It follows from Article 12 (1) of the Data Protection Regulation. 2, that the data controller must facilitate the exercise of the data subject's rights under, inter alia, Article 17 on deletion.
In accordance with Article 12 (1) of the Data Protection Regulation. 6, a data controller can, if there is reasonable doubt about the identity of the natural person making a request for e.g. deletion, request additional information needed to confirm the identity of the data subject.
Furthermore, it follows from the principles of the Data Protection Regulation for the processing of personal data that personal data include: must be sufficient, relevant and limited to what is necessary in relation to the purposes to which they are addressed, in accordance with Article 5 (2). 1 (c).
The Data Inspectorate also refers to the Article 29 Group's guidelines on the right to data portability WP242 rev.01 [3], page 14 f. the following is stated:
“There are no prescribed requirements in the Data Protection Regulation on how the data subject can be authenticated. (…) In addition, Article 12 (2) provides: 6, that if a data controller has reasoned about the identity of a data subject, he may request additional information to confirm the data subject's identity. (…) If information and data collected online are linked to pseudonyms or unique identifiers, data controllers may carry out appropriate procedures to enable a natural person to request data portability and receive information pertaining to him or her. In all cases, the data controller must establish a authentication procedure in order to be able to establish with certainty the identity of the data subject requesting his or her personal information or, more generally, exercising the rights granted by the Data Protection Regulation.
These procedures often already exist. The data subjects are often already authenticated by the data controller before entering into a contract or obtaining consent for processing. As a result, the personal data used to register the natural person at the processing can also be used as evidence to authenticate the data subject for portability purposes.
In these cases, a request for proof of the legal identity of the data subjects may be required, while verification may be relevant to assess the relationship between the information and the natural person, since such a connection does not concern the official or legal identity. In essence, the ability of the data controller to request additional information to identify a person's identity may not lead to exaggerated claims and to the collection of personal information that is not relevant or necessary to strengthen the connection between the natural person and the personal data requested. about.
In many cases, such confirmation procedures are already in place. For example, often usernames and passwords to allow natural persons access to data in email accounts, social network accounts and accounts for various other services, where natural persons choose to use some of these without disclosing their full name and identity. "


The Data Inspectorate assumes that Pandora always asks for credentials in connection with a request from a data subject who wishes to exercise his rights.


Following a review of the case, the Data Inspectorate is of the opinion that Pandora's general procedure, which without exception requires ID validation in connection with processing requests for the exercise of data subjects' rights, is not in accordance with Article 12 (2) of the Data Protection Regulation. 6 and Article 5 (2). 1 (c).
The Data Inspectorate has hereby emphasized that Article 12 (2) of the Data Protection Regulation. 6, implies that the data controller has a duty to make a concrete assessment of whether there is reasonable doubt as to the identity of the natural person in connection with the individual request for the exercise of the rights of the data subject. In this connection, the Data Inspectorate finds that the fact that online customer relationships do not mean that there will always be reasonable doubt about the identity of the natural person.


The Data Inspectorate has also emphasized that a request for additional information for the purpose of identifying the natural person must be proportionate, in accordance with Article 5 (2). Therefore, the data controller may not require more information than is necessary to identify the natural person. The Data Inspectorate finds that it does not comply with Article 12 (2). 2 that Pandora has organized a procedure whereby the data subject must provide more information than was originally collected in order to process a request for the exercise of the rights of the data subject.
The fact that Pandora has designed its systems in such a way that e.g. are not associated with unique identifiers to the data subjects, in the opinion of the Data Inspectorate can not lead to it being justified that in all cases Pandora requires the data subject to legitimize in order to exercise his rights under the regulation. In the opinion of the Data Inspectorate, Pandora's general ID validation procedure goes beyond what is required and unnecessarily complicates the data subject's ability to exercise his rights.
In view of the above, the Data Inspectorate thus finds a basis for criticizing the fact that Pandora's processing of personal data has not taken place in accordance with the rules in Article 12 (2) of the Data Protection Regulation. 6 and Article 5 (2). 1 (c).
The Data Inspectorate also finds grounds for issuing orders to Pandora to decide on and against complaints to decide whether the conditions for deletion pursuant to Article 17 of the Data Protection Regulation are met and, where appropriate, to delete the personal data processed on complaints. .
The Data Inspectorate notes that, when dealing with complaints, the Authority will always make a concrete assessment of the circumstances. In the opinion of the Data Inspectorate, a reference to a decision taken in another European country may not necessarily lead to a similar decision being made by the Authority.
 
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46 / EC (general data protection regulation).
 
[2] Law No 502 of 23 May 2018 laying down additional provisions for a regulation on the protection of individuals with regard to the processing of personal data and on the free exchange of such information (Data Protection Act).
 
[3] At its first meeting of 25 May 2018, the European Data Protection Council confirmed that this is also an expression of the Council's position.