IMY (Sweden) - IMY-2022-1032

From GDPRhub
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 12(2) GDPR
Article 12(6) GDPR
Article 17 GDPR
Article 56 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 19.01.2023
Published:
Fine: n/a
Parties: Lensway
National Case Number/Name: IMY-2022-1032
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish (unofficial English translation provided by IMY)
Original Source: IMY (in EN)
Initial Contributor: n/a

In the context of an erasure request, requiring a copy of an identity document that is not necessary to identify the data subject breaches Article 12(6) GDPR. Moreover, requiring that such documents be sent by regular mail, when they were not necessary in the first place, does not facilitate the exercise of the data subject's rights and breaches Article 12(2) GDPR.

English Summary

Facts

Two data subjects had a customer relationship with Lensway Group AB (the controller). In February and June 2020, respectively, they requested erasure of their personal data. To comply with the requests, the controller required each data subject to send, by regular mail, a copy of an identity document and a signed written form. In one case, the form also asked for the data subject's social security number.

The data subjects filed complaints with the supervisory authorities of Finland and Denmark, respectively, which handed them over to the Swedish DPA (IMY) as lead supervisory authority under Article 56 GDPR.

In its defence, the controller stated that it had no other means of identifying the data subjects, so that requesting identity documents was necessary to comply with the erasure requests. It added that regular mail was required to ensure that it received the original signed documentation.

Holding

Since the complaints were directed against the same controller, the IMY joined them. It began by recalling that under Article 12(2) GDPR the controller must facilitate the exercise of data subject rights, and that under Article 12(6) GDPR the controller may request additional information to confirm the identity of the data subject only where it has reasonable doubts about that identity.

First, the IMY assessed whether, in these two cases, the controller had reasonable grounds to doubt the identity of the data subjects. It was not clear from the investigation what information the data subjects had provided with their requests. Given that erasure is an invasive measure, where a request made by someone else in the data subject's name can cause real harm, the IMY saw no reason to question the company's statement that it had reasonable grounds to doubt their identity.

Second, the IMY examined whether the "additional information" requested by the controller was necessary to overcome such doubts. Taking into account the existing customer relationship, the IMY considered that the controller could not, on this occasion, require more personal data than it had asked for when establishing that relationship; a copy of an identity document and a signature had not been required at that point. The IMY also referred to the EDPB guidelines on the right of access, which state that using a copy of an identity document as part of an authentication process should be considered inappropriate unless strictly necessary, suitable and in line with national law. In this case, the IMY held that less intrusive means could have been sufficient to identify the data subjects, such as control questions or requiring the data subject to log in on the controller's website.

Last, the IMY analysed whether requiring the data subjects to send their information by regular mail was in line with Article 12(2) GDPR. It considered that referring individuals to regular mail as the sole channel can be justified only in exceptional cases, for example for security reasons when a copy of an identity document is genuinely needed. Since in this case the identity documents were not necessary, additionally requiring them to be sent by regular mail did not facilitate the exercise of the data subjects' rights, and the IMY found a breach of Article 12(2) GDPR.
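The less intrusive verification the IMY points to (login on the controller's own site, control questions, or, as the second complainant proposed, confirmation through the e-mail address already registered on the account) relies only on data the controller holds from the customer relationship. The following Python sketch is an added illustration, not Lensway's code and not part of the decision: it confirms an erasure request with a single-use, time-limited token sent to the e-mail address on file, which is the identifier the company said it uses for its customers. The class and function names, the token lifetime, the in-memory store and the sample addresses are all assumptions.

```python
"""Confirming an erasure request with data the controller already holds.

Added illustration (not Lensway's code): the registered e-mail address is the
account identifier, so the requester proves control of that mailbox with a
single-use, time-limited token sent to the address on file, never to an
address supplied in the request. No identity document or signature is
collected. Names, token lifetime and the in-memory store are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a confirmation link


class ErasureRequestVerifier:
    # The same reply for known and unknown addresses, so the request channel
    # cannot be used to enumerate customers.
    GENERIC_REPLY = "If this address belongs to an account, a confirmation link has been sent."

    def __init__(self, registered_emails, now=time.time):
        self._accounts = {e.strip().lower() for e in registered_emails}  # constructed sample
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._challenges = {}  # email -> (sha256(token), expires_at)
        self.erased = set()
        self.outbox = []  # stands in for the mail transport: (recipient, token)

    def request_erasure(self, claimed_email):
        """Step 1: issue a challenge only for a registered address, and send it
        only to that address. Only the token's hash is kept server-side."""
        email = claimed_email.strip().lower()
        if email in self._accounts:
            token = secrets.token_urlsafe(32)  # 256 bits, infeasible to guess
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._challenges[email] = (digest, self._now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        return self.GENERIC_REPLY

    def confirm_erasure(self, email, token):
        """Step 2: the presented token proves control of the registered mailbox.
        Returns True and erases the account on success, False otherwise."""
        email = email.strip().lower()
        entry = self._challenges.get(email)
        if entry is None:
            return False  # no outstanding challenge (unknown address, replay, or never requested)
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._challenges[email]  # stale link: discard, requester must start over
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False  # wrong token; the genuine link stays valid until it expires
        del self._challenges[email]  # single use: consume before acting
        self._accounts.discard(email)
        self.erased.add(email)
        return True


def demo():
    """Walk through the flow with a fixed clock and return the observable results."""
    clock = [1_700_000_000.0]
    v = ErasureRequestVerifier(["alice@example.com", "bob@example.com"],
                               now=lambda: clock[0])
    reply_known = v.request_erasure("Alice@Example.com")
    reply_unknown = v.request_erasure("nobody@example.com")  # nothing is sent
    alice_addr, alice_token = v.outbox[0]
    wrong = v.confirm_erasure("alice@example.com", "not-the-token")
    right = v.confirm_erasure("alice@example.com", alice_token)
    replay = v.confirm_erasure("alice@example.com", alice_token)
    v.request_erasure("bob@example.com")
    _, bob_token = v.outbox[1]
    clock[0] += TOKEN_TTL_SECONDS + 1  # let Bob's link expire
    expired = v.confirm_erasure("bob@example.com", bob_token)
    unknown = v.confirm_erasure("nobody@example.com", "anything")
    return {
        "same_reply": reply_known == reply_unknown,
        "sent_to_registered_address": alice_addr == "alice@example.com",
        "wrong_token": wrong,
        "right_token": right,
        "replay": replay,
        "expired": expired,
        "unknown_account": unknown,
        "mails_sent": len(v.outbox),
        "erased": sorted(v.erased),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the sketch is the yardstick the IMY applies under Article 12(6): the check uses nothing beyond what the customer relationship already required (the e-mail address). The token is stored only as a hash, compared in constant time, bound to an expiry and consumed on first use, so a leaked mailbox or a replayed link does not give an attacker a second attempt; the identical reply for known and unknown addresses keeps the request endpoint from confirming who is a customer.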

Taking into account that the infringements dated back some time, affected only two data subjects and that the controller had in the meantime stopped requesting copies of identity documents and written forms, the IMY considered this a minor infringement and issued a reprimand under Article 58(2)(b) GDPR rather than a fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is IMY's own unofficial English translation of the Swedish decision. Only the Swedish version is authentic; please refer to it for details.

Notice: This document is an unofficial translation of the Swedish Authority for Privacy Protection's decision 2023-01-19, no. IMY-2022-1032. Only the Swedish version of the decision is deemed authentic.

Ref no: IMY-2022-1032
Date of decision: 2023-01-19

Decision under the General Data Protection Regulation – Lensway Group AB

Decision of the Swedish Authority for Privacy Protection

The Swedish Authority for Privacy Protection finds that Lensway Group AB, when handling the request for erasure made on 20 February 2020 by the complainant in Complaint 1 and the request for erasure made on 25 June 2020 by the complainant in Complaint 2, has processed personal data in breach of:

• Article 12(6) GDPR, by requesting a copy of the identity document and a signature when this was not necessary to confirm the identities of the complainants; and
• Article 12(2) GDPR, by requiring that the complainants, when requesting erasure, submit information by mail in order to confirm their identities, which did not facilitate the exercise of the complainants' right to erasure.

The Swedish Authority for Privacy Protection issues a reprimand to Lensway Group AB pursuant to Article 58(2)(b) of the GDPR for infringement of Articles 12(2) and 12(6) of the GDPR.


Presentation of the supervisory case

The Swedish Authority for Privacy Protection (IMY) has initiated supervision regarding Lensway Group AB (the company) due to two complaints, mainly to investigate whether Lensway Group AB has received and handled the complainants' requests for erasure in accordance with Articles 12 and 17 of the GDPR.[1] The complaints have been submitted to IMY as the lead supervisory authority pursuant to Article 56 of the GDPR. The handover has been made by the supervisory authority of the country where the complainants lodged their complaints (Finland and Denmark) in accordance with the provisions of the GDPR on cooperation in cross-border processing.

The case has been handled through written procedure. In view of the complaints relating to cross-border processing, IMY has made use of the cooperation and consistency mechanisms provided for in Chapter VII of the GDPR. The supervisory authorities concerned have been the data protection authorities in Denmark, Norway and Finland.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Postal address: Box 8114, 104 20 Stockholm. Website: www.imy.se. E-mail: imy@imy.se. Phone: 08-657 61 00.

Privacy Protection Authority, Our ref: IMY-2022-1032, Date: 2022-12-12


The complaints

The complainants have mainly stated the following.

Complaint 1 (complaint from Finland with national registration number 1576/153/2020)

The complainant was in contact with the company on 20 February 2020 and requested erasure. The company replied to the complainant that the complainant needs to send them the postal address so that they can send the complainant documents relating to the complainant's request. These documents were to be signed and returned by the complainant. In addition, the company requested the complainant to verify the identity by sending a copy of the complainant's identity document by e-mail. For security reasons, the complainant was not willing to provide what was requested.

Complaint 2 (complaint from Denmark with national registration number 2020-31-3616)

The complainant requested erasure of the complainant's information on lensway.dk. In order to comply with the request, the company requested that the complainant provide the social security number and a copy of the identity document. However, the company could not tell the complainant why they need that information except that they need it in order to confirm the complainant's identity. The complainant questions the need for the company to collect personal data in order to erase personal data. The complainant suggested that the company could instead confirm the complainant's identity by sending an e-mail to the address registered on the complainant, but they refused.

What Lensway Group AB has stated

In its statements of 20 April, 12 May and 11 August 2022, the company has mainly stated the following. The company is the data controller concerning the processing to which the complaints relate.

Complaint 1

The company has received the complainant's request for erasure, but the complainant has not completed the company's verification process current at the time. The company has requested the complainant to submit a copy of the identity document. This is the only way the company has so far been able to ensure the identity of the customer. The copy was to be sent by regular mail. The company also requested the complainant to submit a signed request for erasure. The company has so far not been able to receive this information digitally. In order to ensure that they have received original documents, they have asked the complainant to submit it via regular mail.

Complaint 2

The company received the request for erasure on 25 June 2020, but the complainant did not complete the company's verification process current at the time. It is true that the company requested the complainant's social security number in the written form, but it has been voluntary to provide this information. In addition to the information requested in the written form, the company requested the complainant to submit a copy of the identity document. The company has so far not been able to identify the complainant in any other way. The complainant was asked to submit the information by regular mail in order to ensure that the company had received the original documents.

As regards both complaints, the company has stated the following:

As regards the written form to be submitted by both complainants, the company states the following concerning the personal data required to be disclosed and why the information was necessary.

• Name is mandatory information which is requested to confirm the identity of the data subject.
• Email address is mandatory information which is requested because it is used as a unique identifier of customers in the company's system.
• Signature is mandatory for the company to be able to ensure that the data subject has read the information and has given his or her consent.

The company states that they should always ensure that it is the right person that contacts them when it comes to requests to exercise a right under the GDPR. Since the company was previously unable to identify the customer in a good and secure way when they contacted the company through customer service, the manual process via regular mail has been the one they have used. In this way, they have had a two-step verification. Functionality to enable confirmation of the customer's identity through customer service has not been in place.

The customer relationship with the company can be established in two ways: either the customer makes a purchase or the customer logs in to My Pages. When the customer creates an account on My Pages, the customer enters their email address and an email with confirmation is sent to the customer. The customer can then, via the link in the email, come to a web page where they link a password to the email address. The customer account is then created and the company thus receives a two-step verification. The complainants used the second method by which the customer relationship can be established.

The complainants made purchases with the company and they were identified through the company's payment service provided by Klarna. For most payment options, Klarna requires the customer to verify themselves via bank ID. For certain payment methods, for example payment by credit card, the customer may choose not to have to verify via bank ID through Klarna's app.

The company's existing digital contact channel is My Pages. However, there has been no functionality to handle requests to exercise a right under the GDPR on My Pages. Since April 2022, the company's customers can request to be erased or receive a copy of their personal data directly via My Pages. The customer's identity is then verified via regular login.






Statement of reasons for the decision

Applicable provisions, etc.

According to Article 17(1), the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the grounds set out in the Article applies, for example when the personal data are no longer necessary in relation to the purposes for which they were collected or if the data subject withdraws consent on which the processing is based.

Article 12(2) requires the controller to facilitate the exercise of data subject rights under Articles 15 to 22.

Article 12(6) states that, without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

The European Data Protection Board's (EDPB) Guidelines 01/2022 on access[2] state inter alia:

65. In cases where the controller requests the provision of additional information necessary to confirm the identity of the data subject, the controller shall each time assess what information will allow it to confirm the data subject's identity and possibly ask additional questions to the requesting person or request the data subject to present some additional identification elements, if it is proportionate (see section 3.3). Such additional information should not be more than the information initially needed for the verification of the data subject's identity (authentication). In general, the fact that the controller may request additional information to assess the data subject's identity cannot lead to excessive demands and to the collection of personal data which is not relevant or necessary to strengthen the link between the individual and the personal data requested.

[...]

73. It should be emphasised that using a copy of an identity document as a part of the authentication process creates a risk for the security of personal data and may lead to unauthorised or unlawful processing, and as such it should be considered inappropriate, unless it is strictly necessary, suitable, and in line with national law. In such cases the controllers should have systems in place that ensure a level of security appropriate to mitigate the higher risks for the rights and freedoms of the data subject to receive such data. It is also important to note that identification by means of an identity card does not necessarily help in the online context (e.g. with the use of pseudonyms) if the person concerned cannot contribute any other evidence, e.g. further characteristics matching to the user account.

[2] EDPB, Guidelines 01/2022 on data subject rights – Right of access, Version 1.0. The guidelines have been out for public consultation and are awaiting final adoption.






Assessment of IMY

On the basis of the complaints in question, IMY has examined the company's conduct in these two individual cases.

Has the company acted in accordance with Article 12(6) of the General Data Protection Regulation when the company requested the information in question from the complainants?

Has Lensway Group had reasonable grounds to doubt the identity of the complainants?

It is only when the controller has reasonable grounds to doubt the identity of the person making the request that additional information to confirm the identity may be requested. What constitutes "reasonable grounds" in Article 12(6) GDPR should be assessed on the basis of the circumstances in the individual case. The assessment of whether there are reasonable grounds in an individual case to doubt the identity of the one requesting is normally made in the light of the information provided in connection with the request. This applies particularly in situations where the controller has no further knowledge of the person. However, the need for an individual assessment does not preclude the establishment of routines for how the controller normally verifies the identity of the data subject.

The company was given the opportunity to motivate the individual assessment made based on the complainants' situation if they considered that they had reasonable doubts as to the identity of the complainants when the complainants submitted their requests. With regard to both complainants, the company argues mainly as follows. The company should always ensure that it is the right person that contacts them when it comes to requests to exercise a right under the GDPR. The customer has not previously been able to be identified in a good and secure manner when they contacted the company through Customer Service. Functionality for handling requests to exercise a right under the GDPR has not been available through Customer Service or on My Pages.

IMY notes that it is not clear from the investigation in the case what information the complainants provided in connection with their request and whether there were reasons for the company to doubt their identity on the basis of those requests. However, IMY considers that, in light of what has emerged in the case, there is no need to question the company's statement that it had reason to doubt the identity of the complainants. In the assessment, IMY takes into consideration the fact that the obligation to ensure the identity of the one requesting is also intended to protect data subjects against someone else making requests in their name, which may lead to negative consequences for the data subject. The risks of these negative consequences in the event of false requests are particularly obvious in the case of more invasive measures, such as the exercise of the right to erasure. IMY therefore takes the view that it has not been shown other than that the company, in the present cases, has had reasonable grounds to doubt the identity of the complainants.

Has the information requested by the Lensway Group been necessary to confirm the identity of the complainants?






Although the controller has reasonable grounds to doubt the identity of the data subjects, the controller shall not collect more personal data than is necessary to enable the confirmation of the identity of the requesting data subject.

The company mainly states the following concerning the necessity of the information they have requested from both complainants. A copy of the identity document has been requested as it was the only way in which the company has so far been able to verify the identity of the customer. In addition to a copy of the identity document, the complainants were required to submit a written form. The information requested in the written form, and why it was necessary, is presented by the company in essence as follows. The name has been requested to confirm the identity of the data subject. The email address has been requested because it is used as a unique identifier of customers in the company's system. The signature has also been requested and is, according to the company, necessary information for the company to be able to ensure that the data subject has read the information and given his or her consent to the handling of the request.

As regards the verification of the identity of the complainants, the company states that both complainants made purchases where they were identified through the company's payment service provided by Klarna.

It appears from the company's statements that it was not required that the company itself verified the identity of the complainants when the customer relationship was established, i.e. at the time of purchase. IMY states that the company cannot require more personal data when the complainant wishes to exercise its rights than was required when establishing the customer relationship. A copy of the identity document and a signature is information that the company did not request at the establishment of the customer relationship in these two cases. Furthermore, IMY takes into account that, according to the EDPB Guidelines on the right of access, the use of a copy of an identity document as part of the authentication process should be considered inappropriate unless strictly necessary, suitable and in line with national law. IMY considers that the requirement to provide the controller with a copy of one's identity document is an intrusive measure, which is only appropriate where the controller has previously ensured the actual identity of the data subject and where alternative, less intrusive means of verification are inappropriate. IMY considers that no circumstances have been identified that speak against other, less intrusive, verification methods having been usable in the present cases, such as login via My Pages or control questions. IMY notes that it has therefore not appeared in the case that the request for a copy of the identity document or the signature would have been absolutely necessary or appropriate.

Against this background, IMY considers that the copy of the identity document and the signature cannot be considered to have been necessary to confirm the identity of the complainants in accordance with Article 12(6) of the GDPR.

Has the company acted in accordance with Article 12(2) of the General Data Protection Regulation when the company requested the complainants to send the information by mail?

The next question is whether it has been permissible to require the complainants to send the requested information to the company by regular mail.






In view of the requirements to facilitate the exercise of the data subject's rights in Article 12(2) GDPR, it can only be accepted in exceptional cases that a controller as the sole channel of contact refers individuals to ordinary mail if they have to submit information in order to ensure their identities, for example if it is justifiable for reasons of security. The starting point should be that alternative means of submitting requested information should be offered. In that regard, the company has mainly stated that it required the information to be sent by regular mail in order to ensure that they received the original written documentation.


IMY takes the view that the transmission of a copy of an identity document may indeed pose particular risks, which may justify requiring that the document be sent by mail. This provided that it is necessary information to confirm the identity of the data subject.


In the present cases, IMY concludes above that a copy of the identity document was not necessary to confirm the identity of the complainants. By requiring the complainants additionally to send the information by regular mail, IMY takes the view that the company did not facilitate for the complainants to exercise their right to erasure. IMY therefore considers that the company thereby acted in breach of Article 12(2) of the GDPR.

Choice of corrective measure


It follows from Article 58(2)(i) and Article 83(2) of the GDPR that IMY has the power to impose administrative fines in accordance with Article 83. Depending on the circumstances of the case, administrative fines shall be imposed in addition to or in place of the other measures referred to in Article 58(2), such as injunctions and prohibitions. Furthermore, Article 83(2) determines the factors to be taken into account when imposing administrative fines and when determining the amount of the fine. In the case of a minor infringement, IMY may, as stated in recital 148, instead of imposing a fine, issue a reprimand pursuant to Article 58(2)(b). Account needs to be taken to the aggravating and mitigating circumstances of the case, such as the nature, gravity and duration of the infringement as well as past infringements of relevance.


IMY notes the following relevant facts. It has emerged from the investigation in the case that a copy of an identity document and signature is no longer requested by Lensway Group AB upon requests from data subjects to exercise their right to erasure under the GDPR. Furthermore, the infringements found have occurred relatively far back in time (2020) and have affected two data subjects. Against this background, IMY considers that it is a minor infringement within the meaning of recital 148 and that Lensway Group AB must be given a reprimand pursuant to Article 58(2)(b) of the GDPR.


___________________________________________________

This decision has been taken by the specially appointed decision-maker, legal advisor                , following a presentation by legal advisor
How to appeal


If you wish to appeal IMY's decision, please write to IMY. Please indicate in your letter the decision you are appealing and the amendment that you are requesting. The appeal must reach IMY no later than three weeks from the date on which you received the decision. If the appeal has been received in due time, IMY forwards it to the Administrative Court in Stockholm for trial.


You can send the appeal by email to IMY if the appeal does not contain any sensitive personal data or information that may be subject to confidentiality. IMY's contact details are set out on the first page of the decision.