IMY (Sweden) - DI-2020-10549: Difference between revisions

From GDPRhub
Latest revision as of 08:14, 30 April 2024

IMY - DI-2020-10549
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 31.03.2023
Published: 14.04.2024
Fine: n/a
Parties: CDON AB
National Case Number/Name: DI-2020-10549
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: ec

The DPA issued a reprimand against a controller for unnecessarily using a burdensome identity verification method when data subjects requested erasure, such as asking data subjects to provide their order number and price of the last order.

English Summary

Facts

Seven data subjects separately contacted CDON AB (“controller”), a Swedish company, and made an erasure request. The controller replied that in order to process the request, it needed information on date of birth, address, customer number, information on recent purchases such as order number, and information on payment method, including the last four digits of the credit card number in case of card payment. Several data subjects argued they could not retrieve all the requested information as their purchases were so far back in time.

The data subjects lodged separate complaints against the controller in Finland (6) and Denmark (1). Given the cross-border nature of the processing, the Swedish DPA (“Integritetsskyddsmyndigheten”) made use of the cooperation and consistency mechanisms provided by the GDPR, as the controller was based in Sweden.

The controller argued that the names and email addresses of the data subjects were not sufficient to ensure the data subjects’ identity. It therefore requested additional information from the data subjects pursuant to Article 12(6) GDPR. The controller also stated that it took the complaints very seriously and has since reviewed and clarified the identification process so that data subjects only need to answer one of the two security questions. It also offers data subjects the option of contacting customer service to explore alternative security questions for verifying their identity if they are unwilling or unable to answer the questions.

Moreover, the controller stated that it deleted customer profiles automatically depending on the consumer law obligations in various countries, for example after three years in Sweden. The controller thereby confirmed that all of the data subjects’ personal data were deleted.

Holding

The DPA did not investigate two out of seven complaints. The controller could not verify the receiving or processing date of those erasure requests as several years had passed since the complaints were submitted to the Finnish DPA. The DPA then noted it could not draw any firm conclusions as to what occurred in the two cases. Moreover, as the controller confirmed it did not process personal data of these two data subjects anymore, the DPA found no reason to investigate these two complaints further.

Regarding the remaining five complaints, the DPA first assessed whether the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under Article 12(6) GDPR a controller may request additional information if it has reasonable grounds to doubt the identity of the data subject, but must carry out a proportionality assessment first. The DPA held that randomly requiring data for identification purposes without assessing whether the data is necessary violates Article 12(6) GDPR and the principle of data minimisation under Article 5(1)(c) GDPR.

The DPA then examined whether the information requested was necessary to confirm the data subjects’ identity. The DPA found that the controller had not provided sufficient support to conclude that the additional information it requested was necessary to confirm the data subjects’ identity. Therefore, the DPA concluded that the controller violated Article 5(1)(c) GDPR and Article 12(6) GDPR.

Moreover, the DPA stated that the controller, without justification, used a burdensome verification method for erasure requests, for example by asking the data subjects to provide the order number and price of the last order when the last order was a long time ago. The DPA held that the controller did not facilitate the exercise of the data subjects’ rights, thereby violating Article 12(2) GDPR.

The DPA then examined the controller's current practice for handling erasure requests, since the controller had reviewed its procedures since 2018, when the complaints were received. The DPA found the existing procedure not disproportionate and thus not in violation of the GDPR.

The DPA found that the violations were a minor infringement pursuant to Recital 148, because (1) the controller had taken measures to facilitate the exercise of data subjects’ rights under the GDPR and amended its practice to comply with the GDPR, (2) the infringements found occurred relatively long ago and (3) the controller had not received any corrective action for GDPR violations before. Thus, the DPA issued a reprimand to the controller for breaching Article 5(1)(c) GDPR, Article 12(2) GDPR and Article 12(6) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

CDON AB
Södergatan 22, 6 tr,
211 34 Malmö

Diary number: DI-2020-10549
Date: 2023-03-31

                               Decision after supervision according to
                               data protection regulation – CDON AB


                               The Privacy Protection Authority's decision


                               The Swedish Data Protection Authority states that CDON AB has processed personal data
                               contrary to:


                                    • articles 5.1 c and 12.6 of the data protection regulation by having requested
                                         additional information by the appellants in complaints 1-3 and 6-7 when requested to

                                         have their personal data deleted, without the processing being necessary for
                                         to confirm the identity of the complainants.


                                    • article 12.2 of the data protection regulation by using a
                                         onerous verification method against the appellants in complaints 1-3 and 6-7.
                                         The company has thus not made it sufficiently easy for the complainants to practice

                                         their right to erasure according to Article 17 of the Data Protection Regulation.

                               IMY gives CDON AB a reprimand according to article 58.2 b of the data protection regulation for

                               violation of articles 5.1 c, 12.6 and 12.2 of the data protection regulation.


                               Account of the supervisory matter


                               The handling
                               IMY has initiated supervision regarding CDON AB (CDON or the company) due to seven
                               complaints. The complaints have been handed over to IMY, as responsible

                               supervisory authority according to Article 56 of the Data Protection Regulation. The handover has taken place
                               from the supervisory authority in the countries where the complainants have filed their complaints
                               (Finland and Denmark) in accordance with the regulation's provisions on cooperation at
                               cross-border treatment.


                               The proceedings at IMY have taken place through an exchange of letters. Since the
                               complaints concern cross-border treatment, IMY has used the mechanisms of
                               cooperation and uniformity contained in Chapter VII of the data protection
                               regulation. Concerned regulatory authorities have been the data protection
                               authorities in Denmark, Norway and Finland.

Mailing address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Telephone: 08-657 61 00

1 regarding the processing of personal data and about the free flow of such data and about the cancellation of avr med directive 95/46/EC (General Data Protection Regulation).






                               The complaints
                               Summary of complaints

                               In summary, the following is apparent from the complaints. The appellants have requested that their
                               personal data must be deleted. The company has replied that one request can only be handled
                               if the individual submits information about date of birth, address, customer number,

                               information about recent purchases such as order number and information about payment method
                               including the last four digits of the credit card number when paying by card. Several of them
                               complainants believe that their purchases are so far back in time that they could not

                               retrieve all the requested data. The appellants dispute that all of the
                               the requested data is necessary to confirm their identity and manage
                               their requests.


                               What the complainant and CDON have stated in their respective complaints
                               Complaint 1 (Finland with national diary number 2529/182/2018)

                               On 28 May 2018, the appellant submitted a request for the deletion of his
                               personal data. The company has replied that a request can only be handled if it is
                               the complainant comes in with date of birth, address, customer number, order number and

                               depending on the payment method for the latest order, the following information:

                                   • on invoice: price and reference number

                                   • for card payment: the last four digits of the credit card number
                                   • for direct payment: reference number and receipt


                               In summary, the appellant states that she cannot remember or find them
                               the information requested by the company because the order was made 5–10 years ago.


                               Complaint 2 (Finland with national diary number 2537/154/2018)
                               On 25 May 2018, the appellant submitted a request for the deletion of his
                               customer data. The company has replied that it requires information about the date of birth,

                               customer number, order number and payment method for the most recent order.
                               The appellant believes that it is unreasonable to have to answer these questions in order to be able to
                               protect their rights. The complainant does not have the information requested by the company

                               and has used the erasure request email that was associated with the complainant
                               customer account.


                               Complaint 3 (Finland with national diary number 2648/182/2018)
                               On 31 May 2018, the complainant contacted the Finnish data protection authority after
                               have requested access to and deletion of their data from the company. The company has the 29

                               May 2018 in response to the complainant's request stated that in order to verify the complainant
                               as a customer, for security reasons, information about the complainant's address, customer number,
                               order number from the last order and depending on the payment method for it
                               last order the following information:


                                   • on invoice: price and reference number
                                   • for card payment: the last four digits of the credit card number

                                   • for direct payment: reference number and receipt

                               The appellant states that it has been a long time since the appellant bought anything from the company and that

                               the complainant does not have the information that the company requires. Furthermore, it is stated that the company
                               does not seem to delete the data without getting answers to their detailed questions at one
                               request for deletion.












                               Complaint 4 (Finland with national diary number 2664/182/2018)
                               On 31 May 2018, the complainant turned to the Finnish data protection authority after
                               to have requested deletion from the company. It had been 5-10 years since the appellant ordered anything

                               from the company. In order to have their data deleted, the complainant needs to provide
                               data from their purchase which was carried out several years ago. The appellant also needs
                               provide personal data that was not previously needed to complete a purchase. The company has

                               in its response to the appellant informed that there is a right to access and that
                               delete personal data but that the company has the right to retain certain personal data for
                               accounting purposes. In order to meet a request, the company needs for security reasons

                               get information about the complainant's date of birth, address, customer number, order number from
                               last order and depending on the payment method of the last order
                               following task:


                                   • on invoice: price and reference number
                                   • for card payment: the last four digits of the credit card number

                                   • for direct payment: reference number and receipt

                               The company has stated that they cannot verify the date the complaint was received by the company

                               or the date on which the company requested additional information from the complainant.
                               Because the appellant has not been an active customer of CDON in the last two to five years
                               CDON also confirms that the complainants' personal data has been deleted from CDON's system

                               and that no information about the appellant remains.

                               Complaint 5 (Finland with national diary number 2478/153/2018)

                               The complainant has contacted the Finnish Data Protection Authority after requesting
                               deletion of their data at the company. The company has informed the complainant that it
                               there is a right to access and to delete personal data but that the company has the right to
                               retain certain personal data for accounting purposes. To accommodate a request

                               does the company need information about the complainant's date of birth, address,
                               customer number, order number from the last order and depending on
                               payment method for the last order following information:


                                   • on invoice: price and reference number
                                   • for card payment: the last four digits of the credit card number

                                   • for direct payment: reference number and receipt

                               The appellant does not remember when an order was made from the company and how the purchase was made

                               was paid. It has been over a year since anything was ordered.

                               The company has stated that they cannot verify the date the complaint was received by the company

                               or the date on which the company requested additional information from the complainant.
                               Because the appellant has not been an active customer of CDON in the last two to five years
                               CDON also confirms that the complainants' personal data has been deleted from CDON's system

                               and that no information about the appellant remains.

                               Complaint 6 (Finland with national diary number 2814/154/2018)

                               The complainant has filed a complaint with the Finnish Data Protection Authority after
                               a request for erasure with the company on 21 May 2018. The complainant states that the company
                               makes it difficult to exercise the right to erasure by requesting information as a man

                               should not have to save as a customer. The process contributes to the fact that it takes a long time to get
                               personal data deleted. In its response to the complainant on 29 May 2018, the company demanded
                               information about date of birth, address, customer number and one of the following:











                                   • order number from the last order,
                                   • depending on the payment method for the most recent order, the following information:
                                            o on invoice: price and reference number

                                            o for card payment: the last four digits of the credit card number
                                            o for direct payment: reference number and receipt


                               Complaint 7 (Denmark with national diary number 2018-31-0638)
                               The complainant states that he tried to delete his customer account online at cdon.dk by
                               use a hyperlink http://cdon.dk/. The company responded to the complainant on 29 May

                               2018 and requested information about date of birth, address, customer number, order number from
                               last order and payment method for the last order including those
                               last four digits of the credit card number. The appellant states i.a. that the company requires more

                               data when exercising the right to deletion than when creating the customer account.
                               The complainant has used the same email address when requesting deletion as at
                               the creation of the customer account with the company.


                               What CDON AB has stated otherwise
                               CDON AB has essentially stated the following.


                               The complaints
                               Of the complaints received, CDON has been able to identify six out of seven complainants against

                               information in their systems. As regards these six complainants, CDON notes that they are
                               personal data controller for the processing of personal data to which the complaints refer.
                               Regarding the seventh complaint (2478/153/2018), the company has stated that the complainant

                               could not be identified but that it is possible that the complainant has had a customer relationship
                               with CDON under an email address other than the one provided therein
                               complaints sent to the supervisory authority.


                               In connection with the appellants requesting deletion, they have submitted to CDON
                               name and email address. However, CDON has assessed that only these two data are not

                               sufficient to ensure the identity of the complainants. CDON has, with the support of Article 12.6
                               in the data protection regulation, therefore requested supplementary information from all
                               complaining. In addition to name and email address, CDON has requested the following information in order to
                               ensure the identity of the complainants:

                                   • date of birth,
                                   • civil registration address,
                                   • customer number,

                                   • order number for last order, and
                                   • payment method for last order.


                               In addition, the complainants have had to provide the following information about payment methods:

                                   • for invoice purchases: price and reference number,

                                   • in case of card payment: the last four digits of the card,
                                   • in the case of direct payment: reference or invoice number.


                               Existing routines
                               In this context, CDON takes the complaints received very seriously
                               difficulties for data subjects to exercise their rights under the data protection regulation

                               and has continuously worked to improve its procedures for identification upon request
                               register extract or deletion. Since 2018, when the complaints were received,
                               the identification process has been reviewed and clarified. Over the years, CDON has

                               worked to improve handling and ensure a simple and secure process at









                                requests for erasure. Customers who wish to request deletion or access are referred to

                                to contact the company at kunddata@cdon.com. In connection with a registered
                                contacts the company with a request for deletion, the company informs the registered person that
                                the registrant's email will shortly be unregistered from CDON's newsletter

                                (if such subscription is activated). To have their account deleted, request i
                                the current situation CDON that the customer answers two security questions (one each from category 1
                                and 2) in order for CDON to be able to ensure that the person making contact is correct

                                registered. Those registered may choose to answer a question from each
                                security category of questions that CDON provides. This means that they

                                registrants need to answer only one of the following security questions in category 1. According
                                the control questions in category 1, customers must state date of birth, civil registration address
                                or customer number at CDON.com. After that, the registrants only need to answer

                                one of the following security questions in category 2. The control questions in category 2 are linked to
                                latest order where the customer either states the order number or depending on the payment method
                                enter one of the following information: on invoice; sum and OCR number, at

                                card payment: the last four digits of the card and in case of direct payment; transaction id
                                or invoice ID.


                                If a customer is unwilling or unable to answer the security questions requested, the data
                                subject is also offered the opportunity to contact customer service for follow-up and
                                investigation of alternative security questions to try to find another way to verify the
                                customer's identity. CDON considers that, under the company's new routine, at least two
                                further pieces of information in addition to name and e-mail address are needed from
                                customers in order to verify with sufficient certainty that it is the right person making
                                a request. CDON's routine for identifying and verifying the data subject does not mean
                                that new information is collected about the data subject. CDON only asks for two different
                                pieces of data, which are checked against the data CDON already processes about the data
                                subject on a legal basis, in order to verify the data subject's identity.


                                The company's purging routines

                                CDON has explained that it has one routine for purging emails and another routine for
                                purging personal data. CDON's routine for purging emails means that all emails received in
                                CDON's customer data mailbox, i.e. kunddata@cdon.com, to which customers are referred if
                                they have requests for deletion or register extracts, are purged and deleted 14 months
                                after the date the emails were received by CDON. Purging of customer profiles at CDON is
                                currently based on consumer law obligations in different countries, for example after
                                three years in Sweden. CDON thus confirms that all of the complainants' personal data has
                                been deleted at CDON.


                                Justification of decisions


                                Applicable regulations


                                For personal data processing to be compatible with the data protection regulation, it is
                                required, among other things, that the processing meets the requirements regarding the
                                principles for processing of personal data specified in Article 5 of the Data Protection
                                Regulation,3 including the principle of data minimization (Article 5.1 c) and the
                                principle of accountability (Article 5.2).




                                2 Since 22 January 2021, CDON only collects birth numbers (if the data subject chooses to
                                supplement with that information in security question 1) and not the full social security
                                number (dnr DI-2020-10549-18 p.2).
                                3 See the judgment of the European Court of Justice, Valsts ieņēmumu dienests, C-175/20,
                                EU:C:2022:124, paragraph 50, with the case law cited there.









                                According to Article 5.1 c of the data protection regulation, personal data must be
                                adequate, relevant and not excessive in relation to the purposes for which they are
                                processed (principle of data minimization).


                                In accordance with the principle of accountability laid down in Article 5.2 of the Data
                                Protection Regulation, the personal data controller must be able to demonstrate that
                                paragraph 1 of that article is complied with, i.e. bears the burden of proof for this.4


                                According to Article 11.2 of the data protection regulation, if the personal data
                                controller, in the cases referred to in paragraph 1 of that article, can show that it is
                                not in a position to identify the data subject, the personal data controller shall, if
                                possible, inform the data subject of this. In such cases, Articles 15–20 shall not apply,
                                except where the data subject, for the purpose of exercising their rights under those
                                articles, provides additional information that makes identification possible.


                                According to Article 12.2 of the data protection regulation, the personal data controller
                                must facilitate the exercise of the data subject's rights in accordance with Articles
                                15-22. In the cases referred to in Article 11.2 of the Data Protection Regulation, the
                                personal data controller may not refuse to comply with the data subject's request to
                                exercise their rights under Articles 15-22, unless the personal data controller shows that
                                it is unable to identify the data subject.


                                Article 12.6 of the data protection regulation states that, without prejudice to the
                                application of Article 11 of the data protection regulation, the personal data controller
                                may, if it has reasonable grounds to doubt the identity of the natural person submitting a
                                request under Articles 15-21, request that additional information necessary to confirm the
                                data subject's identity be provided. The European Data Protection Board's (EDPB)
                                Guidelines 01/2022 on the right of access state the following.


                                    If the personal data controller has reasonable grounds to doubt the requesting
                                    person's identity, it may, as stated above, request additional information to
                                    confirm the identity of the data subject. However, the personal data controller must
                                    at the same time ensure that it does not collect more personal data than is necessary
                                    to enable identification of the requesting person. Therefore the personal data
                                    controller should make a proportionality assessment, which must take into
                                    consideration the type of personal data being processed (e.g. special categories of
                                    data or not), the nature of the request, the context in which the request is made, as
                                    well as any damage that may occur as a result of improper disclosure. When assessing
                                    proportionality, excessive data collection should be avoided while ensuring an
                                    appropriate level of security of processing.6


                                    The data controller should implement an authentication procedure (verification of
                                    the identity of the data subject) to be certain of the identity of the persons who
                                    request access to their data, and ensure the security of processing of a request for
                                    access in accordance with Article 32, for example a secure channel for data subjects
                                    to provide additional information. The method used for authentication should be
                                    relevant, appropriate, proportionate and respect the principle of data minimization.
                                    If the personal data controller introduces measures aimed at identifying the data
                                    subject that are burdensome, it must appropriately justify this and ensure compliance
                                    with all fundamental principles, including data minimization and the obligation to
                                    facilitate the exercise of the data subject's rights (Article 12.2 of the Data
                                    Protection Regulation).7


                                4 See the judgment of the European Court of Justice, Valsts ieņēmumu dienests, C-175/20,
                                EU:C:2022:124, paragraphs 77 and 81.
                                5 Guidelines 01/2022 on data subject rights - Right of access, Version 2.0, adopted on
                                28 March 2023 (EDPB's Guidelines 01/2022 on the right of access).
                                6 EDPB Guidelines 01/2022, paragraph 70, IMY's translation; original: "As indicated above,
                                if the controller has reasonable grounds for doubting the identity of the requesting
                                person, it may request additional information to confirm the data subject's identity.
                                However, the controller must at the same time ensure that it does not collect more
                                personal data than is necessary to enable authentication of the requesting person.
                                Therefore, the controller shall carry out a proportionality assessment, which must take
                                into account the type of personal data being processed (e.g. special categories of data
                                or not), the nature of the request, the context within which the request is being made,
                                as well as any damage that could result from improper disclosure. When assessing
                                proportionality, it should be remembered to avoid excessive data collection while
                                ensuring an adequate level of processing security."


                                The Swedish Privacy Authority's assessment


                                The complaints
                                According to Article 57.1 f of the data protection regulation, IMY must handle complaints
                                and, to the extent appropriate, investigate the matter to which the complaint relates. The
                                case includes seven complaints. IMY has asked CDON to comment on what information the
                                company requested, the necessity of each individual item of information, the date on which
                                the request for erasure was received in each complaint, the date on which the company
                                requested supplementary information in order to confirm the identity in each complaint,
                                and whether the complainants contacted the company after May 25, 2018.

                                In complaints 4 (Finland, national diary number 2664/182/2018) and 5 (Finland, national
                                diary number 2478/153/2018), no date appears for when the complainants made a request for
                                deletion to the company or when the company requested the supplementary information. The
                                company has stated that it has deleted the complainants' personal data in the two
                                individual complaints in accordance with its routine and cannot verify the date on which
                                the request in each complaint was received or handled. IMY finds no reason to doubt that
                                CDON has been unable to find any information about the complainants and their requests for
                                erasure. Several years have passed since the complaints were submitted to the Finnish Data
                                Protection Authority.


                                IMY finds that it is not possible to draw any firm conclusions about what occurred in the
                                case of the two complainants based on what it has been possible to investigate in the
                                complaints. Among other things, particularly since the complainants' requests date from
                                the time closely connected with the data protection regulation starting to apply, it has
                                not been possible to investigate whether these two complaints are covered by the data
                                protection regulation. CDON has further confirmed that no personal data on these two
                                complainants is processed by the company any longer. Against this background, IMY finds
                                that the substantive issue in the two complaints has been investigated to the extent
                                appropriate under Article 57.1 f of the data protection regulation. IMY therefore finds no
                                reason to investigate these two complaints further. IMY has consequently, based on the
                                remaining five complaints in the case, examined partly the company's actions in these
                                individual cases and partly whether the company's current routine is compatible with the
                                data protection regulation.










                                7 EDPB's Guidelines 01/2022, point 71, IMY's translation; original: "The controller should implement an authentication
                                procedure in order to be certain of the identity of the persons requesting access to their data, and ensure security of
                                the processing throughout the process of handling an access request in accordance with Art. 32 GDPR, including for
                                instance a secure channel for the data subjects to provide additional information. The method used for authentication
                                should be relevant, appropriate, proportionate and respect the data minimization principle. If the controller imposes
                                measures aimed at authenticating the data subject which are burdensome, it needs to adequately justify this and
                                ensure compliance with all fundamental principles, including data minimization and the obligation to facilitate the
                                exercise of data subjects' rights (Art. 12(2) GDPR)."









                                General starting points

                                It can be stated that the personal data controller, in order to identify a data subject,
                                may request additional information that is necessary, if the personal data controller has
                                reasonable grounds to doubt the identity of the person making the request.


                                The Data Protection Regulation does not explicitly regulate which data may be requested or
                                how the additional information is to be collected. The personal data controller must make
                                a proportionality assessment to determine what is appropriate with respect to, among other
                                things, the regulation's requirements regarding security, but also in light of the
                                requirement in Article 12.2 of the Data Protection Regulation, according to which the
                                personal data controller shall facilitate the exercise of the data subject's rights.
                                Casually requiring information for identification without regard to whether the
                                information is necessary as described in Article 12.6 of the data protection regulation
                                contravenes, according to IMY, both that provision and the principle of data minimization
                                in Article 5.1 c of the data protection regulation.


                                As follows from the wording of these provisions and as confirmed by the EDPB's Guidelines
                                01/2022 on the right of access, the personal data controller must carry out a
                                proportionality assessment and be able to justify the verification method used. To avoid
                                excessive data collection, a request for additional information should be proportionate in
                                relation to the type of data being processed and the damage that may occur. This is also
                                confirmed by the guidelines.8

                                Has there been a breach of the data protection regulation regarding what is presented in
                                the complaints in this case?
                                The question is whether the information that the company required in order to meet the
                                requests in the individual cases where the data protection regulation is applicable (i.e.
                                complaints 1-3 and 6-7) was necessary to identify the respective complainants and thus in
                                accordance with the data protection regulation. The information that the company requested
                                in the individual complaints, in addition to name and e-mail, was date of birth, civil
                                registration address, customer number, order number and payment method for the last order,
                                as well as, depending on the payment method, price and reference number for invoice
                                payment, the last four digits of the card for card payment, and reference or invoice
                                number for direct payment.

                                The company has been given the opportunity to justify in what way each item of information
                                requested was necessary to identify the complainants in the individual cases. Without
                                explaining in more detail the necessity of each item of information requested, the company
                                replied that name and email had not been enough to identify the complainants and verify
                                that it is the right person making a request. According to IMY, the company's statement
                                does not provide sufficient support to establish that all of the other information at
                                issue was necessary to identify the data subjects in accordance with Article 12.6 of the
                                data protection regulation and the principle of data minimization in Article 5.1 c of the
                                data protection regulation. It is CDON, in its capacity as personal data controller, that
                                must be able to demonstrate that the processing is carried out in accordance with the
                                regulation (Article 5.2 of the data protection regulation). IMY considers that CDON has
                                not done this. IMY thus finds that CDON AB processed personal data in violation of
                                Articles 5.1 c and 12.6 of the data protection regulation.


                                In this case, the complainants have had to submit a relatively large amount of personal
                                data in order to be able to exercise their right to deletion, including order number and
                                price for the latest order and reference number for invoice purchases, together with
                                additional information. In any case, it had been a long time since the complainant had
                                shopped at CDON. This has meant that the complainants have not been able to exercise their
                                right to erasure under Article 17 of the data protection regulation without having to make
                                an effort to look for what was in some cases old information and in any case a lot of
                                information. By using such a burdensome verification method for deletion requests without
                                justification, the company has thus not facilitated the exercise of the data subjects'
                                rights in the manner required by Article 12.2 of the data protection regulation. CDON AB
                                has thus processed personal data in violation of Article 12.2 of the data protection
                                regulation.


                                8 EDPB's Guidelines 01/2022, General considerations on the assessment of the data subject's request, pages 2-3.


                                Is the company's current routine compatible with the data protection regulation?
                                The investigation shows that the company has continuously reviewed its routines for the
                                handling of requests for deletion since 2018, when all of the complaints in the case were
                                received. The general routines that have been examined are those that have been in force
                                from 22 January 2021 up to and including the date of IMY's decision in the current case.


                                To ensure the identity of a data subject requesting deletion, data subjects now need to
                                answer two questions (one question in category 1 and one question in category 2), such as
                                date of birth and order number. In category 1, since January 22, 2021, data subjects need
                                not state their social security number but only their date of birth, if the data subject
                                chooses to supplement with that information. No new personal data is requested to confirm
                                the identity of the data subject; rather, two different items of data are requested in
                                order to compare them against data that the company already processes about the data
                                subject, so as to verify the data subject. That CDON verifies the identity of the data
                                subject before deletion of personal data takes place is also a protection for the data
                                subject, who should not have to have their personal data deleted by mistake. The company
                                also offers an alternative route for a data subject who cannot or does not want to answer
                                the security questions, namely to contact customer service to find another way to verify
                                the data subject's identity. For a customer who has not placed an order there is thus the
                                option to contact customer service instead.


                                Against this background, IMY finds that CDON's existing routine is not disproportionate
                                and thus not in violation of the data protection regulation, provided that the company
                                only collects the information set out in the routine in situations where there is reason
                                to doubt the identity of the data subject and that only the information that is necessary
                                to identify the data subject is then requested.


                                Choice of intervention
                                It follows from Article 58.2 i and Article 83.2 of the data protection regulation that IMY
                                has the power to impose administrative penalty fees in accordance with Article 83.
                                Depending on the circumstances of the individual case, administrative penalty fees are to
                                be imposed in addition to or instead of the other measures referred to in Article 58.2 of
                                the data protection regulation, such as injunctions and prohibitions. Furthermore, Article
                                83.2 of the data protection regulation sets out which factors must be taken into account
                                when deciding whether administrative penalty fees are to be imposed and when determining
                                the amount of the fee. In the case of a minor violation, IMY may, according to what is set
                                out in recital 148, issue a reprimand under Article 58.2 b of the data protection
                                regulation instead of imposing a penalty fee. Consideration shall be given to aggravating
                                and mitigating circumstances of the case, such as the nature, severity and duration of the
                                violation as well as previous violations of relevance.

                                IMY notes the following relevant circumstances. The current supervision covers CDON AB's
                                handling of five individual complainants' requests in the situation which the complaints
                                concern.









                                The company has taken measures to make it easier for data subjects to exercise their
                                rights under the data protection regulation and has changed its procedures so that they
                                are compatible with the data protection regulation. Some measures had already been taken
                                before this supervisory case was initiated. Furthermore, the observed violations occurred
                                relatively far back in time. The company has not previously been subject to any corrective
                                measure for breach of the data protection regulation. Against this background, IMY finds
                                that this is a minor violation in the sense referred to in recital 148 and that CDON AB
                                should be given a reprimand under Article 58.2 b of the data protection regulation for the
                                violations found.




                                This decision has been taken by the unit manager Catharina Fernquist after a presentation
                                by lawyer Salli Fanaei.

                                Catharina Fernquist, 2023-03-31 (This is an electronic signature)


                                Copy to
                                The data protection officer

























































                                How to appeal


                                If you want to appeal the decision, you must write to the Swedish Privacy Agency. State in
                                the letter which decision you are appealing and the change you are requesting. The appeal
                                must have been received by the Privacy Protection Authority no later than three weeks from
                                the day you were notified of the decision. If the appeal has been received in time, the
                                Privacy Protection Authority forwards it to the Administrative Court in Stockholm for
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                secrecy. The authority's contact details appear on the first page of the decision.























































