IMY (Sweden) - DI-2020-10549

From GDPRhub
Revision as of 08:14, 30 April 2024 by Ec (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
IMY - DI-2020-10549
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 12(6) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 31.03.2023
Published: 14.04.2024
Fine: n/a
Parties: CDON AB
National Case Number/Name: DI-2020-10549
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: ec

The DPA issued a reprimand against a controller for unnecessarily using a burdensome identity verification method when data subjects requested erasure, such as asking data subjects to provide their order number and price of the last order.

English Summary

Facts

7 data subjects separately contacted CDON AB (“controller”), a Swedish company, and made an erasure request. The controller replied that in order to process the request, it needed information on date of birth, address, customer number information on recent purchases such as order number and information on payment method including the last four digits of the credit card number in case of card payment. Several data subjects argued they could not retrieve all the requested information as their purchases were so far back in time.

The data subjects lodged separate complaints against the controller in Finland (6) and Denmark (1). Given the cross-border nature of the processing, the Swedish DPA (“Integritetsskydds myndigheten”) made use of the cooperation and consistency mechanisms provided by the GDPR, as the controller was based in Sweden.

The controller argued that the names and email addresses of the data subjects were not sufficient to ensure the data subject’s identity. It therefore requested additional information from the data subjects pursuant to Article 12(6) GDPR. The controller also stated it took the complaints very seriously and has since reviewed and clarified the identification process so that data subjects only need to answer one of the two security questions, and offers data subject to contact customer service for investigation of alternative security questions to verify the customer’s identity in the case of the data subject being unwilling or unable to answer the questions.

Moreover, the controller stated that it deleted customer profiles automatically depending on the consumer law obligations in various countries, for example after three years in Sweden. The controller thereby confirmed that all of the data subjects’ personal data were deleted.

Holding

The DPA did not investigate two out of seven complaints. The controller could not verify the receiving or processing date of those erasure requests as several years had passed since the complaints were submitted to the Finnish DPA. The DPA then noted it could not draw any firm conclusions as to what occurred in the two cases. Moreover, as the controller confirmed it did not process personal data of these two data subjects anymore, the DPA found no reason to investigate these two complaints further.

Regarding the remaining five complaints, the DPA first assessed if the controller had reasonable grounds to doubt the identity of the data subjects. The DPA pointed out that under Article 12(6) GDPR additional information may be requested if the controller has reasonable grounds to doubt the identity of the controller, but must carry out a proportionality assessment first. The DPA held that randomly requiring data for identification purposes without assessing whether the data is necessary violates Article 12(6) GDPR and the principle of data minimisation under Article 5(1)(c) GDPR.

The DPA then examined whether the information requested was necessary to confirm the data subjects’ identity. The DPA found that the controller had not provided sufficient support to conclude that the additional information it requested was necessary to identify the data subjects ’identity. Therefore, the DPA concluded that the controller violated Article 5(1)(c) GDPR and Article 12(6) GDPR.

Moreover, the DPA further stated that the controller used a burdensome verification method when requesting erasure without justification, by for example asking the data subjects to provide the order number and price of the last order when the last order was a long time ago. The DPA held that the controller did not facilitate the exercise of the data subjects’ rights, thereby violating Article 12(2) GDPR.

The DPA then examined the current practice of the controller for handling requests for erasure, since the controller had reviewed its procedures since 2018 when the complaints were received. The DPA found the existing procedure not disproportionate and thus not in violation with the GDPR.

The DPA found that the violations were a minor infringement pursuant to Recital 148, because (1) the controller had taken measures to facilitate the exercise of data subjects’ rights under the GDPR and amended its practice to comply with the GDPR, (2) the infringements found occurred relatively long ago and (3) the controller had not received any corrective action for GDPR violations before. Thus, the DPA issued a reprimand to the controller for breaching Article 5(1)(c) GDPR, Article 12(2) GDPR and 12(6) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

1(11)







                                                                     CDON AB
                                                                     Södergatan 22, 6 tr,
                                                                     211 34 Malmö







Diary number:
DI-2020-10549 Decision after supervision according to

                               data protection regulation – CDON AB
Date:
2023-03-31



                               The Privacy Protection Authority's decision


                               The Swedish Data Protection Authority states that CDON AB has processed personal data
                               contrary to:


                                    • articles 5.1 c and 12.6 of the data protection regulation by having requested
                                         additional information by the appellants in complaints 1-3 and 6-7 when requested to

                                         have their personal data deleted, without the processing being necessary for
                                         to confirm the identity of the complainants.


                                    • article 12.2 of the data protection regulation by using a
                                         onerous verification method against the appellants in complaints 1-3 and 6-7.
                                         The company has thus not made it sufficiently easy for the complainants to practice

                                         their right to erasure according to Article 17 of the Data Protection Regulation.

                               IMY gives CDON AB a reprimand according to article 58.2 b of the data protection regulation for

                               violation of articles 5.1 c, 12.6 and 12.2 of the data protection regulation.


                               Account of the supervisory matter


                               The handling
                               IMY has initiated supervision regarding CDON AB (CDON or the company) due to seven
                               complaint. The complaints have been handed over to IMY, as responsible

                               supervisory authority according to Article 56 of the Data Protection Regulation. The handover has taken place
                               from the supervisory authority in the countries where the complainants have filed their complaints
                               (Finland and Denmark) in accordance with the regulation's provisions on cooperation at
                               cross-border treatment.


                               The proceedings at IMY have taken place through an exchange of letters. Against the background that it applies
                               complaints concerning cross-border treatment, IMY has used them
Mailing address:
Box 8114 mechanisms of cooperation and uniformity contained in Chapter VII i
                               data protection regulation. Concerned regulatory authorities have been
104 20 Stockholm the data protection authorities in Denmark, Norway and Finland.
Website:
www.imy.se

E-mail:
imy@imy.se 1
Telephone: regarding the processing of personal data and about the free flow of such data and about the cancellation of avr med
                               directive 95/46/EC (General Data Protection Regulation).
08-657 61 00


                                                             Page 1 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 2(11)
                               Date: 2023-03-31






                               The complaints
                               Summary of complaints

                               In summary, the following is apparent from the complaints. The appellants have requested that their
                               personal data must be deleted. The company has replied that one request can only be handled
                               if the individual submits information about date of birth, address, customer number,

                               information about recent purchases such as order number and information about payment method
                               including the last four digits of the credit card number when paying by card. Several of them
                               complainants believe that their purchases are so far back in time that they could not

                               retrieve all the requested data. The appellants dispute that all of the
                               the requested data is necessary to confirm their identity and manage
                               their requests.


                               What the complainant and CDON have stated in their respective complaints
                               Complaint 1 (Finland with national diary number 2529/182/2018)

                               On 28 May 2018, the appellant submitted a request for the deletion of his
                               personal data. The company has replied that a request can only be handled if it is
                               the complainant comes in with date of birth, address, customer number, order number and

                               depending on the payment method for the latest order, the following information:

                                   • on invoice: price and reference number

                                   • for card payment: the last four digits of the credit card number
                                   • for direct payment: reference number and receipt


                               In summary, the appellant states that she cannot remember or find them
                               the information requested by the company because the order was made 5–10 years ago.


                               Complaint 2 (Finland with national diary number 2537/154/2018)
                               On 25 May 2018, the appellant submitted a request for the deletion of his
                               customer data. The company has replied that it requires information about the date of birth,

                               customer number, order number and payment method for the most recent order.
                               The appellant believes that it is unreasonable to have to answer these questions in order to be able to
                               protect their rights. The complainant does not have the information requested by the company

                               and has used the erasure request email that was associated with the complainant
                               customer account.


                               Complaint 3 (Finland with national diary number 2648/182/2018)
                               On 31 May 2018, the complainant contacted the Finnish data protection authority after
                               have requested access to and deletion of their data from the company. The company has the 29

                               May 2018 in response to the complainant's request stated that in order to verify the complainant
                               as a customer, for security reasons, information about the complainant's address, customer number,
                               order number from the last order and depending on the payment method for it
                               last order the following information:


                                   • on invoice: price and reference number
                                   • for card payment: the last four digits of the credit card number

                                   • for direct payment: reference number and receipt

                               The appellant states that it has been a long time since the appellant bought anything from the company and that

                               the complainant does not have the information that the company requires. Furthermore, it is stated that the company
                               does not seem to delete the data without getting answers to their detailed questions at one
                               request for deletion.






                                                            Page 2 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 3(11)
                               Date: 2023-03-31






                               Complaint 4 (Finland with national diary number 2664/182/2018)
                               On 31 May 2018, the complainant turned to the Finnish data protection authority after
                               to have requested deletion from the company. It had been 5-10 years since the appellant ordered anything

                               from the company. In order to have their data deleted, the complainant needs to provide
                               data from their purchase which was carried out several years ago. The appellant also needs
                               provide personal data that was not previously needed to complete a purchase. The company has

                               in its response to the appellant informed that there is a right to access and that
                               delete personal data but that the company has the right to retain certain personal data for
                               accounting purposes. In order to meet a request, the company needs for security reasons

                               get information about the complainant's date of birth, address, customer number, order number from
                               last order and depending on the payment method of the last order
                               following task:


                                   • on invoice: price and reference number
                                   • for card payment: the last four digits of the credit card number

                                   • for direct payment: reference number and receipt

                               The company has stated that they cannot verify the date the complaint was received by the company

                               or the date on which the company requested additional information from the complainant.
                               Because the appellant has not been an active customer of CDON in the last two to five years
                               CDON also confirms that the complainants' personal data has been deleted from CDON's system

                               and that no information about the appellant remains.

                               Complaint 5 (Finland with national diary number 2478/153/2018)

                               The complainant has contacted the Finnish Data Protection Authority after requesting
                               deletion of their data at the company. The company has informed the complainant that it
                               there is a right to access and to delete personal data but that the company has the right to
                               retain certain personal data for accounting purposes. To accommodate a request

                               does the company need information about the complainant's date of birth, address,
                               customer number, order number from the last order and depending on
                               payment method for the last order following information:


                                   • on invoice: price and reference number
                                   • for card payment: the last four digits of the credit card number

                                   • for direct payment: reference number and receipt

                               The appellant does not remember when an order was made from the company and how the purchase was made

                               was paid. It has been over a year since anything was ordered.

                               The company has stated that they cannot verify the date the complaint was received by the company

                               or the date on which the company requested additional information from the complainant.
                               Because the appellant has not been an active customer of CDON in the last two to five years
                               CDON also confirms that the complainants' personal data has been deleted from CDON's system

                               and that no information about the appellant remains.

                               Complaint 6 (Finland with national diary number 2814/154/2018)

                               The complainant has filed a complaint with the Finnish Data Protection Authority after
                               a request for erasure with the company on 21 May 2018. The complainant states that the company
                               makes it difficult to exercise the right to erasure by requesting information as a man

                               should not have to save as a customer. The process contributes to the fact that it takes a long time to get
                               personal data deleted. In its response to the complainant on 29 May 2018, the company demanded
                               information about date of birth, address, customer number and one of the following:





                                                            Page 3 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 4(11)
                               Date: 2023-03-31






                                   • order number from the last order,
                                   • depending on the payment method for the most recent order, the following information:
                                            o on invoice: price and reference number

                                            o for card payment: the last four digits of the credit card number
                                            o for direct payment: reference number and receipt


                               Complaint 7 (Denmark with national diary number 2018-31-0638)
                               The complainant states that he tried to delete his customer account online at cdon.dk by
                               use a hyperlink http://cdon.dk/. The company responded to the complainant on 29 May

                               2018 and requested information about date of birth, address, customer number, order number from
                               last order and payment method for the last order including those
                               last four digits of the credit card number. The appellant states i.a. that the company requires more

                               data when exercising the right to deletion than when creating the customer account.
                               The complainant has used the same email address when requesting deletion as at
                               the creation of the customer account with the company.


                               What CDON AB has stated otherwise
                               CDON AB has essentially stated the following.


                               The complaints
                               Of the complaints received, CDON has been able to identify six out of seven complainants against

                               information in their systems. As regards these six complainants, CDON notes that they are
                               personal data controller for the processing of personal data to which the complaints refer.
                               Regarding the seventh complaint (2478/153/2018), the company has stated that the complainant

                               could not be identified but that it is possible that the complainant has had a customer relationship
                               with CDON under an email address other than the one provided therein
                               complaints sent to the supervisory authority.


                               In connection with the appellants requesting deletion, they have submitted to CDON
                               name and email address. However, CDON has assessed that only these two data are not

                               sufficient to ensure the identity of the complainants. CDON has, with the support of Article 12.6
                               in the data protection regulation, therefore requested supplementary information from all
                               complaining. In addition to name and email address, CDON has requested the following information in order to
                               ensure the identity of the complainants:

                                   • date of birth,
                                   • civil registration address,
                                   • customer number,

                                   • order number for last order, and
                                   • payment method for last order.


                               In addition, the complainants have had to provide the following information about payment methods:

                                   • for invoice purchases: price and reference number,

                                   • in case of card payment: the last four digits of the card,
                                   • in the case of direct payment: reference or invoice number.


                               Existing routines
                               In this context, CDON takes the complaints received very seriously
                               difficulties for data subjects to exercise their rights under the data protection regulation

                               and has continuously worked to improve its procedures for identification upon request
                               register extract or deletion. Since 2018, when the complaints were received,
                               the identification process has been reviewed and clarified. Over the years, CDON has

                               worked to improve handling and ensure a simple and secure process at



                                                            Page 4 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 5(11)
                                Date: 2023-03-31






                                requests for erasure. Customers who wish to request deletion or access are referred to

                                to contact the company at kunddata@cdon.com. In connection with a registered
                                contacts the company with a request for deletion, the company informs the registered person that
                                the registrant's email will shortly be unregistered from CDON's newsletter

                                (if such subscription is activated). To have their account deleted, request i
                                the current situation CDON that the customer answers two security questions (one each from category 1
                                and 2) in order for CDON to be able to ensure that the person making contact is correct

                                registered. Those registered may choose to answer a question from each
                                security category of questions that CDON provides. This means that they

                                registrants need to answer only one of the following security questions in category 1. According
                                the control questions in category 1, customers must state date of birth, civil registration address
                                or customer number at CDON.com. After that, the registrants only need to answer

                                one of the following security questions in category 2. The control questions in category 2 are linked to
                                latest order where the customer either states the order number or depending on the payment method
                                enter one of the following information: on invoice; sum and OCR number, at

                                card payment: the last four digits of the card and in case of direct payment; transaction id
                                or invoice ID.


                                In case a customer is unwilling or unable to answer the security questions requested
                                the data subject is also offered the opportunity to contact customer service for follow-up and

                                investigation of alternative security issues to try to find another way to verify
                                the customer's identity. CDON believes that at least two more are necessary
                                information in addition to name and e-mail address from customers according to the company's new routine for

                                to be able to verify with sufficient certainty that it is the right person making one
                                request. CDON's routine for identification and verification of the data subject does not mean

                                that new information is collected about the data subject. CDON only requests to receive two different ones
                                data verified against the data CDON already processes about it
                                registered with a legal basis to be able to verify the identity of the registered.


                                The company's thinning routines

                                CDON has explained that they have a routine for thinning emails and another routine for
                                thinning of personal data. CDON's routine for thinning emails means that all emails
                                received in CDON's customer data box, i.e. kunddata@cdon.com, where customers become

                                referred if they have requests for deletion or register extracts, are thinned and deleted
                                after 14 months from the date the emails were received by CDON. Thinning of customer profiles
                                on CDON is currently based on consumer law obligations in different countries

                                for example after three years in Sweden. CDON thus confirms that all were complained about
                                personal data deleted at CDON.


                                Justification of decisions


                                Applicable regulations


                                In order for personal data processing to be compatible with the data protection regulation, it is required
                                among other things, that the processing meets the requirements regarding the principles of processing of
                                                                                                   3
                                personal data specified in Article 5 of the Data Protection Regulation, including the principle
                                on data minimization (Article 5.1 c) and the principle of responsibility (Article 5.2).




                                2Since 22 January 2021, CDON only collects birth numbers (if the registered person chooses to supplement with
                                that information in security question 1) and not the full social security number (dnr DI-2020-10549-18 p.2).
                                3 See the judgment of the European Court of Justice, Valsts eizumenu dienests, C-175/20, EU:C:2022:124, paragraph 50, with
                                case law.



                                                              Page 5 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 6(11)

                                 Date: 2023-03-31






                                 According to Article 5.1 c of the data protection regulation, the personal data must be adequate,

                                 relevant and not too extensive in relation to the purposes for which they are processed
                                 (principle of task minimization).


                                 In accordance with the principle of responsibility stipulated in Article 5.2 of the Data Protection Regulation
                                 the personal data controller must be able to demonstrate that paragraph 1 of this article is complied with,

                                 i.e. has the burden of proof for this. 4


                                 According to article 11.2 of the data protection regulation, if the person in charge of personal data,
                                 in the cases referred to in paragraph 1 of this article, can show that he is not in a position to

                                 identify the data subject, the personal data controller shall, if possible, inform it
                                 registered about this. In such cases, Articles 15–20 shall not apply, except when the

                                 registered for the exercise of their rights in accordance with these articles
                                 provides additional information that makes identification possible.


                                 According to article 12.2 of the data protection regulation, the personal data controller must
                                 facilitate the exercise of the data subject's rights in accordance with Articles 15-22. IN

                                 the cases referred to in Article 11.2 of the Data Protection Regulation receive it
                                 personal data controller does not refuse to comply with the data subject's request to

                                 exercise their rights under Articles 15-22, unless the data controller
                                 shows that he or she is unable to identify the data subject.


                                 Article 12.6 of the data protection regulation states that without prejudice to the application of

                                 article 11 of the data protection regulation, the personal data controller gets, if he has
                                 reasonable grounds to doubt the identity of the natural person submitting a request

                                 according to articles 15-21, request additional information necessary to
                                 confirm the data subject's identity is provided. In the European Data Protection Board
                                 (EDPB) guidelines 01/2022 on the right of access states the following.


                                    If the personal data controller has reasonable grounds to doubt the requester

                                    the person's identity, he may, as stated above, request additional information for
                                    to confirm the identity of the data subject. However, the personal data controller must

                                    at the same time ensure that it does not collect more personal data than is necessary
                                    to enable identification of the requesting person. Therefore it should

                                    personal data controller make a proportionality assessment, which must take
                                    consideration of the type of personal data being processed (e.g. special categories of

                                    information or not), the nature of the request, the context in which the request is made as well as
                                    any damage that may occur as a result of improper disclosure. At

                                    assessment of proportionality, excessive data collection should be avoided
                                    while ensuring an appropriate level of security during treatment. 6


                                    The data controller should implement an authentication procedure (control of
                                    the identity of the data subject) to be certain of the identity of the persons who

                                    request access to their data, and ensure the security of processing one


                                 4 See the judgment of the European Court of Justice Valsts eizumenu dienests, C-175/20, EU:C:2022:124, paragraphs 77 and 81.
                                 5Guidelines 01/2022 on data subject rights - Right of access Version 2.0 Adopted on 28 March 2023 (EDPB's
                                 Guidelines 01/2022 on the right of access).
                                 6
                                  EDPB Guidelines 01/2022, paragraph 70, IMY's translation; original: "As indicated above, if the controller has
                                 reasonable grounds for doubting the identity of the requesting person, it may request additional information to confirm
                                 the data subject's identity. However, the controller must at the same time ensure that it does not collect more personnel
                                 data than is necessary to enable authentication of the requesting person. Therefore, the controller shall carry out a
                                 proportionality assessment, which must take into account the type of personal data being processed (e.g. special
                                 categories of data or not), the nature of the request, the context within which the request is being made, as well as
                                 any damage that could result from improper disclosure. When assessing proportionality, it should be remembered to
                                 avoid excessive data collection while ensuring an adequate level of processing security.“


                                                               Page 6 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 7(11)
                                Date: 2023-03-31







                                   request for access in accordance with Article 32, for example a secure channel for those
                                   registered to provide additional information. The method used for
                                   authentication should be relevant, appropriate, proportionate and respect the principle

                                   about task minimization. If the personal data controller introduces measures aimed at
                                   to identify the data subject that is burdensome it must in an appropriate way

                                   justify this and ensure compliance with all fundamental principles,
                                   including data minimization and the obligation to facilitate the exercise of those
                                   data subject's rights (Article 12.2 of the Data Protection Ordinance). 7


                                The Swedish Privacy Authority's assessment


                                The complaints
                                According to article 57.1 f of the data protection regulation, IMY must process complaints and where this is the case

                                appropriately investigate the matter to which the complaint relates. The case includes seven complaints.
                                IMY has requested that CDON comment on what information the company has requested,

                                the necessity of each individual data, date of when the request for erasure was received i
                                respective complaint, date of when the company requested supplementary information in order to
                                confirm the identity in each complaint and whether the complainants contacted the company after

                                May 25, 2018.

                                Of complaints 4 (Finland with national diary number 2664/182/2018) and 5 (Finland

                                with national diary number 2478/153/2018) no date appears for when the appellants
                                made a request for deletion with the company or when the company requested it
                                the supplementary information. The company has stated that they have deleted the complainant's

                                personal data in the two individual complaints in accordance with its routine and cannot
                                verify the date of when the request in the respective complaint was received or handled. IMY
                                finds no reason to doubt that CDON has lacked the opportunity to find any information

                                about the complainants and their requests for erasure. It has been several years since
                                the complaints were submitted to the Finnish Data Protection Authority.


                                IMY states that it is not possible to draw any safe conclusions from what has occurred
                                in the case of the two complainants based on what has been possible to investigate in the complaints. The
                                has, among other things, especially in light of the fact that the appellants' requests are attributable to

                                the time in close connection with the data protection regulation starting to apply, has not been
                                possible to investigate whether these two complaints are covered by the data protection regulation. CDON
                                has further confirmed that no personal data on these two appellants anymore

                                processed by the company. Against this background, IMY finds that the substantive issue in the two
                                the complaints are investigated to the extent that is appropriate according to Article 57.1 f i
                                data protection regulation. IMY therefore finds no reason to investigate these two complaints

                                further. IMY has consequently based on the remaining five current complaints
                                in the case partly examined the company's actions in these individual cases, partly about the company's
                                current routine is compatible with the data protection regulation.










                                7EDPB's Guidelines 01/2022, point 71, IMY's translation, original; “The controller should implement an authentication
                                procedure in order to be certain of the identity of the persons requesting access to their data, and ensure security of
                                the processing throughout the process of handling an access request in accordance with Art. 32 GDPR, including for
                                instance a secure channel for the data subjects to provide additional information. The method used for authentication
                                should be relevant, appropriate, proportionate and respect the data minimization principle. If the controller imposes
                                measures aimed at authenticating the data subject which are burdensome, it needs to adequately justify this and
                                ensure compliance with all fundamental principles, including data minimization and the obligation to facilitate the
                                exercise of data subjects' rights (Art. 12(2) GDPR).



                                                              Page 7 of 11 The Swedish Privacy Agency Diary number: DI-2020-10549 8(11)
                                Date: 2023-03-31






                                General starting points

                                It can be stated that the personal data controller, in order to identify a registered person,
                                may request additional information that is necessary, about the personal data controller
                                have reasonable grounds to doubt the identity of the person making the request.


                                The Data Protection Regulation does not explicitly regulate which data may be requested or
                                how the additional information is to be collected. The personal data controller must

                                make a proportionality assessment to determine what is appropriate with respect
                                to the regulation's requirements regarding security, among other things, but also in light of
                                the requirement in Article 12.2 of the Data Protection Regulation, according to which it

                                personal data controller shall facilitate the exercise of the data subject's rights. To
                                casually require information for identification without regard to whether the information is
                                necessary as described in article 12.6 of the data protection regulation contravenes according to

                                IMY against both this provision and also against the principle of data minimization i
                                Article 5.1 c of the data protection regulation.


                                As follows from the wording of these regulations and as confirmed by the EDPB's
                                guideline 01/2022 on the right of access, the personal data controller must implement a
                                proportionality assessment and be able to justify the verification method used.

                                To avoid excessive data collection, a request for additional
                                information be proportionate in relation to the type of data being processed and
                                                                                                   8
                                the damage that may occur. This is also confirmed by the guidelines.

                                Has there been a breach of the data protection regulation regarding what

                                presented in the complaints in this case?
                                The question is about the information that the company required to meet the requests in them
                                the individual cases where the data protection regulation is applicable (i.e. complaints 1-3 and 6-7)

                                have been necessary to identify the respective appellants and thus in accordance with
                                data protection regulation. The information that the company has requested in the individual complaints,
                                in addition to name and e-mail, has been date of birth, civil registration address, customer number,

                                order number and payment method for the last order, as well as, depending on the payment method, price and
                                reference number when paying invoices, the last four digits of the card when paying by card,

                                reference or invoice number for direct payment.

                                The company has been given the opportunity to justify the manner in which the respective information was requested

                                been necessary to identify the appellants in the individual cases. The company has without
                                explain in more detail the necessity of the respective requested information, replied that it had not been
                                enough name and email to identify the complainants and verify that it is

                                the right person making a request. According to IMY, the company's statement does not
                                sufficient support to establish that all of the other current information has been
                                necessary to identify the data subjects in accordance with Article 12.6 i

                                the data protection regulation and the principle of data minimization in Article 5.1 c i
                                data protection regulation. It is CDON, in the capacity of personal data controller, who
                                must be able to demonstrate that the processing is carried out in accordance with the regulation (Article 5.2 i

                                data protection regulation). IMY believes that CDON has not done this. IMY states
                                thus that CDON AB processed personal data in violation of article 5.1 c and 12.6 i
                                data protection regulation.


                                In this case, the complainants have had to come in with relatively many
                                personal data in order to be able to exercise their right to deletion, i.a. order number and price for

                                latest order and reference number for invoice purchases together with additional


                                8EDPB's Guidelines 01/2022, General considerations on the assessment of the data subject's request, pages 2-3.



                                                              Page 8 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 9(11)
                                Date: 2023-03-31






                                tasks. In any case, it had been a long time since the appellant had shopped at CDON.
                                This has meant that the appellants have not been able to exercise their right to erasure according to Article
                                17 of the data protection regulation without having to make an effort to look for in some cases

                                old information and in any case a lot of information. By using without justification
                                opts out of such a burdensome verification method when requesting deletion, the company has
                                thus not facilitating the exercise of the data subjects' rights in the manner required

                                according to article 12.2 of the data protection regulation. CDON AB has thus processed
                                personal data in violation of Article 12.2 of the data protection regulation.


                                Is the company's current routine compatible with the data protection regulation?
                                The investigation shows that the company has continuously reviewed its routines for
                                the handling of requests for deletion since 2018, when all current complaints i

                                the case was received. The general routines that have been reviewed are those that have been in force since 22
                                January 2021 up to and including the date of IMY's decision in the current case.


                                To ensure the identity of the data subject requesting deletion, it needs
                                registrants now answer two questions (one question in category 1 and one question in category 2)
                                such as date of birth and order number. In category 1, registrants need

                                since January 22, 2021 do not state the social security number but only the date of birth about it
                                registrants choose to supplement with that information. It is not new personal data
                                which is requested to confirm the identity of the data subject without two different data in order to

                                compare them against data that the company already processes about the data subject in order to
                                verify the registrant. That CDON verifies the identity of the data subject before
                                deletion of personal data takes place is also a protection for the data subject who should not

                                have to have their personal data deleted by mistake. The company also offers a
                                alternative route for the data subject who cannot or does not want to answer the security questions
                                namely to contact customer service to find another way to verify it

                                data subject's identity. For a customer who has not placed an order there is thus
                                the option to contact customer service instead.


                                Against this background, IMY finds that CDON's existing routine is not disproportionate and
                                thus not in violation of the data protection regulation, provided that the company only
                                collects the information that appears from the routine in situations where there is reason to
                                doubt the identity of the data subject and that then only the information that is

                                necessary to identify the data subject is requested.


                                Choice of intervention
                                From article 58.2 i and article 83.2 of the data protection regulation it appears that IMY has
                                power to impose administrative penalty charges in accordance with Article 83.

                                Depending on the circumstances of the individual case, administrative
                                penalty fees are imposed in addition to or instead of the other measures referred to in article
                                58.2 of the data protection regulation, such as injunctions and prohibitions. Further

                                it appears from article 83.2 of the data protection regulation which factors must be taken into account
                                decisions on administrative penalty charges must be imposed and upon determination of
                                the amount of the fee. If it is a question of a minor violation, IMY receives according to what

                                set out in recital 148 instead of imposing a penalty charge issue a reprimand under
                                article 58.2 b of the data protection regulation. Consideration shall be given to aggravating and
                                mitigating circumstances of the case, such as the nature of the violation, degree of severity

                                and duration as well as previous violations of relevance.

                                IMY notes the following relevant circumstances. The current supervision includes
                                CDON AB's handling of five individual appellant's requests in the situation which

                                the complaints concern.



                                                              Page 9 of 11The Swedish Privacy Agency Diary number: DI-2020-10549 10(11)
                                Date: 2023-03-31






                                The company has taken measures to make it easier for registered users to exercise their rights
                                rights in accordance with the data protection regulation and changed its procedures so that they are

                                compatible with the data protection regulation. Some measures had already been taken before
                                this supervisory case was initiated. Furthermore, the observed violations occurred

                                relatively far back in time. The company has not previously received any corrective action
                                for breach of data protection regulations. Against this background, IMY finds that
                                it is a question of such a minor violation in the sense referred to in recital 148 and

                                that CDON AB should be given a reprimand according to Article 58.2 b of the data protection regulation for
                                the violations found.




                                This decision has been taken by the unit manager Catharina Fernquist after a presentation by

                                lawyer Salli Fanaei.Catharina Fernquist, 2023-03-31 (This is an electronic
                                signature)


                                Copy to
                                The data protection officer



















































                                                               Page 10 of 11 The Swedish Privacy Agency Diary number: DI-2020-10549 11(11)
                                Date: 2023-03-31






                                How to appeal


                                If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
                                the letter which decision you are appealing and the change you are requesting. The appeal shall

                                have been received by the Privacy Protection Authority no later than three weeks from the day you received it
                                part of the decision. If the appeal has been received in time send
                                The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                secrecy. The authority's contact details appear on the first page of the decision.
























































                                                               Page 11 of 11